mystic | 914615fc2a86a1a3aa8a108084dd30cc54e8b935b2f14f7def84c51a049c95c2

Analysis

max time kernel
144s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 10:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0a8ac35e43f621292035c3d74429426db38475babb90b9f0a7b48a6eb9e2d121.exe
Size

1.5MB
MD5

59fc8cbe85eea5b535f8eca6a62c03f2
SHA1

0034320cdbdd2bac620d09d21a0f220b1a0c0263
SHA256

0a8ac35e43f621292035c3d74429426db38475babb90b9f0a7b48a6eb9e2d121
SHA512

62e875521712cac7ae7f85d929351abff8c99a28dbb4738505aa6b57cb8c180166644242efcd8ae8eb1da2f7d625e662fb0566ab8722ca82e99923d58059e955
SSDEEP

24576:Ry8BfcUoLS0vkIbLVQ612kLK9clo0tZ0KtdWlkknNbHR4GzaEsALyNS9:EQoLSIualX0GdsWGzhsyB

Score

10^/10

mystic redline kinza infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kinza

77.91.124.86:19084

Signatures

Detect Mystic stealer payload 3 IoCs

resource	yara_rule
behavioral3/memory/4956-35-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral3/memory/4956-41-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral3/memory/4956-39-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral3/files/0x000700000002343e-37.dat	family_redline
behavioral3/memory/1732-42-0x0000000000B70000-0x0000000000BAE000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
2428	gQ5sL9Nn.exe
1428	SV1gc6Wx.exe
2552	cF2fG0Yz.exe
1876	qu1jB4dd.exe
5060	1XI31tG0.exe
1732	2xs041zH.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	0a8ac35e43f621292035c3d74429426db38475babb90b9f0a7b48a6eb9e2d121.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	gQ5sL9Nn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	SV1gc6Wx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	cF2fG0Yz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	qu1jB4dd.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5060 set thread context of 4956	5060	1XI31tG0.exe	93

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 4908 wrote to memory of 2428	4908	0a8ac35e43f621292035c3d74429426db38475babb90b9f0a7b48a6eb9e2d121.exe	84
PID 4908 wrote to memory of 2428	4908	0a8ac35e43f621292035c3d74429426db38475babb90b9f0a7b48a6eb9e2d121.exe	84
PID 4908 wrote to memory of 2428	4908	0a8ac35e43f621292035c3d74429426db38475babb90b9f0a7b48a6eb9e2d121.exe	84
PID 2428 wrote to memory of 1428	2428	gQ5sL9Nn.exe	85
PID 2428 wrote to memory of 1428	2428	gQ5sL9Nn.exe	85
PID 2428 wrote to memory of 1428	2428	gQ5sL9Nn.exe	85
PID 1428 wrote to memory of 2552	1428	SV1gc6Wx.exe	86
PID 1428 wrote to memory of 2552	1428	SV1gc6Wx.exe	86
PID 1428 wrote to memory of 2552	1428	SV1gc6Wx.exe	86
PID 2552 wrote to memory of 1876	2552	cF2fG0Yz.exe	87
PID 2552 wrote to memory of 1876	2552	cF2fG0Yz.exe	87
PID 2552 wrote to memory of 1876	2552	cF2fG0Yz.exe	87
PID 1876 wrote to memory of 5060	1876	qu1jB4dd.exe	89
PID 1876 wrote to memory of 5060	1876	qu1jB4dd.exe	89
PID 1876 wrote to memory of 5060	1876	qu1jB4dd.exe	89
PID 5060 wrote to memory of 1248	5060	1XI31tG0.exe	92
PID 5060 wrote to memory of 1248	5060	1XI31tG0.exe	92
PID 5060 wrote to memory of 1248	5060	1XI31tG0.exe	92
PID 5060 wrote to memory of 4956	5060	1XI31tG0.exe	93
PID 5060 wrote to memory of 4956	5060	1XI31tG0.exe	93
PID 5060 wrote to memory of 4956	5060	1XI31tG0.exe	93
PID 5060 wrote to memory of 4956	5060	1XI31tG0.exe	93
PID 5060 wrote to memory of 4956	5060	1XI31tG0.exe	93
PID 5060 wrote to memory of 4956	5060	1XI31tG0.exe	93
PID 5060 wrote to memory of 4956	5060	1XI31tG0.exe	93
PID 5060 wrote to memory of 4956	5060	1XI31tG0.exe	93
PID 5060 wrote to memory of 4956	5060	1XI31tG0.exe	93
PID 5060 wrote to memory of 4956	5060	1XI31tG0.exe	93
PID 1876 wrote to memory of 1732	1876	qu1jB4dd.exe	94
PID 1876 wrote to memory of 1732	1876	qu1jB4dd.exe	94
PID 1876 wrote to memory of 1732	1876	qu1jB4dd.exe	94

C:\Users\Admin\AppData\Local\Temp\0a8ac35e43f621292035c3d74429426db38475babb90b9f0a7b48a6eb9e2d121.exe
"C:\Users\Admin\AppData\Local\Temp\0a8ac35e43f621292035c3d74429426db38475babb90b9f0a7b48a6eb9e2d121.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4908
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gQ5sL9Nn.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gQ5sL9Nn.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2428
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\SV1gc6Wx.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\SV1gc6Wx.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1428
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cF2fG0Yz.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cF2fG0Yz.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2552
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\qu1jB4dd.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\qu1jB4dd.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1876
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1XI31tG0.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1XI31tG0.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:5060
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:1248
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:4956
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2xs041zH.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2xs041zH.exe
        6⤵
        Executes dropped EXE
        
        PID:1732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gQ5sL9Nn.exe

Filesize
1.3MB

MD5
4623933dcd0ba6708e9f4ac0a440ea75

SHA1
89723fb0e853812016d000c638e4a84cf6a12c27

SHA256
6b5adad662173ad827adf8ae88fdc8331441a550d1a850f4a9753f765d862fd2

SHA512
c8795cd1f96981a625b74a2963fff1e636339ac122a8313e973a831b5b52b95d0572c837095456ab9c9d64da26594d633c4f817738edd84eee99f27f2aa150a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\SV1gc6Wx.exe

Filesize
1.1MB

MD5
d2439563281860ff68b7477af9492449

SHA1
6fe0da8afb3a172548d6deb99e0278e287bd1009

SHA256
356f9889b1d7e1e972e58f38e380b7299ff4b336adb7cf92d365796e4b68f733

SHA512
9e8df424eb176b7cf9a3a993801629ddc83ee7a746ba53cb65a603194d6fcdd80639f35b2680bf574e7fc146c2b6ca5fb8b1962ace3770487ee4982a28d94380

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cF2fG0Yz.exe

Filesize
760KB

MD5
c2b7b9d3d70317795b5a8b282c3f2bfd

SHA1
8bab8e1c1b9b171e1457f7cd074c8659e20e2a1e

SHA256
148524450241d8a6af3c9d2b6b37da043a256ce9256b52b790996cc1e0ac59ed

SHA512
566188a016c72facf68d88849deb65649aff2dacf4e13af8bf349594d696fbaf7f0f39ae6b33fabf048103fe0f4da58740b70766177bd560ebe1168ccc083ec6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\qu1jB4dd.exe

Filesize
563KB

MD5
775ad776e94500c4776917164f5bc318

SHA1
f678eae1fb3be61bc15e4a07eff0db266fdf99e4

SHA256
f0bf7dd4c879abe670c70fde7a036fa65902cbf84d15a58d40ed737613a4e264

SHA512
179764f1d7afa67d1456fb29bbbf021852375629908358ac8c0b7f492d93f1b93c14551dd887ada2c0953a14c528ac26202a6264b2bfe941921b18b88fd417a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1XI31tG0.exe

Filesize
1.1MB

MD5
962d4d2d38d43196ed5a9318e3d17a68

SHA1
9438cf246e5c7c9b41c9046f5b8a04f4e44bc8df

SHA256
80f515b0e617760f3df6706cb2c4258f6f8594f1ccdab58941106e57ac0683be

SHA512
786eac9228e83d4e6fbb33f7758570790eda8b90381138c8f9cb5cf06dd315ee3cfe51a79cd8532fbc5c5fa0ae2a71db6439a2dd3fafa9da11e3775e30a687b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2xs041zH.exe

Filesize
221KB

MD5
e5da938a0c57cd7a86895529060f56a5

SHA1
2349f006942a720a65ee9484d9efa954bb2325ba

SHA256
cc5a7e193ff5eb784bada72a65b37a7f177221506b73272ea781e383ce558e05

SHA512
8bdba84b7231f158bdc4b9e139a70496a4b5995c45ea88aac5b408209b39c4a5b700c0f8848507e3d1d6b57f490794a0adb83062d866da4e5635688b322da588

Download Submit
memory/1732-45-0x0000000004F00000-0x0000000004F0A000-memory.dmp

Filesize
40KB

Download
memory/1732-42-0x0000000000B70000-0x0000000000BAE000-memory.dmp

Filesize
248KB

Download
memory/1732-43-0x0000000007E70000-0x0000000008414000-memory.dmp

Filesize
5.6MB

Download
memory/1732-44-0x0000000007960000-0x00000000079F2000-memory.dmp

Filesize
584KB

Download
memory/1732-46-0x0000000008A40000-0x0000000009058000-memory.dmp

Filesize
6.1MB

Download
memory/1732-47-0x0000000008420000-0x000000000852A000-memory.dmp

Filesize
1.0MB

Download
memory/1732-48-0x0000000007A70000-0x0000000007A82000-memory.dmp

Filesize
72KB

Download
memory/1732-49-0x0000000007D00000-0x0000000007D3C000-memory.dmp

Filesize
240KB

Download
memory/1732-50-0x0000000007D40000-0x0000000007D8C000-memory.dmp

Filesize
304KB

Download
memory/4956-41-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4956-39-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4956-35-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads