mystic | 92023f346ccc819d9c52da2af751cda1bc5396b5d745c68d99d1d2ff99db093a

Analysis

max time kernel
133s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 10:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

29e8eb905dd243a014498d2c372ce7c07306a13d8848307d94468ecc7f523557.exe
Size

1.1MB
MD5

f76cf4b722e08339cdb005eed5f22f97
SHA1

06318afb4105b8dfe61c00731a51fc39551a59e0
SHA256

29e8eb905dd243a014498d2c372ce7c07306a13d8848307d94468ecc7f523557
SHA512

689ffe1dfd59bec6b6641a1cbb619edd7502b76418aea01986d7570880169369257a5bee1f08f1e309995581267502a5c0fc82987f55becc6a08428b39ceb129
SSDEEP

24576:NyiRZqrUwoAwNz+uqVuFKEh/rtAK8gOjw9C:oiRQRw8uqVEKortybw9

Score

10^/10

mystic redline kinza infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kinza

77.91.124.86:19084

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral5/memory/908-21-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral5/memory/908-23-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral5/memory/908-25-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral5/memory/908-22-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral5/files/0x0007000000023562-27.dat	family_redline
behavioral5/memory/1232-29-0x0000000000BA0000-0x0000000000BDE000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

pid	Process
1088	pP5dN2gZ.exe
2372	BK4hT6sH.exe
4316	1XB16Jz3.exe
1232	2pz466ws.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	29e8eb905dd243a014498d2c372ce7c07306a13d8848307d94468ecc7f523557.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	pP5dN2gZ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	BK4hT6sH.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4316 set thread context of 908	4316	1XB16Jz3.exe	94

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 868 wrote to memory of 1088	868	29e8eb905dd243a014498d2c372ce7c07306a13d8848307d94468ecc7f523557.exe	88
PID 868 wrote to memory of 1088	868	29e8eb905dd243a014498d2c372ce7c07306a13d8848307d94468ecc7f523557.exe	88
PID 868 wrote to memory of 1088	868	29e8eb905dd243a014498d2c372ce7c07306a13d8848307d94468ecc7f523557.exe	88
PID 1088 wrote to memory of 2372	1088	pP5dN2gZ.exe	91
PID 1088 wrote to memory of 2372	1088	pP5dN2gZ.exe	91
PID 1088 wrote to memory of 2372	1088	pP5dN2gZ.exe	91
PID 2372 wrote to memory of 4316	2372	BK4hT6sH.exe	92
PID 2372 wrote to memory of 4316	2372	BK4hT6sH.exe	92
PID 2372 wrote to memory of 4316	2372	BK4hT6sH.exe	92
PID 4316 wrote to memory of 908	4316	1XB16Jz3.exe	94
PID 4316 wrote to memory of 908	4316	1XB16Jz3.exe	94
PID 4316 wrote to memory of 908	4316	1XB16Jz3.exe	94
PID 4316 wrote to memory of 908	4316	1XB16Jz3.exe	94
PID 4316 wrote to memory of 908	4316	1XB16Jz3.exe	94
PID 4316 wrote to memory of 908	4316	1XB16Jz3.exe	94
PID 4316 wrote to memory of 908	4316	1XB16Jz3.exe	94
PID 4316 wrote to memory of 908	4316	1XB16Jz3.exe	94
PID 4316 wrote to memory of 908	4316	1XB16Jz3.exe	94
PID 4316 wrote to memory of 908	4316	1XB16Jz3.exe	94
PID 2372 wrote to memory of 1232	2372	BK4hT6sH.exe	95
PID 2372 wrote to memory of 1232	2372	BK4hT6sH.exe	95
PID 2372 wrote to memory of 1232	2372	BK4hT6sH.exe	95

C:\Users\Admin\AppData\Local\Temp\29e8eb905dd243a014498d2c372ce7c07306a13d8848307d94468ecc7f523557.exe
"C:\Users\Admin\AppData\Local\Temp\29e8eb905dd243a014498d2c372ce7c07306a13d8848307d94468ecc7f523557.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:868
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pP5dN2gZ.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pP5dN2gZ.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1088
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\BK4hT6sH.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\BK4hT6sH.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2372
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1XB16Jz3.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1XB16Jz3.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:4316
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        
        PID:908
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2pz466ws.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2pz466ws.exe
      4⤵
      Executes dropped EXE
      PID:1232

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4316,i,15721081447618313297,6839074028983272033,262144 --variations-seed-version --mojo-platform-channel-handle=3916 /prefetch:8
1⤵
PID:3536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pP5dN2gZ.exe

Filesize
759KB

MD5
52e71492768c27581f0926ee3285eaa7

SHA1
45bf080777e36e4e25c5be7939dfb5fedfa56c7d

SHA256
89161069543bc4818f15ee72151686f78dcf0265a60c4aaac01cfc167a468ac9

SHA512
a30ff575ce82e7334d63bca82529d841f15e94fed36a3f12c61d1598440139a672e19b788915d05720df7f3ca845ccb9bcd0a5e8de15a7f3338ceeebc2b5c510

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\BK4hT6sH.exe

Filesize
562KB

MD5
b416faae4d3dea22a9ac4a8fa4869369

SHA1
05e3354116f84e58941db0201bd0b542e2eb364f

SHA256
d9dde7f98ef88fb3204d78e9458a799540f3bb917a9ae689648988717ce4db2e

SHA512
15601496b5f53c784c519badfc576d4c38d995d57accf740479fa36e3c8ec80eb8b6bf726eca4b86e26b2c54855aa14df0959d1cf68e8cd815f5447bbc05e91d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1XB16Jz3.exe

Filesize
1.1MB

MD5
a2a3cf9e06d11d13737a8aaa068f5a33

SHA1
fa6fdda213041f36857005505c6362e3569f2f6a

SHA256
a49b4026a782b80b580db1082e18220513755bea09a208e641601f15b2baca95

SHA512
2e59a9a4aa03860b68112ca9863a3df1c3ccdc9d645ee21864427a8215371d9c85f7846e0c30651763856adc45af2d32aedfa1a02ca0a78ebfec996f601476ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2pz466ws.exe

Filesize
222KB

MD5
d13f2f39e3e0125ce5cfd897849533a8

SHA1
1a10dbd7a142a6ba4b121d0d72adbe8fec158388

SHA256
0913c7bee133b99a5f1e4fb220eea210e52a02353c11111a838534be61590d47

SHA512
9596e381eac5b32a2a04a4c4c945d5db62f110d8708c2826ca204551094da9607150da82a71b07ad128a3dfd41a9a1251ef457de9af90c5b4a16cd0c04ce0eb4

Download Submit
memory/908-21-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/908-23-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/908-25-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/908-22-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1232-29-0x0000000000BA0000-0x0000000000BDE000-memory.dmp

Filesize
248KB

Download
memory/1232-30-0x0000000007FC0000-0x0000000008564000-memory.dmp

Filesize
5.6MB

Download
memory/1232-31-0x0000000007AB0000-0x0000000007B42000-memory.dmp

Filesize
584KB

Download
memory/1232-32-0x0000000002F10000-0x0000000002F1A000-memory.dmp

Filesize
40KB

Download
memory/1232-33-0x0000000008B90000-0x00000000091A8000-memory.dmp

Filesize
6.1MB

Download
memory/1232-34-0x0000000007EA0000-0x0000000007FAA000-memory.dmp

Filesize
1.0MB

Download
memory/1232-35-0x0000000007C80000-0x0000000007C92000-memory.dmp

Filesize
72KB

Download
memory/1232-36-0x0000000007D10000-0x0000000007D4C000-memory.dmp

Filesize
240KB

Download
memory/1232-37-0x0000000007D50000-0x0000000007D9C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads