mystic | 9b80269950e0f1b633a8f97657fa8c4843d63cc1062890797edcbbcf58625520

Analysis

max time kernel
147s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 09:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c68d91a00fd95a921391069a12b7eba5c82ab3db1e6c4d5868561527424cf5d2.exe
Size

1.3MB
MD5

de7d8d1ea9ec74fca10fd63873b1fde4
SHA1

4c951da991a818ce7f8abe42f63ffb431a852a47
SHA256

c68d91a00fd95a921391069a12b7eba5c82ab3db1e6c4d5868561527424cf5d2
SHA512

e32819236f4147eae4ab734405e3a1807697cdfbd063587f42a5bb9914dd9f4bfc98f73a0b4e917da72bf0a2da8782a93fe0d151697a19db47d23d323e60f53f
SSDEEP

24576:myK5ZJS6E1Nqug0ntSTM5GI+Xt3LEttlYWo7vKxso44vrtH9ex4mkQdmNIH:1oPbqNqp0tv+Bvjmsd4vFkx2gmNI

Score

10^/10

mystic redline kinza infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kinza

77.91.124.86:19084

Signatures

Detect Mystic stealer payload 3 IoCs

resource	yara_rule
behavioral12/memory/4500-28-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral12/memory/4500-31-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral12/memory/4500-29-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral12/files/0x00070000000233e3-33.dat	family_redline
behavioral12/memory/2216-35-0x0000000000600000-0x000000000063E000-memory.dmp	family_redline

Executes dropped EXE 5 IoCs

pid	Process
3300	ql4AI4lx.exe
824	PC1cQ4eU.exe
876	Hc5rb7Tq.exe
2148	1WH82Ow5.exe
2216	2za053eb.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	Hc5rb7Tq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	c68d91a00fd95a921391069a12b7eba5c82ab3db1e6c4d5868561527424cf5d2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	ql4AI4lx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	PC1cQ4eU.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2148 set thread context of 4500	2148	1WH82Ow5.exe	85

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 1500 wrote to memory of 3300	1500	c68d91a00fd95a921391069a12b7eba5c82ab3db1e6c4d5868561527424cf5d2.exe	81
PID 1500 wrote to memory of 3300	1500	c68d91a00fd95a921391069a12b7eba5c82ab3db1e6c4d5868561527424cf5d2.exe	81
PID 1500 wrote to memory of 3300	1500	c68d91a00fd95a921391069a12b7eba5c82ab3db1e6c4d5868561527424cf5d2.exe	81
PID 3300 wrote to memory of 824	3300	ql4AI4lx.exe	82
PID 3300 wrote to memory of 824	3300	ql4AI4lx.exe	82
PID 3300 wrote to memory of 824	3300	ql4AI4lx.exe	82
PID 824 wrote to memory of 876	824	PC1cQ4eU.exe	83
PID 824 wrote to memory of 876	824	PC1cQ4eU.exe	83
PID 824 wrote to memory of 876	824	PC1cQ4eU.exe	83
PID 876 wrote to memory of 2148	876	Hc5rb7Tq.exe	84
PID 876 wrote to memory of 2148	876	Hc5rb7Tq.exe	84
PID 876 wrote to memory of 2148	876	Hc5rb7Tq.exe	84
PID 2148 wrote to memory of 4500	2148	1WH82Ow5.exe	85
PID 2148 wrote to memory of 4500	2148	1WH82Ow5.exe	85
PID 2148 wrote to memory of 4500	2148	1WH82Ow5.exe	85
PID 2148 wrote to memory of 4500	2148	1WH82Ow5.exe	85
PID 2148 wrote to memory of 4500	2148	1WH82Ow5.exe	85
PID 2148 wrote to memory of 4500	2148	1WH82Ow5.exe	85
PID 2148 wrote to memory of 4500	2148	1WH82Ow5.exe	85
PID 2148 wrote to memory of 4500	2148	1WH82Ow5.exe	85
PID 2148 wrote to memory of 4500	2148	1WH82Ow5.exe	85
PID 2148 wrote to memory of 4500	2148	1WH82Ow5.exe	85
PID 876 wrote to memory of 2216	876	Hc5rb7Tq.exe	86
PID 876 wrote to memory of 2216	876	Hc5rb7Tq.exe	86
PID 876 wrote to memory of 2216	876	Hc5rb7Tq.exe	86

C:\Users\Admin\AppData\Local\Temp\c68d91a00fd95a921391069a12b7eba5c82ab3db1e6c4d5868561527424cf5d2.exe
"C:\Users\Admin\AppData\Local\Temp\c68d91a00fd95a921391069a12b7eba5c82ab3db1e6c4d5868561527424cf5d2.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1500
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ql4AI4lx.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ql4AI4lx.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3300
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\PC1cQ4eU.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\PC1cQ4eU.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:824
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Hc5rb7Tq.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Hc5rb7Tq.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:876
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1WH82Ow5.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1WH82Ow5.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2148
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:4500
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2za053eb.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2za053eb.exe
        5⤵
        Executes dropped EXE
        
        PID:2216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ql4AI4lx.exe

Filesize
1.1MB

MD5
0fd35865f2ff38ef0b2a7557783a6796

SHA1
9260d128ca06bc9de01d04e639a0f18742d6e5e1

SHA256
53b1249e9d9afe8c9a6787f2d5c1a5eaebee6363f88c12becf24604881a2a8a0

SHA512
421cf57b5c8d8a5d5f65b1a06d70f03529197e1e8075c9054133b393aba0ff889e79329823ae2cca2e151b0ceb2e91c0d4009f41abf3634339324b23c6017b05

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\PC1cQ4eU.exe

Filesize
758KB

MD5
822fc73dceef68450e63c8ffe3c7227d

SHA1
a581ff6b0c412b981c40d8b159b0fe18c7c4c0a2

SHA256
fb7b90b5efe166cd2ed9d64da672c47868db1d58888d322ed7f60dcbca0f3e00

SHA512
4308a9434c6ef593e881f5e29c066095e42301c148546a325817b215bafd350cbc62f745ba94221a7bfa767c67055c38e22f235aa795c6ae7b75864ca3a821d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Hc5rb7Tq.exe

Filesize
561KB

MD5
fab733b539aa3c3ac0cddd441d7e8f37

SHA1
79cfc82ea52d2c4cc4cd64e1915c972649638ebc

SHA256
ef58253f199184ed57dde0b38b4cf772b5c81eaa8c9736b36f03f9fa06c7d745

SHA512
e85ea4acc23209df4ab0d2752e605417919779db685d4180ce474ab4ee71f0ec2f97f8f49c8c03cd144d3cccc723b4dc83405c52c8b7d64ec1aa211beb7896e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1WH82Ow5.exe

Filesize
1.1MB

MD5
7e88670e893f284a13a2d88af7295317

SHA1
4bc0d76245e9d6ca8fe69daa23c46b2b8f770f1a

SHA256
d5e9e8612572f4586bc94b4475503558b7c4cd9329d3ade5b86f45018957deb9

SHA512
01541840ee2aa44de1f5f41bee31409560c481c10ed07d854239c0c9bdb648c86857a6a83a907e23f3b2865043b175689aa5f4f13fd0fd5f5444756b9ddfcdc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2za053eb.exe

Filesize
222KB

MD5
d27718b2b8e3a68e34cdf5b8c5745c92

SHA1
3bcfe95420a8bb5f387ea2c4cd203f31880e9b82

SHA256
0fffc640bb6d1d8077798e39c9685d3acdd62278c9c9df306eab4982d9ddb894

SHA512
5ea1e77f86b2189895db6d33062ceb7adb7e39582281fe456ee806b8211a861364d3cbca641ebac3bc369d166ccded35ef6b8df6259bbd5366fcd5a6acd8b2ad

Download Submit
memory/2216-39-0x0000000008460000-0x0000000008A78000-memory.dmp

Filesize
6.1MB

Download
memory/2216-35-0x0000000000600000-0x000000000063E000-memory.dmp

Filesize
248KB

Download
memory/2216-36-0x0000000007890000-0x0000000007E34000-memory.dmp

Filesize
5.6MB

Download
memory/2216-37-0x0000000007380000-0x0000000007412000-memory.dmp

Filesize
584KB

Download
memory/2216-38-0x00000000027F0000-0x00000000027FA000-memory.dmp

Filesize
40KB

Download
memory/2216-40-0x0000000007730000-0x000000000783A000-memory.dmp

Filesize
1.0MB

Download
memory/2216-41-0x00000000075C0000-0x00000000075D2000-memory.dmp

Filesize
72KB

Download
memory/2216-42-0x0000000007660000-0x000000000769C000-memory.dmp

Filesize
240KB

Download
memory/2216-43-0x00000000076A0000-0x00000000076EC000-memory.dmp

Filesize
304KB

Download
memory/4500-29-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4500-31-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4500-28-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads