mystic | 9f4cee8892544b3b9090f5a7288e0a353e34bada2f75253f19bfebaefa1f0f53

Analysis

max time kernel
136s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 09:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9c8e4ed08188524a9beb39dfd35cc3c50ed0a6344464afcdff53746ddccee6a3.exe
Size

759KB
MD5

2046ecfb589e1470442d1971a5e97756
SHA1

ccc3b65402c365cd1bd4a91df860a4dc4e9fadfa
SHA256

9c8e4ed08188524a9beb39dfd35cc3c50ed0a6344464afcdff53746ddccee6a3
SHA512

1807c3b6f112db629c9b7e00e917271918c1cbcb0ff5f9830fe3468c44789a59e1dfdebb5ff8f9d28bf4ec2559801751a7715cecfd3bc73192a022a60784e96a
SSDEEP

12288:OMr5y90cUoQMHdLd7H0wCdF4f5COt0ij7xV6EGeNdEENlrmFscQyCkqqA:HykTolH0wMywpL5QpmUqA

Score

10^/10

mystic redline kinza infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kinza

77.91.124.86:19084

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral14/memory/2388-14-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral14/memory/2388-18-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral14/memory/2388-16-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral14/memory/2388-15-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral14/files/0x0007000000023486-20.dat	family_redline
behavioral14/memory/4576-22-0x0000000000CD0000-0x0000000000D0E000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

pid	Process
2452	oN7VW6pJ.exe
1936	1hM50Oh1.exe
4576	2HV034rz.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	9c8e4ed08188524a9beb39dfd35cc3c50ed0a6344464afcdff53746ddccee6a3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	oN7VW6pJ.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1936 set thread context of 2388	1936	1hM50Oh1.exe	90

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4404	2388	WerFault.exe	90

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 5076 wrote to memory of 2452	5076	9c8e4ed08188524a9beb39dfd35cc3c50ed0a6344464afcdff53746ddccee6a3.exe	85
PID 5076 wrote to memory of 2452	5076	9c8e4ed08188524a9beb39dfd35cc3c50ed0a6344464afcdff53746ddccee6a3.exe	85
PID 5076 wrote to memory of 2452	5076	9c8e4ed08188524a9beb39dfd35cc3c50ed0a6344464afcdff53746ddccee6a3.exe	85
PID 2452 wrote to memory of 1936	2452	oN7VW6pJ.exe	86
PID 2452 wrote to memory of 1936	2452	oN7VW6pJ.exe	86
PID 2452 wrote to memory of 1936	2452	oN7VW6pJ.exe	86
PID 1936 wrote to memory of 2388	1936	1hM50Oh1.exe	90
PID 1936 wrote to memory of 2388	1936	1hM50Oh1.exe	90
PID 1936 wrote to memory of 2388	1936	1hM50Oh1.exe	90
PID 1936 wrote to memory of 2388	1936	1hM50Oh1.exe	90
PID 1936 wrote to memory of 2388	1936	1hM50Oh1.exe	90
PID 1936 wrote to memory of 2388	1936	1hM50Oh1.exe	90
PID 1936 wrote to memory of 2388	1936	1hM50Oh1.exe	90
PID 1936 wrote to memory of 2388	1936	1hM50Oh1.exe	90
PID 1936 wrote to memory of 2388	1936	1hM50Oh1.exe	90
PID 1936 wrote to memory of 2388	1936	1hM50Oh1.exe	90
PID 2452 wrote to memory of 4576	2452	oN7VW6pJ.exe	92
PID 2452 wrote to memory of 4576	2452	oN7VW6pJ.exe	92
PID 2452 wrote to memory of 4576	2452	oN7VW6pJ.exe	92

C:\Users\Admin\AppData\Local\Temp\9c8e4ed08188524a9beb39dfd35cc3c50ed0a6344464afcdff53746ddccee6a3.exe
"C:\Users\Admin\AppData\Local\Temp\9c8e4ed08188524a9beb39dfd35cc3c50ed0a6344464afcdff53746ddccee6a3.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5076
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oN7VW6pJ.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oN7VW6pJ.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2452
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1hM50Oh1.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1hM50Oh1.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1936
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:2388
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 540
        5⤵
        Program crash
        
        PID:4404
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2HV034rz.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2HV034rz.exe
    3⤵
    - Executes dropped EXE
    PID:4576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2388 -ip 2388
1⤵
PID:3472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oN7VW6pJ.exe

Filesize
562KB

MD5
f727cfd8c524022758cdac4799773f8b

SHA1
c4929d8c896f7f3783db813ea4ad0ee322ed90ee

SHA256
28330c7c3fbc424941f242e792fb4976ac9a8cf4cbcda11be14575ea037c9b1e

SHA512
be81080da4659c2ba5cc537f2c63568da535bf126b2dafab1c0ad7630af6c9c98891ffb34f1da8ace35e82d7d179e768ac1d92bf6d1301163c893b8422acf23b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1hM50Oh1.exe

Filesize
1.1MB

MD5
e93f040940611c08b3a9b4b7611a4c2b

SHA1
2f676e1d263e229fa58da88482cb0ed4b7a6a1d7

SHA256
d9cf79e825284a3bf4302cd3fd5ca80f817c6b875f2809609f34b1022d4bfb86

SHA512
67e6fabe4d844d9c6c84156cd329612d3df69aee782dbb0fe2c6b364ce765b93617b485cf3b7343aeb2f69c1896ed3571d58401100afe4072a01e5e633de0a5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2HV034rz.exe

Filesize
222KB

MD5
91fda85627ba598d38af3c5f22a3c778

SHA1
68265be0d87c12c13702697c9d772c8abc7e4bbd

SHA256
f1b2e48bb30db3069f16cb483da2b3c7c90c7e4089753c558fa658d357f43087

SHA512
0f4ff28ad274b6d59da4d96143dfed650d66367146074ff617658838d7f0395bb3501c73278945446390c34a683609d2284f688b536430edd8d22cbd603e3810

Download Submit
memory/2388-14-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2388-18-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2388-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2388-15-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4576-23-0x0000000007F60000-0x0000000008504000-memory.dmp

Filesize
5.6MB

Download
memory/4576-22-0x0000000000CD0000-0x0000000000D0E000-memory.dmp

Filesize
248KB

Download
memory/4576-24-0x0000000007A50000-0x0000000007AE2000-memory.dmp

Filesize
584KB

Download
memory/4576-25-0x0000000002EA0000-0x0000000002EAA000-memory.dmp

Filesize
40KB

Download
memory/4576-26-0x0000000008B30000-0x0000000009148000-memory.dmp

Filesize
6.1MB

Download
memory/4576-27-0x0000000007DE0000-0x0000000007EEA000-memory.dmp

Filesize
1.0MB

Download
memory/4576-28-0x0000000007C90000-0x0000000007CA2000-memory.dmp

Filesize
72KB

Download
memory/4576-29-0x0000000007D10000-0x0000000007D4C000-memory.dmp

Filesize
240KB

Download
memory/4576-30-0x0000000007D50000-0x0000000007D9C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads