mystic | b0707ded6960936877cf4a2a4a5a7191894ea5c19ee70296e7004b5431f5044e

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 09:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2c5911fd0a616aa00118b87a5216b4c3312dd590b4988b62bf0651b91fc5b29f.exe
Size

1.5MB
MD5

b61170f2b227f99ed0257b938906f686
SHA1

f6a839a52f0af527b1ae2a4b37946941b18da532
SHA256

2c5911fd0a616aa00118b87a5216b4c3312dd590b4988b62bf0651b91fc5b29f
SHA512

97ba944bc336d05f72362828c87f6101ffd639d8edf47d52e94648396a5075b771dfd46bdfc5347a911460647d4d10eb91032d848374e21b53341a1f1ad86c94
SSDEEP

24576:Ey0Xn/cq0cXV5RSiGOQqZFoZiQVrRmG47oeQBVx6WolM2y32bRu9MzkWfB0yxNlV:T0UwXVuHOvmRr48eQV6Woy52bR0ikgXN

Score

10^/10

mystic redline kinza infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kinza

77.91.124.86:19084

Signatures

Detect Mystic stealer payload 3 IoCs

resource	yara_rule
behavioral2/memory/2720-35-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral2/memory/2720-36-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral2/memory/2720-38-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral2/files/0x00070000000233ee-41.dat	family_redline
behavioral2/memory/752-42-0x0000000000CC0000-0x0000000000CFE000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
4600	rb1iO5dt.exe
3940	az8gH1bQ.exe
4924	hv1Zo4YT.exe
2556	DB4Dh1xd.exe
2856	1Ql97iH7.exe
752	2WD944JN.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	2c5911fd0a616aa00118b87a5216b4c3312dd590b4988b62bf0651b91fc5b29f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	rb1iO5dt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	az8gH1bQ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	hv1Zo4YT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	DB4Dh1xd.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2856 set thread context of 2720	2856	1Ql97iH7.exe	87

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 3796 wrote to memory of 4600	3796	2c5911fd0a616aa00118b87a5216b4c3312dd590b4988b62bf0651b91fc5b29f.exe	81
PID 3796 wrote to memory of 4600	3796	2c5911fd0a616aa00118b87a5216b4c3312dd590b4988b62bf0651b91fc5b29f.exe	81
PID 3796 wrote to memory of 4600	3796	2c5911fd0a616aa00118b87a5216b4c3312dd590b4988b62bf0651b91fc5b29f.exe	81
PID 4600 wrote to memory of 3940	4600	rb1iO5dt.exe	82
PID 4600 wrote to memory of 3940	4600	rb1iO5dt.exe	82
PID 4600 wrote to memory of 3940	4600	rb1iO5dt.exe	82
PID 3940 wrote to memory of 4924	3940	az8gH1bQ.exe	83
PID 3940 wrote to memory of 4924	3940	az8gH1bQ.exe	83
PID 3940 wrote to memory of 4924	3940	az8gH1bQ.exe	83
PID 4924 wrote to memory of 2556	4924	hv1Zo4YT.exe	84
PID 4924 wrote to memory of 2556	4924	hv1Zo4YT.exe	84
PID 4924 wrote to memory of 2556	4924	hv1Zo4YT.exe	84
PID 2556 wrote to memory of 2856	2556	DB4Dh1xd.exe	85
PID 2556 wrote to memory of 2856	2556	DB4Dh1xd.exe	85
PID 2556 wrote to memory of 2856	2556	DB4Dh1xd.exe	85
PID 2856 wrote to memory of 908	2856	1Ql97iH7.exe	86
PID 2856 wrote to memory of 908	2856	1Ql97iH7.exe	86
PID 2856 wrote to memory of 908	2856	1Ql97iH7.exe	86
PID 2856 wrote to memory of 2720	2856	1Ql97iH7.exe	87
PID 2856 wrote to memory of 2720	2856	1Ql97iH7.exe	87
PID 2856 wrote to memory of 2720	2856	1Ql97iH7.exe	87
PID 2856 wrote to memory of 2720	2856	1Ql97iH7.exe	87
PID 2856 wrote to memory of 2720	2856	1Ql97iH7.exe	87
PID 2856 wrote to memory of 2720	2856	1Ql97iH7.exe	87
PID 2856 wrote to memory of 2720	2856	1Ql97iH7.exe	87
PID 2856 wrote to memory of 2720	2856	1Ql97iH7.exe	87
PID 2856 wrote to memory of 2720	2856	1Ql97iH7.exe	87
PID 2856 wrote to memory of 2720	2856	1Ql97iH7.exe	87
PID 2556 wrote to memory of 752	2556	DB4Dh1xd.exe	88
PID 2556 wrote to memory of 752	2556	DB4Dh1xd.exe	88
PID 2556 wrote to memory of 752	2556	DB4Dh1xd.exe	88

C:\Users\Admin\AppData\Local\Temp\2c5911fd0a616aa00118b87a5216b4c3312dd590b4988b62bf0651b91fc5b29f.exe
"C:\Users\Admin\AppData\Local\Temp\2c5911fd0a616aa00118b87a5216b4c3312dd590b4988b62bf0651b91fc5b29f.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3796
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rb1iO5dt.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rb1iO5dt.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4600
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\az8gH1bQ.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\az8gH1bQ.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3940
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\hv1Zo4YT.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\hv1Zo4YT.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4924
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\DB4Dh1xd.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\DB4Dh1xd.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2556
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Ql97iH7.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Ql97iH7.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2856
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:908
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:2720
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2WD944JN.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2WD944JN.exe
        6⤵
        Executes dropped EXE
        
        PID:752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rb1iO5dt.exe

Filesize
1.3MB

MD5
3f4ca944008c4dcff46b5b997bb8a800

SHA1
9006ff43730ce592201644b01c511dab93c61e15

SHA256
6a3545cda45590fc91fec8603a3aac56b54d479cac9a6e087c42f91c570281c8

SHA512
e182896ae69ededa51f8d648e382fe6d1d760df0409c7d25704628f2789b93204a4c92e803403b8c0c5acf3f85ac6cae39714b320c8e325676a1193d4c28191c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\az8gH1bQ.exe

Filesize
1.2MB

MD5
f92e5e996f83e79374e278abadaa2c1a

SHA1
f3aaed4da0cd83acd9f9e886bd31752bab556455

SHA256
48e846285e801d49dd5d05f47221081d435a06c56c6589fe17eeac5717d719b2

SHA512
928c80c6f4c13dda769e1bc3ad9907f9aec00680982c10797c46a6d4430350c8e1b88ed50b5bda149196c18bfffa542039c14e6fc4673cda63aaa02b6342cead

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\hv1Zo4YT.exe

Filesize
762KB

MD5
f88e3b791b17673243e1facd2c102508

SHA1
73e10c001843daf0871db5aba867d82b11d659c5

SHA256
150afc37eb14278d713b519bde711660f055deddf2d15da2426809b93afa6911

SHA512
d2817b3c1418088636b282b50989cc8f969e48d900fea9e4eb939b78648e02be22783b4d04ac479447137a779f0ae84249c31887059bb1e40c8932ecda215269

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\DB4Dh1xd.exe

Filesize
566KB

MD5
7fd6f9c72b2211a3179e68770a4364b8

SHA1
9f28f9f3009ca6d4882d6ea90a3f8412d7834aee

SHA256
b7cf97a41fc7ff3993a960bdb59bc68323c4991f67ec99fa6c26e527856df4e0

SHA512
b0e40ab2c016cb10618ed07588d0aadd57c29dcadcad4c6d323e6bc61c38a4596d78713ac64284f1aab301e38d1d022a64d1f7977e1ee5a54689bddf505c591d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Ql97iH7.exe

Filesize
1.1MB

MD5
a118fd63dea8b22dd475f652caf621c5

SHA1
5b52fd31b5ba0dfb104f8dd63c94f94a8b41b61c

SHA256
1bf5cec3c254448c4c70558dc424e41f1c52255d582ac0aabb0a64c028cddf9a

SHA512
4661862d7b6d82fc53fd1016b384a402d49eed6e72e200a10346d63cf34c979c5a2da303f2befba7cf31ebbaea08c693a9d30af27dd3d6b1bd2a04e4a7a1f156

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2WD944JN.exe

Filesize
221KB

MD5
f5549b39fbbdb4b0f3f642ef38983ee5

SHA1
259544067b74db1f8cb08a3c8b3413b3c3861f36

SHA256
8ed359cdd6330f9b84400f9ca839b074ac2a4af2d6839a942cbaf295f24076d8

SHA512
eb10566a644ea029fa51f72f528475847c72b9e564857e98c065c792fa6f6d31c21ada77e0f360117e78d23198093824119f984f99c072f77debda2f04edeb95

Download Submit
memory/752-45-0x0000000005070000-0x000000000507A000-memory.dmp

Filesize
40KB

Download
memory/752-42-0x0000000000CC0000-0x0000000000CFE000-memory.dmp

Filesize
248KB

Download
memory/752-43-0x0000000007F50000-0x00000000084F4000-memory.dmp

Filesize
5.6MB

Download
memory/752-44-0x0000000007A80000-0x0000000007B12000-memory.dmp

Filesize
584KB

Download
memory/752-46-0x0000000008B20000-0x0000000009138000-memory.dmp

Filesize
6.1MB

Download
memory/752-47-0x0000000007DF0000-0x0000000007EFA000-memory.dmp

Filesize
1.0MB

Download
memory/752-48-0x0000000007C60000-0x0000000007C72000-memory.dmp

Filesize
72KB

Download
memory/752-49-0x0000000007CE0000-0x0000000007D1C000-memory.dmp

Filesize
240KB

Download
memory/752-50-0x0000000007D20000-0x0000000007D6C000-memory.dmp

Filesize
304KB

Download
memory/2720-36-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2720-38-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2720-35-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads