mystic | 914615fc2a86a1a3aa8a108084dd30cc54e8b935b2f14f7def84c51a049c95c2

Analysis

max time kernel
136s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 10:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7ca70af036250048ae92d2d5fde5b7a3179535a16c027d4f2bb5fa57b04f5550.exe
Size

771KB
MD5

b30cea05e9971bf44079d9275d9c3866
SHA1

6128e742a8214ce0cbe781d0ef5f4961364f5e9f
SHA256

7ca70af036250048ae92d2d5fde5b7a3179535a16c027d4f2bb5fa57b04f5550
SHA512

8a2e8024173c18eec5ff053103eaa3c900608fa95096b1954aa0d1f91f7ff93825aae947ac0365294cf7ee5b76d3f1e42db8ae6a0c7b3d447b0da4831f6d3840
SSDEEP

12288:9MrFy90XSs/fQTufC4xTPzblZug8Q2HuCuIhVmIR5BMFfEMy2Gyu:AylsJdfHugQHuKjmc52aMyL

Score

10^/10

mystic redline kinza infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kinza

77.91.124.86:19084

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral6/memory/448-14-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral6/memory/448-16-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral6/memory/448-18-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral6/memory/448-15-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral6/files/0x0007000000023416-20.dat	family_redline
behavioral6/memory/1392-22-0x0000000000D30000-0x0000000000D6E000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

pid	Process
4224	Hg5FJ9XN.exe
3108	1Td63Ff6.exe
1392	2Qh617FZ.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	7ca70af036250048ae92d2d5fde5b7a3179535a16c027d4f2bb5fa57b04f5550.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Hg5FJ9XN.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3108 set thread context of 448	3108	1Td63Ff6.exe	87

Program crash 1 IoCs

pid	pid_target	Process	procid_target
764	448	WerFault.exe	87

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 740 wrote to memory of 4224	740	7ca70af036250048ae92d2d5fde5b7a3179535a16c027d4f2bb5fa57b04f5550.exe	82
PID 740 wrote to memory of 4224	740	7ca70af036250048ae92d2d5fde5b7a3179535a16c027d4f2bb5fa57b04f5550.exe	82
PID 740 wrote to memory of 4224	740	7ca70af036250048ae92d2d5fde5b7a3179535a16c027d4f2bb5fa57b04f5550.exe	82
PID 4224 wrote to memory of 3108	4224	Hg5FJ9XN.exe	83
PID 4224 wrote to memory of 3108	4224	Hg5FJ9XN.exe	83
PID 4224 wrote to memory of 3108	4224	Hg5FJ9XN.exe	83
PID 3108 wrote to memory of 448	3108	1Td63Ff6.exe	87
PID 3108 wrote to memory of 448	3108	1Td63Ff6.exe	87
PID 3108 wrote to memory of 448	3108	1Td63Ff6.exe	87
PID 3108 wrote to memory of 448	3108	1Td63Ff6.exe	87
PID 3108 wrote to memory of 448	3108	1Td63Ff6.exe	87
PID 3108 wrote to memory of 448	3108	1Td63Ff6.exe	87
PID 3108 wrote to memory of 448	3108	1Td63Ff6.exe	87
PID 3108 wrote to memory of 448	3108	1Td63Ff6.exe	87
PID 3108 wrote to memory of 448	3108	1Td63Ff6.exe	87
PID 3108 wrote to memory of 448	3108	1Td63Ff6.exe	87
PID 4224 wrote to memory of 1392	4224	Hg5FJ9XN.exe	89
PID 4224 wrote to memory of 1392	4224	Hg5FJ9XN.exe	89
PID 4224 wrote to memory of 1392	4224	Hg5FJ9XN.exe	89

C:\Users\Admin\AppData\Local\Temp\7ca70af036250048ae92d2d5fde5b7a3179535a16c027d4f2bb5fa57b04f5550.exe
"C:\Users\Admin\AppData\Local\Temp\7ca70af036250048ae92d2d5fde5b7a3179535a16c027d4f2bb5fa57b04f5550.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:740
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Hg5FJ9XN.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Hg5FJ9XN.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4224
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Td63Ff6.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Td63Ff6.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:3108
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:448
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 448 -s 540
        5⤵
        Program crash
        
        PID:764
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Qh617FZ.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Qh617FZ.exe
    3⤵
    - Executes dropped EXE
    PID:1392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 448 -ip 448
1⤵
PID:512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Hg5FJ9XN.exe

Filesize
574KB

MD5
700f716255f52bad1d4e7c194a52d252

SHA1
9001f8c2a072982fcc225edd15c5d4a27f49530c

SHA256
dfaf0847b34976e98eaa195c3126ac3a99d1535d15163bbdfbcb3f0dda644ab5

SHA512
aeba4f04c09d6cdd9a1f39dad79077a698492f75ef12984fe88e0eb8daf2d0cb4998688fdcfe88dba56eaad4b12d0fe8fcc307eec2600e3e7fb13aa56ee553a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Td63Ff6.exe

Filesize
1.1MB

MD5
2816af11bf598767a28f196f0c703fdb

SHA1
894ad14ba7b5fd9973dfda1e52482ceca2490a7a

SHA256
b84b8f553b79dd837622b7b13615aa1c7242783ec36977a417331493f5a38e92

SHA512
557d63f3e036eb47ad0bdf1ab883c549ee450ad409b8769049bd53542b8c613251ba9cd3964e825a90dc1882a68ba84fa04015e0f83f1e57a7ed60c4b922ba36

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Qh617FZ.exe

Filesize
223KB

MD5
0139773d9be8381242fcdc9b2ae40785

SHA1
4bead313384c9f4bbf905bab427e457ad8223af1

SHA256
f07004500b7aa0caa5155d51fd44d6c19a17520af807aa5e52aec6f2fee9f94b

SHA512
dd02ddf8fb3bb96490243bf3224fb4cc1643efc8c037acfe484ef84d9c436a788c97dd702ee1a501bf5c466a09e1821b5051336bd362cc5e244ecdafc78702dc

Download Submit
memory/448-14-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/448-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/448-18-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/448-15-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1392-23-0x0000000008110000-0x00000000086B4000-memory.dmp

Filesize
5.6MB

Download
memory/1392-22-0x0000000000D30000-0x0000000000D6E000-memory.dmp

Filesize
248KB

Download
memory/1392-24-0x0000000007C00000-0x0000000007C92000-memory.dmp

Filesize
584KB

Download
memory/1392-25-0x0000000005170000-0x000000000517A000-memory.dmp

Filesize
40KB

Download
memory/1392-26-0x0000000008CE0000-0x00000000092F8000-memory.dmp

Filesize
6.1MB

Download
memory/1392-27-0x0000000007FB0000-0x00000000080BA000-memory.dmp

Filesize
1.0MB

Download
memory/1392-28-0x0000000007E20000-0x0000000007E32000-memory.dmp

Filesize
72KB

Download
memory/1392-29-0x0000000007EA0000-0x0000000007EDC000-memory.dmp

Filesize
240KB

Download
memory/1392-30-0x0000000007EE0000-0x0000000007F2C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads