mystic | b0707ded6960936877cf4a2a4a5a7191894ea5c19ee70296e7004b5431f5044e

Analysis

max time kernel
149s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 09:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9697ffb24dfe38f4a40e3cf91464543c6f5a47170c56b58a949e1a93ab9df050.exe
Size

1.5MB
MD5

5b1b2dc80e055c1f9326a1559bde65a6
SHA1

ea89222071ba275583438c34bf4b4f8b3158f798
SHA256

9697ffb24dfe38f4a40e3cf91464543c6f5a47170c56b58a949e1a93ab9df050
SHA512

ebf613b3bedd1f9bb5db26415f70a35cbd03b5fd1ee0e7e1365802e39d434c8fa3324141c835ef2d0edbf47bb5e74413a1bf4f33e61148a577b082c454e31580
SSDEEP

24576:NyxMR3S1glDa50/SVv/sSf/D+JqaiuzDNV3vhwc9w8//Pkaku0bLYYddc8z:oOrlLSVvUSfyQuznpw0/cRbTQ

Score

10^/10

mystic redline kinza infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kinza

77.91.124.86:19084

Signatures

Detect Mystic stealer payload 3 IoCs

Processes:

resource	yara_rule
behavioral14/memory/2916-35-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral14/memory/2916-36-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral14/memory/2916-38-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Gf969Yd.exe	family_redline
behavioral14/memory/4896-42-0x0000000000E60000-0x0000000000E9E000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

Processes:

na1kC4Bb.exeZY7uv4SC.exenP8sj5RW.exeee5fj4HH.exe1Kj33LC4.exe2Gf969Yd.exe

pid process

4400 na1kC4Bb.exe
5080 ZY7uv4SC.exe
3708 nP8sj5RW.exe
1484 ee5fj4HH.exe
4980 1Kj33LC4.exe
4896 2Gf969Yd.exe

pid	process
4400	na1kC4Bb.exe
5080	ZY7uv4SC.exe
3708	nP8sj5RW.exe
1484	ee5fj4HH.exe
4980	1Kj33LC4.exe
4896	2Gf969Yd.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

9697ffb24dfe38f4a40e3cf91464543c6f5a47170c56b58a949e1a93ab9df050.exena1kC4Bb.exeZY7uv4SC.exenP8sj5RW.exeee5fj4HH.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	9697ffb24dfe38f4a40e3cf91464543c6f5a47170c56b58a949e1a93ab9df050.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	na1kC4Bb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	ZY7uv4SC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	nP8sj5RW.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	ee5fj4HH.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

1Kj33LC4.exe

description pid process target process

PID 4980 set thread context of 2916 4980 1Kj33LC4.exe AppLaunch.exe

description	pid	process	target process
PID 4980 set thread context of 2916	4980	1Kj33LC4.exe	AppLaunch.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

9697ffb24dfe38f4a40e3cf91464543c6f5a47170c56b58a949e1a93ab9df050.exena1kC4Bb.exeZY7uv4SC.exenP8sj5RW.exeee5fj4HH.exe1Kj33LC4.exe

description	pid	process	target process
PID 3208 wrote to memory of 4400	3208	9697ffb24dfe38f4a40e3cf91464543c6f5a47170c56b58a949e1a93ab9df050.exe	na1kC4Bb.exe
PID 3208 wrote to memory of 4400	3208	9697ffb24dfe38f4a40e3cf91464543c6f5a47170c56b58a949e1a93ab9df050.exe	na1kC4Bb.exe
PID 3208 wrote to memory of 4400	3208	9697ffb24dfe38f4a40e3cf91464543c6f5a47170c56b58a949e1a93ab9df050.exe	na1kC4Bb.exe
PID 4400 wrote to memory of 5080	4400	na1kC4Bb.exe	ZY7uv4SC.exe
PID 4400 wrote to memory of 5080	4400	na1kC4Bb.exe	ZY7uv4SC.exe
PID 4400 wrote to memory of 5080	4400	na1kC4Bb.exe	ZY7uv4SC.exe
PID 5080 wrote to memory of 3708	5080	ZY7uv4SC.exe	nP8sj5RW.exe
PID 5080 wrote to memory of 3708	5080	ZY7uv4SC.exe	nP8sj5RW.exe
PID 5080 wrote to memory of 3708	5080	ZY7uv4SC.exe	nP8sj5RW.exe
PID 3708 wrote to memory of 1484	3708	nP8sj5RW.exe	ee5fj4HH.exe
PID 3708 wrote to memory of 1484	3708	nP8sj5RW.exe	ee5fj4HH.exe
PID 3708 wrote to memory of 1484	3708	nP8sj5RW.exe	ee5fj4HH.exe
PID 1484 wrote to memory of 4980	1484	ee5fj4HH.exe	1Kj33LC4.exe
PID 1484 wrote to memory of 4980	1484	ee5fj4HH.exe	1Kj33LC4.exe
PID 1484 wrote to memory of 4980	1484	ee5fj4HH.exe	1Kj33LC4.exe
PID 4980 wrote to memory of 2916	4980	1Kj33LC4.exe	AppLaunch.exe
PID 4980 wrote to memory of 2916	4980	1Kj33LC4.exe	AppLaunch.exe
PID 4980 wrote to memory of 2916	4980	1Kj33LC4.exe	AppLaunch.exe
PID 4980 wrote to memory of 2916	4980	1Kj33LC4.exe	AppLaunch.exe
PID 4980 wrote to memory of 2916	4980	1Kj33LC4.exe	AppLaunch.exe
PID 4980 wrote to memory of 2916	4980	1Kj33LC4.exe	AppLaunch.exe
PID 4980 wrote to memory of 2916	4980	1Kj33LC4.exe	AppLaunch.exe
PID 4980 wrote to memory of 2916	4980	1Kj33LC4.exe	AppLaunch.exe
PID 4980 wrote to memory of 2916	4980	1Kj33LC4.exe	AppLaunch.exe
PID 4980 wrote to memory of 2916	4980	1Kj33LC4.exe	AppLaunch.exe
PID 1484 wrote to memory of 4896	1484	ee5fj4HH.exe	2Gf969Yd.exe
PID 1484 wrote to memory of 4896	1484	ee5fj4HH.exe	2Gf969Yd.exe
PID 1484 wrote to memory of 4896	1484	ee5fj4HH.exe	2Gf969Yd.exe

C:\Users\Admin\AppData\Local\Temp\9697ffb24dfe38f4a40e3cf91464543c6f5a47170c56b58a949e1a93ab9df050.exe
"C:\Users\Admin\AppData\Local\Temp\9697ffb24dfe38f4a40e3cf91464543c6f5a47170c56b58a949e1a93ab9df050.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3208

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\na1kC4Bb.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\na1kC4Bb.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4400

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ZY7uv4SC.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ZY7uv4SC.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5080

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nP8sj5RW.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nP8sj5RW.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3708

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ee5fj4HH.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ee5fj4HH.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1484

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Kj33LC4.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Kj33LC4.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4980

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
PID:2916

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Gf969Yd.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Gf969Yd.exe
6⤵
- Executes dropped EXE
PID:4896

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\na1kC4Bb.exe
Filesize
1.3MB

MD5
b42441576c3fae1111cfff9b01baaf44

SHA1
6a5a543c0dc2f216e8e1f2efd3bf07ff2a3d124f

SHA256
09002c1598c9d0ecc8204f35133c15a3a0d3b26fff9b7b3ee124eb9eee66a1fb

SHA512
79e2b022db37666ca032e98b32a087468fd9086ee363f7a4a5b9a86066a4ae407c108f7fd5fb96e4596451e59be528d8b6391314da588f86b7885783e28099ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ZY7uv4SC.exe
Filesize
1.2MB

MD5
6e2ca063b5ef2c46f610faf3e6fe09aa

SHA1
a8ed15cefa6936b6775cf0cfbcba73996a3f128d

SHA256
1e1436d71b16fb0c3bd243f2e3737285d7a28b8237d0905ae6e0aaa409a45c03

SHA512
793ad10847f2c2c5174e2afb9bfb77d9209d6bf2227ae2dc58e21ba74f9c026c18de8626d9a5d840cc7287da350b6f0cb8268432e56ee2953f23528c9cd989dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nP8sj5RW.exe
Filesize
761KB

MD5
bc46592f388e928f9762b5514a86ec94

SHA1
30632a3e344d9942f2585a5da38fba5b91e0114c

SHA256
228cc8716a7ddf36cadadf64441f02ad9b5cbf87a3b6b214b60f542a91786da3

SHA512
7b94ee93bb029a6c7d4581c7a8f3d080ce6890467312706761f5c5d627984a192ed051d4592171f9f2438459f16d7091572ed6e16397e65e1be2cd370ecdc8de

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ee5fj4HH.exe
Filesize
565KB

MD5
88f6abea62ac6255cc733600523415ab

SHA1
6c2bb40399ab8427e0fa0e89ddf1a402ca538869

SHA256
8ff9750981d74a52b9ba98cebcb3e361c368abae0e91d66ddb1fc319d6622146

SHA512
1493b37226058b57a11ae9ed5142cfb2afd73134aa095d42e72c80b53129ea99ae36467cf8941ef07bde15db0a279da0d2a95137da640460e8514da51f439c71

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Kj33LC4.exe
Filesize
1.1MB

MD5
2302ab0ccaa1a21458f893e4b982e6fd

SHA1
60d30b1b123a7e337c333032224074811622e16d

SHA256
7779e272578e4a52b6ab4f20919df9d94f51808f7d2ae697f437b4f9f703db79

SHA512
a900c8c289f0782379a52e82b8787af7e6d932144f3c048c6b9981c3f1f862e7d229c6eb651f0e9e0ff9d7ab7be9b380cd51e920e96075b891753b24f830589d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Gf969Yd.exe
Filesize
221KB

MD5
2dd46fed4e062f7343714db1895371b5

SHA1
f450e8f8f5af864b26e022bb5f09aac4a33ffc04

SHA256
4bf8a364803741ead6d7b71d0fca8f46c0ef374240accc75c58798cdc09ed1af

SHA512
cf0b4a79f9ef302ed189fd47b930a38059ac8006b6662068bdf446f5db5374c5d9e619f9e2e1b790a56c2efb51b2126b053deb9590ab4d2d5586a60a0b20ed36

Download Submit
memory/2916-36-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2916-38-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2916-35-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4896-42-0x0000000000E60000-0x0000000000E9E000-memory.dmp

Filesize
248KB

Download
memory/4896-43-0x0000000008240000-0x00000000087E4000-memory.dmp

Filesize
5.6MB

Download
memory/4896-44-0x0000000007D70000-0x0000000007E02000-memory.dmp

Filesize
584KB

Download
memory/4896-45-0x00000000031A0000-0x00000000031AA000-memory.dmp

Filesize
40KB

Download
memory/4896-46-0x0000000008E10000-0x0000000009428000-memory.dmp

Filesize
6.1MB

Download
memory/4896-47-0x0000000008040000-0x000000000814A000-memory.dmp

Filesize
1.0MB

Download
memory/4896-48-0x0000000007F50000-0x0000000007F62000-memory.dmp

Filesize
72KB

Download
memory/4896-49-0x0000000007FB0000-0x0000000007FEC000-memory.dmp

Filesize
240KB

Download
memory/4896-50-0x0000000008150000-0x000000000819C000-memory.dmp

Filesize
304KB

Download