mystic | 9b80269950e0f1b633a8f97657fa8c4843d63cc1062890797edcbbcf58625520

Analysis

max time kernel
145s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 09:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dea00ebf6034d535aea8f56cd6017972814dfb3374887346a9c9c8182c1110e0.exe
Size

1.5MB
MD5

290deb5ab4151b46f29bf37ab8758ad5
SHA1

b51aeba964ad27b21cfa57bfe56b5a0d5524f600
SHA256

dea00ebf6034d535aea8f56cd6017972814dfb3374887346a9c9c8182c1110e0
SHA512

5105de103ed8dffa09a59623c299c4f87ac621805159d08287ec3b1f1f426403522ae07a235678521a4bd21048202536d04ab65602aa139447aa3b2386471433
SSDEEP

24576:AyrMyci1LXoDigLRi8JTgeuMgJQjjfOKs80ovQwpWgqTLnysS6FioMxt11aRA/Bw:HrqyL4iqikHgJEjfOR80iQw4gyys51Ko

Score

10^/10

mystic redline kinza infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kinza

77.91.124.86:19084

Signatures

Detect Mystic stealer payload 3 IoCs

resource	yara_rule
behavioral17/memory/5064-35-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral17/memory/5064-38-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral17/memory/5064-36-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral17/files/0x000700000002340d-40.dat	family_redline
behavioral17/memory/1812-42-0x0000000000780000-0x00000000007BE000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
3828	mb1bW7Iw.exe
4664	Hk2oo0SN.exe
4884	ce9il4lA.exe
3572	Ji5eL9sO.exe
1216	1Mb39zD2.exe
1812	2Zk122xd.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	Ji5eL9sO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	dea00ebf6034d535aea8f56cd6017972814dfb3374887346a9c9c8182c1110e0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	mb1bW7Iw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Hk2oo0SN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	ce9il4lA.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1216 set thread context of 5064	1216	1Mb39zD2.exe	92

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 1312 wrote to memory of 3828	1312	dea00ebf6034d535aea8f56cd6017972814dfb3374887346a9c9c8182c1110e0.exe	83
PID 1312 wrote to memory of 3828	1312	dea00ebf6034d535aea8f56cd6017972814dfb3374887346a9c9c8182c1110e0.exe	83
PID 1312 wrote to memory of 3828	1312	dea00ebf6034d535aea8f56cd6017972814dfb3374887346a9c9c8182c1110e0.exe	83
PID 3828 wrote to memory of 4664	3828	mb1bW7Iw.exe	84
PID 3828 wrote to memory of 4664	3828	mb1bW7Iw.exe	84
PID 3828 wrote to memory of 4664	3828	mb1bW7Iw.exe	84
PID 4664 wrote to memory of 4884	4664	Hk2oo0SN.exe	86
PID 4664 wrote to memory of 4884	4664	Hk2oo0SN.exe	86
PID 4664 wrote to memory of 4884	4664	Hk2oo0SN.exe	86
PID 4884 wrote to memory of 3572	4884	ce9il4lA.exe	88
PID 4884 wrote to memory of 3572	4884	ce9il4lA.exe	88
PID 4884 wrote to memory of 3572	4884	ce9il4lA.exe	88
PID 3572 wrote to memory of 1216	3572	Ji5eL9sO.exe	89
PID 3572 wrote to memory of 1216	3572	Ji5eL9sO.exe	89
PID 3572 wrote to memory of 1216	3572	Ji5eL9sO.exe	89
PID 1216 wrote to memory of 2208	1216	1Mb39zD2.exe	91
PID 1216 wrote to memory of 2208	1216	1Mb39zD2.exe	91
PID 1216 wrote to memory of 2208	1216	1Mb39zD2.exe	91
PID 1216 wrote to memory of 5064	1216	1Mb39zD2.exe	92
PID 1216 wrote to memory of 5064	1216	1Mb39zD2.exe	92
PID 1216 wrote to memory of 5064	1216	1Mb39zD2.exe	92
PID 1216 wrote to memory of 5064	1216	1Mb39zD2.exe	92
PID 1216 wrote to memory of 5064	1216	1Mb39zD2.exe	92
PID 1216 wrote to memory of 5064	1216	1Mb39zD2.exe	92
PID 1216 wrote to memory of 5064	1216	1Mb39zD2.exe	92
PID 1216 wrote to memory of 5064	1216	1Mb39zD2.exe	92
PID 1216 wrote to memory of 5064	1216	1Mb39zD2.exe	92
PID 1216 wrote to memory of 5064	1216	1Mb39zD2.exe	92
PID 3572 wrote to memory of 1812	3572	Ji5eL9sO.exe	93
PID 3572 wrote to memory of 1812	3572	Ji5eL9sO.exe	93
PID 3572 wrote to memory of 1812	3572	Ji5eL9sO.exe	93

C:\Users\Admin\AppData\Local\Temp\dea00ebf6034d535aea8f56cd6017972814dfb3374887346a9c9c8182c1110e0.exe
"C:\Users\Admin\AppData\Local\Temp\dea00ebf6034d535aea8f56cd6017972814dfb3374887346a9c9c8182c1110e0.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1312
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mb1bW7Iw.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mb1bW7Iw.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3828
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Hk2oo0SN.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Hk2oo0SN.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4664
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ce9il4lA.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ce9il4lA.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4884
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ji5eL9sO.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ji5eL9sO.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:3572
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Mb39zD2.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Mb39zD2.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1216
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:2208
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:5064
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Zk122xd.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Zk122xd.exe
        6⤵
        Executes dropped EXE
        
        PID:1812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mb1bW7Iw.exe

Filesize
1.3MB

MD5
54ce7abc8f631d70e0cf0cccd35ad4cd

SHA1
d76680fd5f1028ce795fc01d261f312f4d14b5a5

SHA256
24faa5a3f42717986a752e59aab909a86d12878202b92e4e92d8226d090c9d80

SHA512
812378eb44100e7cf0dc6f147ce11fe51c6be15aaf4bca99dfa3b9f748645620820b986cf0e763e37d8a337bd23f06aa712e27ff2800e518235ffd4050e11617

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Hk2oo0SN.exe

Filesize
1.2MB

MD5
0baefc9e43115761ba95f1bdbf7e02e0

SHA1
bebc7f6d1195d228740f48b674f60095f7404804

SHA256
5020d4ea9e1fefa2be271ecdb7c143f1401f918e56357adab0ee4722c17fc29b

SHA512
0a579d9952298098bc2ec0f6a1e9bbcc89ed9edce2ced246db88d375f9043f050c6e2885f90696951627001ac52486dec515ea421932bafd9d705ca4302af139

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ce9il4lA.exe

Filesize
761KB

MD5
0698128e705a2e656986d6c27c2cef21

SHA1
bfac32cf437ae830399144c145580695ebb0fa34

SHA256
83b639eabae699809ba8e19779ee7bd3eb20fd5c34378683232492953aa8b71c

SHA512
50432f1f9d77ff4bcae519ded9d49ef1c19d896094dbc398f991908ff4b0371358e970824ddbb941fb4cb8ec8574f926457e226247c4ddb60352a2252be42574

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ji5eL9sO.exe

Filesize
565KB

MD5
e7fedeb797d6ad0de53799b844d690cb

SHA1
2cb75922beff243e042a1c4d6a768d2dad441b9f

SHA256
a67dddc14e5dbc9737e199ff0e5a3495dca0082a1efff2be2b7cb4988f8e76d9

SHA512
ad8e67ea52fdc9d4a7e6d98d97d1a78d2f88aba3033e473e663157776e59c1d82367d2dcc4d244a940612654f807430ff0718bcb5f45c0479e75a8c64e235cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Mb39zD2.exe

Filesize
1.1MB

MD5
a84df14e465e862400316ded24e9a21b

SHA1
f0de770348d7e5918ed98d21c4cb6a919246ba61

SHA256
789393787c52d9c3f0bdc0b9e60f735150ad8c8e6638aa86cef5c51a3a1958f0

SHA512
f64e6915add3c069e4c89ee4a2de0f8f1c973ce9612d10b5c08ee60d6e00c284190f3f3135247652f4e4ab0792a2eb34dc8f22f03d110bef6293ff166496d8f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Zk122xd.exe

Filesize
222KB

MD5
a29b3c1a923a3bba2746cbed2a0d7309

SHA1
9ac4526a9dd407b2c9fb34e6b0156fb615fadc02

SHA256
b455f5018e9b1fa108db747b398f0d10552e5f16c4449856822e575c275746b4

SHA512
f08d29b425d69a1c8e4459da6e00542140dfe852732ddee4159ce6bac8009e89ea0af22e1081db96b5fe6eeaa71b58a56a193b1b8cfd7005c9c6fe8274e3fc00

Download Submit
memory/1812-42-0x0000000000780000-0x00000000007BE000-memory.dmp

Filesize
248KB

Download
memory/1812-43-0x0000000007B90000-0x0000000008134000-memory.dmp

Filesize
5.6MB

Download
memory/1812-44-0x0000000007680000-0x0000000007712000-memory.dmp

Filesize
584KB

Download
memory/1812-45-0x0000000002AB0000-0x0000000002ABA000-memory.dmp

Filesize
40KB

Download
memory/1812-46-0x0000000008760000-0x0000000008D78000-memory.dmp

Filesize
6.1MB

Download
memory/1812-47-0x0000000007950000-0x0000000007A5A000-memory.dmp

Filesize
1.0MB

Download
memory/1812-48-0x0000000007880000-0x0000000007892000-memory.dmp

Filesize
72KB

Download
memory/1812-49-0x00000000078E0000-0x000000000791C000-memory.dmp

Filesize
240KB

Download
memory/1812-50-0x0000000007A60000-0x0000000007AAC000-memory.dmp

Filesize
304KB

Download
memory/5064-38-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5064-36-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5064-35-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads