mystic | 4ce71244da4dd5d9b0b7535c6b62aebf516adc87a36195170af93efa3a630b9f

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 11:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

825d0619a846701eef20b8c0a10ac730a81fefda0f8afdbe06a54bd4251541ce.exe
Size

1.2MB
MD5

af9935a5730feb37c4978612c4edf672
SHA1

372775e1dd875989d6a340045c4751b3a8240daa
SHA256

825d0619a846701eef20b8c0a10ac730a81fefda0f8afdbe06a54bd4251541ce
SHA512

37a5cd9dd4ad956c4de847584d414c7025fba4bcefcf55745df352674a911d58f7dcdf24caee628a71efd9878dc5c387d1c45f34246032fe939cfa809e47261f
SSDEEP

24576:iy8cCiOZdnMRXmt+VyAxtnrPo+DzCfo336ABzS0fe+T6TqciV:JEMIt0zrQWv6A1P6mci

Score

10^/10

mystic redline gigant infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

gigant

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 3 IoCs

Processes:

resource	yara_rule
behavioral16/memory/1256-35-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral16/memory/1256-38-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral16/memory/1256-36-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2ZI453MP.exe	family_redline
behavioral16/memory/3760-42-0x0000000000AE0000-0x0000000000B1E000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

Processes:

En3mi5kd.exesV8So6oi.exerA2ke2Lm.exeYV0uq1IQ.exe1Yg24GF1.exe2ZI453MP.exe

pid process

4848 En3mi5kd.exe
2776 sV8So6oi.exe
3028 rA2ke2Lm.exe
1196 YV0uq1IQ.exe
4124 1Yg24GF1.exe
3760 2ZI453MP.exe

pid	process
4848	En3mi5kd.exe
2776	sV8So6oi.exe
3028	rA2ke2Lm.exe
1196	YV0uq1IQ.exe
4124	1Yg24GF1.exe
3760	2ZI453MP.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

En3mi5kd.exesV8So6oi.exerA2ke2Lm.exeYV0uq1IQ.exe825d0619a846701eef20b8c0a10ac730a81fefda0f8afdbe06a54bd4251541ce.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	En3mi5kd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	sV8So6oi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	rA2ke2Lm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	YV0uq1IQ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	825d0619a846701eef20b8c0a10ac730a81fefda0f8afdbe06a54bd4251541ce.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

1Yg24GF1.exe

description pid process target process

PID 4124 set thread context of 1256 4124 1Yg24GF1.exe AppLaunch.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1348 4124 WerFault.exe 1Yg24GF1.exe

description	pid	process	target process
PID 4124 set thread context of 1256	4124	1Yg24GF1.exe	AppLaunch.exe

pid	pid_target	process	target process
1348	4124	WerFault.exe	1Yg24GF1.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

825d0619a846701eef20b8c0a10ac730a81fefda0f8afdbe06a54bd4251541ce.exeEn3mi5kd.exesV8So6oi.exerA2ke2Lm.exeYV0uq1IQ.exe1Yg24GF1.exe

description	pid	process	target process
PID 2280 wrote to memory of 4848	2280	825d0619a846701eef20b8c0a10ac730a81fefda0f8afdbe06a54bd4251541ce.exe	En3mi5kd.exe
PID 2280 wrote to memory of 4848	2280	825d0619a846701eef20b8c0a10ac730a81fefda0f8afdbe06a54bd4251541ce.exe	En3mi5kd.exe
PID 2280 wrote to memory of 4848	2280	825d0619a846701eef20b8c0a10ac730a81fefda0f8afdbe06a54bd4251541ce.exe	En3mi5kd.exe
PID 4848 wrote to memory of 2776	4848	En3mi5kd.exe	sV8So6oi.exe
PID 4848 wrote to memory of 2776	4848	En3mi5kd.exe	sV8So6oi.exe
PID 4848 wrote to memory of 2776	4848	En3mi5kd.exe	sV8So6oi.exe
PID 2776 wrote to memory of 3028	2776	sV8So6oi.exe	rA2ke2Lm.exe
PID 2776 wrote to memory of 3028	2776	sV8So6oi.exe	rA2ke2Lm.exe
PID 2776 wrote to memory of 3028	2776	sV8So6oi.exe	rA2ke2Lm.exe
PID 3028 wrote to memory of 1196	3028	rA2ke2Lm.exe	YV0uq1IQ.exe
PID 3028 wrote to memory of 1196	3028	rA2ke2Lm.exe	YV0uq1IQ.exe
PID 3028 wrote to memory of 1196	3028	rA2ke2Lm.exe	YV0uq1IQ.exe
PID 1196 wrote to memory of 4124	1196	YV0uq1IQ.exe	1Yg24GF1.exe
PID 1196 wrote to memory of 4124	1196	YV0uq1IQ.exe	1Yg24GF1.exe
PID 1196 wrote to memory of 4124	1196	YV0uq1IQ.exe	1Yg24GF1.exe
PID 4124 wrote to memory of 1256	4124	1Yg24GF1.exe	AppLaunch.exe
PID 4124 wrote to memory of 1256	4124	1Yg24GF1.exe	AppLaunch.exe
PID 4124 wrote to memory of 1256	4124	1Yg24GF1.exe	AppLaunch.exe
PID 4124 wrote to memory of 1256	4124	1Yg24GF1.exe	AppLaunch.exe
PID 4124 wrote to memory of 1256	4124	1Yg24GF1.exe	AppLaunch.exe
PID 4124 wrote to memory of 1256	4124	1Yg24GF1.exe	AppLaunch.exe
PID 4124 wrote to memory of 1256	4124	1Yg24GF1.exe	AppLaunch.exe
PID 4124 wrote to memory of 1256	4124	1Yg24GF1.exe	AppLaunch.exe
PID 4124 wrote to memory of 1256	4124	1Yg24GF1.exe	AppLaunch.exe
PID 4124 wrote to memory of 1256	4124	1Yg24GF1.exe	AppLaunch.exe
PID 1196 wrote to memory of 3760	1196	YV0uq1IQ.exe	2ZI453MP.exe
PID 1196 wrote to memory of 3760	1196	YV0uq1IQ.exe	2ZI453MP.exe
PID 1196 wrote to memory of 3760	1196	YV0uq1IQ.exe	2ZI453MP.exe

C:\Users\Admin\AppData\Local\Temp\825d0619a846701eef20b8c0a10ac730a81fefda0f8afdbe06a54bd4251541ce.exe
"C:\Users\Admin\AppData\Local\Temp\825d0619a846701eef20b8c0a10ac730a81fefda0f8afdbe06a54bd4251541ce.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2280

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\En3mi5kd.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\En3mi5kd.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4848

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sV8So6oi.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sV8So6oi.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2776

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rA2ke2Lm.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rA2ke2Lm.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3028

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\YV0uq1IQ.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\YV0uq1IQ.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1196

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Yg24GF1.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Yg24GF1.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4124

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
PID:1256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4124 -s 152
7⤵
- Program crash
PID:1348

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2ZI453MP.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2ZI453MP.exe
6⤵
- Executes dropped EXE
PID:3760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4124 -ip 4124
1⤵
PID:900

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\En3mi5kd.exe
Filesize
1.0MB

MD5
93be75e8a3816193f546cbde869c2e0d

SHA1
d31f57488d1c6b1c75469f0ca488a2ea4d2f59f7

SHA256
2c97a0aec7bd7f754afa0f3f5ddc293e08541e1366a8aaee24b2ea95275932ac

SHA512
10374d6e29304825ac9fdfefd7d3e7f4bacb9effa18ffdfe50218169092e0d02bb5e8ffed24fc15be5c379bd814232a29d05d3c4b69eb8a37196fc2e761cd357

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sV8So6oi.exe
Filesize
884KB

MD5
57bbe47a3df8488ade37b772e4d03233

SHA1
a8ab7edc5bf51733a57a5f1ddf626dd154c0cde4

SHA256
8c9c5a5acd23cc2ad72a340ae890e4192429cc52c4240250c3ecca9cb3677b90

SHA512
85814dcbc5259927c56da1719273725c7ea62a6d29fc7334080bb0b5757c7dd21751b565926c9bf5f5589cc74f65f4e5326e05924a6442feb0ba6f9b2b85aefc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rA2ke2Lm.exe
Filesize
590KB

MD5
775f3cf2413fa3e3276da74df020fa51

SHA1
735e5e3e13edfcb389dfc749c30f8043d28a76c6

SHA256
051278c62a75606978acf746f55d1a6662e14305f3a9c793f7fa3f61d6276183

SHA512
bca5a61488e57471224062ee413e6b58419718fdf9d13f4c0e887214a7310158c685bfa245231ae26cddaae9eafb1256c30ecb106f3deb4f0a7fecb1ec8155da

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\YV0uq1IQ.exe
Filesize
417KB

MD5
1359765780e39000eefce6916f75e3b2

SHA1
c7fad61183241c5f99f906a419b77d9d5385ac10

SHA256
b5e6fbe56dd2f1805c90861f6f34be2a58202685bd4f775bfa213e158f12c6ac

SHA512
ac2890301b601bc7c162d582f02ad21958a50bc79e58e2d909238e209b4f1a019926013a63104861cf12a997717491f829ebefa7ef655211df9a819b9eaa1fcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Yg24GF1.exe
Filesize
378KB

MD5
f0831f173733de08511f3a0739f278a6

SHA1
06dc809d653c5d2c97386084ae13b50a73eb5b60

SHA256
8b00f9dce8ceb2123fba3bc9f88419960d1e661b6287eafeba4f0a2ee4be3d27

SHA512
19e3176ce1f154758f685cc4582e93587aa534a251de315473e35758dcd6ff6315880be7602097308dc89c355742be4729bad81de597e8d430a8e868082314e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2ZI453MP.exe
Filesize
231KB

MD5
5cbbf70b11d1f6776addc964c4ceddd7

SHA1
9301e9a63d43dbbc0ca1dd5f84912b80e67ce99a

SHA256
c83de57c35f4636aa2182a3675132155cd3b757bfb14f57bda270ef0a4249b2a

SHA512
d17da9467b5460f6fccd89b2196fa29dbd0004edfc50f66ccc2ac83fc2386e818215ea248a55f40e49ebaec3c6399cc780b4b753ee8f5cc66049b866f3ea10ae

Download Submit
memory/1256-38-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1256-36-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1256-35-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3760-42-0x0000000000AE0000-0x0000000000B1E000-memory.dmp

Filesize
248KB

Download
memory/3760-43-0x0000000007EC0000-0x0000000008464000-memory.dmp

Filesize
5.6MB

Download
memory/3760-44-0x00000000079F0000-0x0000000007A82000-memory.dmp

Filesize
584KB

Download
memory/3760-45-0x0000000002E30000-0x0000000002E3A000-memory.dmp

Filesize
40KB

Download
memory/3760-46-0x0000000008A90000-0x00000000090A8000-memory.dmp

Filesize
6.1MB

Download
memory/3760-47-0x0000000007CF0000-0x0000000007DFA000-memory.dmp

Filesize
1.0MB

Download
memory/3760-48-0x0000000007C00000-0x0000000007C12000-memory.dmp

Filesize
72KB

Download
memory/3760-49-0x0000000007C60000-0x0000000007C9C000-memory.dmp

Filesize
240KB

Download
memory/3760-50-0x0000000007CA0000-0x0000000007CEC000-memory.dmp

Filesize
304KB

Download