mystic | 92023f346ccc819d9c52da2af751cda1bc5396b5d745c68d99d1d2ff99db093a

Analysis

max time kernel
132s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23/05/2024, 10:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2ff2598373e4f2608549579f5029d8c3106c485e2d1768ec605951faad4c9ace.exe
Size

759KB
MD5

e9600fdfb902a613522b2946389b33e4
SHA1

62956ffd30a62b2ba1174e7a486dd73aa72957f2
SHA256

2ff2598373e4f2608549579f5029d8c3106c485e2d1768ec605951faad4c9ace
SHA512

0e43d90e8c741f31d026167ff528315c5680e8527d611d0b11ba455e54895db38bd30a1966e3c51803b4005239245b9ba12d416047741f6e0397cf62719524e4
SSDEEP

12288:7Mr5y90joTirjM7uV+R6DjO0dx3ugZxM9tuh6UhKch5SCtBDOE8ZOl+Wf0TX7Xhs:6yco+E7uKUx+gZUrWiuDFIOcRTz00c

Score

10^/10

mystic redline kinza infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kinza

77.91.124.86:19084

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral6/memory/4784-14-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral6/memory/4784-18-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral6/memory/4784-16-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral6/memory/4784-15-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral6/files/0x0007000000023463-20.dat	family_redline
behavioral6/memory/2756-22-0x0000000000150000-0x000000000018E000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

pid	Process
116	KC6pm9vs.exe
4424	1gp07Ah0.exe
2756	2jm593Xn.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	2ff2598373e4f2608549579f5029d8c3106c485e2d1768ec605951faad4c9ace.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	KC6pm9vs.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4424 set thread context of 4784	4424	1gp07Ah0.exe	89

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4108	4784	WerFault.exe	89

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 4064 wrote to memory of 116	4064	2ff2598373e4f2608549579f5029d8c3106c485e2d1768ec605951faad4c9ace.exe	85
PID 4064 wrote to memory of 116	4064	2ff2598373e4f2608549579f5029d8c3106c485e2d1768ec605951faad4c9ace.exe	85
PID 4064 wrote to memory of 116	4064	2ff2598373e4f2608549579f5029d8c3106c485e2d1768ec605951faad4c9ace.exe	85
PID 116 wrote to memory of 4424	116	KC6pm9vs.exe	86
PID 116 wrote to memory of 4424	116	KC6pm9vs.exe	86
PID 116 wrote to memory of 4424	116	KC6pm9vs.exe	86
PID 4424 wrote to memory of 4784	4424	1gp07Ah0.exe	89
PID 4424 wrote to memory of 4784	4424	1gp07Ah0.exe	89
PID 4424 wrote to memory of 4784	4424	1gp07Ah0.exe	89
PID 4424 wrote to memory of 4784	4424	1gp07Ah0.exe	89
PID 4424 wrote to memory of 4784	4424	1gp07Ah0.exe	89
PID 4424 wrote to memory of 4784	4424	1gp07Ah0.exe	89
PID 4424 wrote to memory of 4784	4424	1gp07Ah0.exe	89
PID 4424 wrote to memory of 4784	4424	1gp07Ah0.exe	89
PID 4424 wrote to memory of 4784	4424	1gp07Ah0.exe	89
PID 4424 wrote to memory of 4784	4424	1gp07Ah0.exe	89
PID 116 wrote to memory of 2756	116	KC6pm9vs.exe	91
PID 116 wrote to memory of 2756	116	KC6pm9vs.exe	91
PID 116 wrote to memory of 2756	116	KC6pm9vs.exe	91

C:\Users\Admin\AppData\Local\Temp\2ff2598373e4f2608549579f5029d8c3106c485e2d1768ec605951faad4c9ace.exe
"C:\Users\Admin\AppData\Local\Temp\2ff2598373e4f2608549579f5029d8c3106c485e2d1768ec605951faad4c9ace.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4064
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\KC6pm9vs.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\KC6pm9vs.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:116
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1gp07Ah0.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1gp07Ah0.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4424
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:4784
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4784 -s 540
        5⤵
        Program crash
        
        PID:4108
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2jm593Xn.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2jm593Xn.exe
    3⤵
    - Executes dropped EXE
    PID:2756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4784 -ip 4784
1⤵
PID:3500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\KC6pm9vs.exe

Filesize
563KB

MD5
3acd1113b9e61c04d47779e54e67e012

SHA1
f7042425eeb62cb0043f26e23816aaa0404a0bf3

SHA256
7c28df7e75b7881284ad0ff491013a04becc32a91e07f6804bffeb6b408fe61b

SHA512
aa1576af6a17eb9289301d1ee059f81d4f6a82d829762fed046b8fa25bb79d1424f9884575c4297d3144ca601397edfafe815fc96b7614aad92815d171495e20

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1gp07Ah0.exe

Filesize
1.1MB

MD5
9930ece71269384e24507896a9314705

SHA1
0f11c44423d3f3bafaa63d2d388db8e13a5823ed

SHA256
3b4a8214beca876c42deef37c42f32db6966786fe369c773f9ded4bb0a3d1ce8

SHA512
47eb0cc8ac30ed96d48d661c7f6e9374fda7c55f7e2833d9dce166552c9de2b44ee9f90fde72005b666ae9a36d4cbf4311c82d38b06e4044b4eb78c327f3dbef

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2jm593Xn.exe

Filesize
222KB

MD5
ebf977a0c043e4234c96c3cc1fa4bf12

SHA1
ae283a01b43ccacf15a6f450618e3987ac2f4fa2

SHA256
f21641b4597998f4859b86697467860127da84398f8e9cbf8629a6a09da02b52

SHA512
e86f46972d9b3c3765e856a8c080fc6fe0fa7f3b29adf8877ef8bdd9246b03e011760096eadb1d12a27e577f2e19f7e9438748fbf1383df9aaeb9fac8cbe9ede

Download Submit
memory/2756-27-0x00000000079E0000-0x0000000007AEA000-memory.dmp

Filesize
1.0MB

Download
memory/2756-22-0x0000000000150000-0x000000000018E000-memory.dmp

Filesize
248KB

Download
memory/2756-23-0x0000000007430000-0x00000000079D4000-memory.dmp

Filesize
5.6MB

Download
memory/2756-24-0x0000000006F20000-0x0000000006FB2000-memory.dmp

Filesize
584KB

Download
memory/2756-25-0x0000000006FD0000-0x0000000006FDA000-memory.dmp

Filesize
40KB

Download
memory/2756-26-0x0000000008000000-0x0000000008618000-memory.dmp

Filesize
6.1MB

Download
memory/2756-28-0x00000000071A0000-0x00000000071B2000-memory.dmp

Filesize
72KB

Download
memory/2756-29-0x0000000007200000-0x000000000723C000-memory.dmp

Filesize
240KB

Download
memory/2756-30-0x0000000007240000-0x000000000728C000-memory.dmp

Filesize
304KB

Download
memory/4784-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4784-15-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4784-18-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4784-14-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads