mystic | 92023f346ccc819d9c52da2af751cda1bc5396b5d745c68d99d1d2ff99db093a

Analysis

max time kernel
134s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 10:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3a437fa89562e5fc34e761a6ede9c12aa1d8ef1be68ac45a97f3719b864fd8c1.exe
Size

758KB
MD5

62b7e49772a7782a7353405abf749571
SHA1

8a85acbcfedeebff6de882f7d1322c61471769fb
SHA256

3a437fa89562e5fc34e761a6ede9c12aa1d8ef1be68ac45a97f3719b864fd8c1
SHA512

949f0d041791833e1c22fcc117ea6a6446ada56022eb5dfb2cccf06a7b878031090e6bb3f7fc1ba9bea477976a77219b35cfe25af287976e42dc6cf44b7ba1b5
SSDEEP

12288:cMrHy90pjxjCoD2XkNFLFUl1CTH7WhhaJgiMiiZD9wgnSwu5:jyUjxvBhel1EKqJglisL1u5

Score

10^/10

mystic redline kinza infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kinza

77.91.124.86:19084

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral11/memory/3776-14-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral11/memory/3776-21-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral11/memory/3776-20-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral11/memory/3776-18-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral11/files/0x000700000002341e-16.dat	family_redline
behavioral11/memory/1624-22-0x0000000000790000-0x00000000007CE000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

pid	Process
3176	Gq1zd0RX.exe
1548	1fV51kB9.exe
1624	2Yr540UL.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Gq1zd0RX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	3a437fa89562e5fc34e761a6ede9c12aa1d8ef1be68ac45a97f3719b864fd8c1.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1548 set thread context of 3776	1548	1fV51kB9.exe	87

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 4840 wrote to memory of 3176	4840	3a437fa89562e5fc34e761a6ede9c12aa1d8ef1be68ac45a97f3719b864fd8c1.exe	83
PID 4840 wrote to memory of 3176	4840	3a437fa89562e5fc34e761a6ede9c12aa1d8ef1be68ac45a97f3719b864fd8c1.exe	83
PID 4840 wrote to memory of 3176	4840	3a437fa89562e5fc34e761a6ede9c12aa1d8ef1be68ac45a97f3719b864fd8c1.exe	83
PID 3176 wrote to memory of 1548	3176	Gq1zd0RX.exe	84
PID 3176 wrote to memory of 1548	3176	Gq1zd0RX.exe	84
PID 3176 wrote to memory of 1548	3176	Gq1zd0RX.exe	84
PID 1548 wrote to memory of 4220	1548	1fV51kB9.exe	86
PID 1548 wrote to memory of 4220	1548	1fV51kB9.exe	86
PID 1548 wrote to memory of 4220	1548	1fV51kB9.exe	86
PID 1548 wrote to memory of 3776	1548	1fV51kB9.exe	87
PID 1548 wrote to memory of 3776	1548	1fV51kB9.exe	87
PID 1548 wrote to memory of 3776	1548	1fV51kB9.exe	87
PID 1548 wrote to memory of 3776	1548	1fV51kB9.exe	87
PID 1548 wrote to memory of 3776	1548	1fV51kB9.exe	87
PID 1548 wrote to memory of 3776	1548	1fV51kB9.exe	87
PID 1548 wrote to memory of 3776	1548	1fV51kB9.exe	87
PID 1548 wrote to memory of 3776	1548	1fV51kB9.exe	87
PID 1548 wrote to memory of 3776	1548	1fV51kB9.exe	87
PID 1548 wrote to memory of 3776	1548	1fV51kB9.exe	87
PID 3176 wrote to memory of 1624	3176	Gq1zd0RX.exe	88
PID 3176 wrote to memory of 1624	3176	Gq1zd0RX.exe	88
PID 3176 wrote to memory of 1624	3176	Gq1zd0RX.exe	88

C:\Users\Admin\AppData\Local\Temp\3a437fa89562e5fc34e761a6ede9c12aa1d8ef1be68ac45a97f3719b864fd8c1.exe
"C:\Users\Admin\AppData\Local\Temp\3a437fa89562e5fc34e761a6ede9c12aa1d8ef1be68ac45a97f3719b864fd8c1.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4840
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gq1zd0RX.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gq1zd0RX.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3176
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1fV51kB9.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1fV51kB9.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1548
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:4220
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:3776
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Yr540UL.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Yr540UL.exe
    3⤵
    - Executes dropped EXE
    PID:1624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gq1zd0RX.exe

Filesize
562KB

MD5
150376e5b6995ba77009515423600127

SHA1
82c5432af462a848078fbdfc463abc50178ff45e

SHA256
07b8d11c40d8f74ca2c64a6b5dcd6cb402d418b345965f1420116c47ac3f4e5e

SHA512
2acb8d52ed8b921964bb70829fcd2adfb2fa08ac481933f3f1fd449214a7f08bcf48fbf47ea7364713758ed4079cd95e049d9ebf32054164ea002b595d8344f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1fV51kB9.exe

Filesize
1.1MB

MD5
14a8a8e0f570bc87ad632694432ecb64

SHA1
5d184ec2efef21d676b3b68ad2cf92108d399065

SHA256
49c6f6941c2b0046017a1ce2eaaa6ee6f406178a9bf4a1dec6c7e2c7a87ae65f

SHA512
4cb4c06e2387efc5ea0eb0a8bba0c18c5c4b8d9ca2daff336ecda16c626040cdf03427f56b13309fc6e1a0ac9087b0cab8c599296257cb20744bd2fb9129b02f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Yr540UL.exe

Filesize
222KB

MD5
a4840a8bd30c0b573cc84da3f2a34928

SHA1
713f86739240105eded5e8724c3b4d4509115631

SHA256
687983c211e1e5c0fa1addfe9a49f0322f527295cc9a328e522e3f4b6e8a4a89

SHA512
6cd3a56c79797aafe10b2fdce3e0280c8e3effc541e12a9435220a180a01ad25c8dc4d4910ca28e465c58d175ab99d3fe0786e275184375e629b1d0aa2c09d7c

Download Submit
memory/1624-27-0x0000000007820000-0x000000000792A000-memory.dmp

Filesize
1.0MB

Download
memory/1624-22-0x0000000000790000-0x00000000007CE000-memory.dmp

Filesize
248KB

Download
memory/1624-23-0x0000000007B20000-0x00000000080C4000-memory.dmp

Filesize
5.6MB

Download
memory/1624-24-0x0000000007570000-0x0000000007602000-memory.dmp

Filesize
584KB

Download
memory/1624-25-0x0000000002990000-0x000000000299A000-memory.dmp

Filesize
40KB

Download
memory/1624-26-0x00000000086F0000-0x0000000008D08000-memory.dmp

Filesize
6.1MB

Download
memory/1624-28-0x0000000007750000-0x0000000007762000-memory.dmp

Filesize
72KB

Download
memory/1624-29-0x00000000077B0000-0x00000000077EC000-memory.dmp

Filesize
240KB

Download
memory/1624-30-0x0000000007930000-0x000000000797C000-memory.dmp

Filesize
304KB

Download
memory/3776-21-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3776-20-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3776-18-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3776-14-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads