mystic | 9f4cee8892544b3b9090f5a7288e0a353e34bada2f75253f19bfebaefa1f0f53

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 09:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aaed2c62a2146133d41a2c878d138f90f6fd57a1173b0784f6516128378b0e28.exe
Size

1.5MB
MD5

039c520ad29f179727d52fd7bb41ddc9
SHA1

68e44ea4487f50fa6c97b3aa739bf3c2bb15e2f5
SHA256

aaed2c62a2146133d41a2c878d138f90f6fd57a1173b0784f6516128378b0e28
SHA512

e22e81f49b448e7d18f7bfdb3b13688020b279a6fb39db44238e2f695f90dab9f3b9af6409fc80f8a799537f330af753abc8e3548baad183ce24d7a61e74f0e8
SSDEEP

24576:Vy8nyYj4q3Y6M2GWyMu86ZD4SBFL/gfzWHbawDN67vluQaU8t0EOU2luc4kFO6i:w8ny24qNtyMuF4iSqHb/YPaavUcP4KO6

Score

10^/10

mystic redline kedru infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kedru

77.91.124.86:19084

Signatures

Detect Mystic stealer payload 3 IoCs

resource	yara_rule
behavioral16/memory/3740-38-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral16/memory/3740-36-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral16/memory/3740-35-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral16/files/0x0007000000023454-40.dat	family_redline
behavioral16/memory/5032-42-0x0000000000B80000-0x0000000000BBC000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
1704	Ws0dl5dd.exe
2120	Xy8Jr5cs.exe
4864	IX4iK9bU.exe
3628	jq7aD3uW.exe
1872	1uz88rO8.exe
5032	2qr874YG.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	aaed2c62a2146133d41a2c878d138f90f6fd57a1173b0784f6516128378b0e28.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Ws0dl5dd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Xy8Jr5cs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	IX4iK9bU.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	jq7aD3uW.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1872 set thread context of 3740	1872	1uz88rO8.exe	91

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1772 wrote to memory of 1704	1772	aaed2c62a2146133d41a2c878d138f90f6fd57a1173b0784f6516128378b0e28.exe	83
PID 1772 wrote to memory of 1704	1772	aaed2c62a2146133d41a2c878d138f90f6fd57a1173b0784f6516128378b0e28.exe	83
PID 1772 wrote to memory of 1704	1772	aaed2c62a2146133d41a2c878d138f90f6fd57a1173b0784f6516128378b0e28.exe	83
PID 1704 wrote to memory of 2120	1704	Ws0dl5dd.exe	84
PID 1704 wrote to memory of 2120	1704	Ws0dl5dd.exe	84
PID 1704 wrote to memory of 2120	1704	Ws0dl5dd.exe	84
PID 2120 wrote to memory of 4864	2120	Xy8Jr5cs.exe	87
PID 2120 wrote to memory of 4864	2120	Xy8Jr5cs.exe	87
PID 2120 wrote to memory of 4864	2120	Xy8Jr5cs.exe	87
PID 4864 wrote to memory of 3628	4864	IX4iK9bU.exe	89
PID 4864 wrote to memory of 3628	4864	IX4iK9bU.exe	89
PID 4864 wrote to memory of 3628	4864	IX4iK9bU.exe	89
PID 3628 wrote to memory of 1872	3628	jq7aD3uW.exe	90
PID 3628 wrote to memory of 1872	3628	jq7aD3uW.exe	90
PID 3628 wrote to memory of 1872	3628	jq7aD3uW.exe	90
PID 1872 wrote to memory of 3740	1872	1uz88rO8.exe	91
PID 1872 wrote to memory of 3740	1872	1uz88rO8.exe	91
PID 1872 wrote to memory of 3740	1872	1uz88rO8.exe	91
PID 1872 wrote to memory of 3740	1872	1uz88rO8.exe	91
PID 1872 wrote to memory of 3740	1872	1uz88rO8.exe	91
PID 1872 wrote to memory of 3740	1872	1uz88rO8.exe	91
PID 1872 wrote to memory of 3740	1872	1uz88rO8.exe	91
PID 1872 wrote to memory of 3740	1872	1uz88rO8.exe	91
PID 1872 wrote to memory of 3740	1872	1uz88rO8.exe	91
PID 1872 wrote to memory of 3740	1872	1uz88rO8.exe	91
PID 3628 wrote to memory of 5032	3628	jq7aD3uW.exe	92
PID 3628 wrote to memory of 5032	3628	jq7aD3uW.exe	92
PID 3628 wrote to memory of 5032	3628	jq7aD3uW.exe	92

C:\Users\Admin\AppData\Local\Temp\aaed2c62a2146133d41a2c878d138f90f6fd57a1173b0784f6516128378b0e28.exe
"C:\Users\Admin\AppData\Local\Temp\aaed2c62a2146133d41a2c878d138f90f6fd57a1173b0784f6516128378b0e28.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1772
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ws0dl5dd.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ws0dl5dd.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1704
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Xy8Jr5cs.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Xy8Jr5cs.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2120
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\IX4iK9bU.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\IX4iK9bU.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4864
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\jq7aD3uW.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\jq7aD3uW.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:3628
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1uz88rO8.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1uz88rO8.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1872
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:3740
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2qr874YG.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2qr874YG.exe
        6⤵
        Executes dropped EXE
        
        PID:5032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ws0dl5dd.exe

Filesize
1.3MB

MD5
62720902f665d57ce90d75ec43de2627

SHA1
7d23c3e8b31665411699a3f9571ca347a5b83f2e

SHA256
18bade8402b5bb5f07c942d9ce180161ca5c3215c98493a8251059ff17312362

SHA512
e1668520fc7aee97304b954bbae9b3aed1a8a0c25117b799cc91943ad8b99aa19df6fc2abb9234530759ef23fd10c2c5ef29ba88439c3aa951a9b603e6cf1338

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Xy8Jr5cs.exe

Filesize
1.2MB

MD5
b88f7b9bc84f8b58fd32e07fc20d7c13

SHA1
c4105691e3d31c9157001fcd9905d5d64b46b6df

SHA256
c2a00704091708efa5fc098e3fe3490b805056a209769105ac8669d1eec11588

SHA512
b743b2fdfb3db0964c68824bfa5707bcb8c6e8d4190aa002f2fd273d49fc26d237f913a8acdcecdeb28ddeb544d15ccac779ce3b63445c76d29320f5a0434364

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\IX4iK9bU.exe

Filesize
765KB

MD5
d1e00977c3b90892de2d2b2687f41460

SHA1
44b82a0a560b60c069bd07cd6fd3ad6e8348c9ce

SHA256
15041e924d82e47d490dc2d54240460649f90e6de7b12cca1061f20ace6c9c8a

SHA512
baddce7b19e0f917ab1223bfc7654c850bbb96f1459dad63d5efd70e39f966fc2677a3b6c03d4a5e97786b6fd9e27f41281c2be66864536f33add26f566e43e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\jq7aD3uW.exe

Filesize
569KB

MD5
cb4b77a00ff06f41d25e7014cba3a5bf

SHA1
a49a1bc6c58b8f113ebd0063e6004da03943974f

SHA256
d4e744ccb61cef2968b130523c284eb14a608c651d2dd6770df697e630af1a53

SHA512
739a1fbd622cfedbe1a80d2a34559a7086c7fd67b6ee8bd3bfa6864e6cc7d2341d1bc2cf5193d82acb953b1e7bf1b7406b6eeba185911ef2118441f1414d8ae3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1uz88rO8.exe

Filesize
1.1MB

MD5
992b95942128e576f092bfc689f2bc07

SHA1
04751682f383cb40c1d1cf37f2d440b5b6ddf5b7

SHA256
44901b76fe126f154ad8839e833159fea65f5de8cf79c4918cc9d8136f57354a

SHA512
1de12546b1e3b0d3ede12b3d98023ed1e1e20e87968cf517a5bb2df304fc9d76b056c543c3c770fa30234030906b677a30cb4ad289703438c161d058ba49cc71

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2qr874YG.exe

Filesize
219KB

MD5
c03c2b5def3992c4f734b9057e0d4d29

SHA1
43ef969756575bb2ba2f37f12fa94fb7fddbd984

SHA256
02f562695fd48dd3d50bbb0e6c8ac0ebf17b72d18f11189147a350b0262e5270

SHA512
c62f7d77aef22e94c5bfa40c92d2cc1c2d83855f8bdbd52814eb931449e07cd406ac7562a86933c8be08d177e7dcfda5c8906f9927a4893592ecf475dc71aa88

Download Submit
memory/3740-35-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3740-38-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3740-36-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5032-42-0x0000000000B80000-0x0000000000BBC000-memory.dmp

Filesize
240KB

Download
memory/5032-43-0x0000000007E60000-0x0000000008404000-memory.dmp

Filesize
5.6MB

Download
memory/5032-44-0x0000000007950000-0x00000000079E2000-memory.dmp

Filesize
584KB

Download
memory/5032-45-0x0000000004F20000-0x0000000004F2A000-memory.dmp

Filesize
40KB

Download
memory/5032-46-0x0000000008A30000-0x0000000009048000-memory.dmp

Filesize
6.1MB

Download
memory/5032-48-0x0000000007A30000-0x0000000007A42000-memory.dmp

Filesize
72KB

Download
memory/5032-47-0x0000000007D40000-0x0000000007E4A000-memory.dmp

Filesize
1.0MB

Download
memory/5032-49-0x0000000007AC0000-0x0000000007AFC000-memory.dmp

Filesize
240KB

Download
memory/5032-50-0x0000000007C30000-0x0000000007C7C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads