mystic | e19e97a334ecb39058fd976080222a46cc2159e34c85df371a9eaf0088ee80eb

Analysis

max time kernel
140s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 10:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0bbde9df8818bd31a5563ee46a1512cc0d05c5d11e8469ef5c7ec394bb8ed020.exe
Size

1.5MB
MD5

c8300b6950b7d72d3b59a352609e3c56
SHA1

972cf57fe17290050684f2f291d866aacd7d2c54
SHA256

0bbde9df8818bd31a5563ee46a1512cc0d05c5d11e8469ef5c7ec394bb8ed020
SHA512

5605a80e79c4926c3c72bc1aebd3b4065268cf66dbdc911c2f5413fdabecbb7c2fa372782b407270ab1d2fcbdc80180dcd546d273a4f914ed59bf3bca83055a1
SSDEEP

24576:Ay8LugT4ZToAo074txPEcwbOHXJ0OyqGqBven4ZMbtxppZRvCII:H8L7T4JoAqtxCSZPFG8vHZWPVv

Score

10^/10

mystic redline kinza infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kinza

77.91.124.86:19084

Signatures

Detect Mystic stealer payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1332-35-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral1/memory/1332-38-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral1/memory/1332-40-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2nt525Xq.exe	family_redline
behavioral1/memory/628-42-0x00000000008B0000-0x00000000008EE000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

Processes:

Af8RI0Ie.exeYH2Og3Jc.exeKq5QL1VX.exeET9lF9Bu.exe1gk37JI4.exe2nt525Xq.exe

pid process

1652 Af8RI0Ie.exe
380 YH2Og3Jc.exe
724 Kq5QL1VX.exe
4288 ET9lF9Bu.exe
4392 1gk37JI4.exe
628 2nt525Xq.exe

pid	process
1652	Af8RI0Ie.exe
380	YH2Og3Jc.exe
724	Kq5QL1VX.exe
4288	ET9lF9Bu.exe
4392	1gk37JI4.exe
628	2nt525Xq.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Af8RI0Ie.exeYH2Og3Jc.exeKq5QL1VX.exeET9lF9Bu.exe0bbde9df8818bd31a5563ee46a1512cc0d05c5d11e8469ef5c7ec394bb8ed020.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Af8RI0Ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	YH2Og3Jc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	Kq5QL1VX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	ET9lF9Bu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	0bbde9df8818bd31a5563ee46a1512cc0d05c5d11e8469ef5c7ec394bb8ed020.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

1gk37JI4.exe

description pid process target process

PID 4392 set thread context of 1332 4392 1gk37JI4.exe AppLaunch.exe

description	pid	process	target process
PID 4392 set thread context of 1332	4392	1gk37JI4.exe	AppLaunch.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

0bbde9df8818bd31a5563ee46a1512cc0d05c5d11e8469ef5c7ec394bb8ed020.exeAf8RI0Ie.exeYH2Og3Jc.exeKq5QL1VX.exeET9lF9Bu.exe1gk37JI4.exe

description	pid	process	target process
PID 1532 wrote to memory of 1652	1532	0bbde9df8818bd31a5563ee46a1512cc0d05c5d11e8469ef5c7ec394bb8ed020.exe	Af8RI0Ie.exe
PID 1532 wrote to memory of 1652	1532	0bbde9df8818bd31a5563ee46a1512cc0d05c5d11e8469ef5c7ec394bb8ed020.exe	Af8RI0Ie.exe
PID 1532 wrote to memory of 1652	1532	0bbde9df8818bd31a5563ee46a1512cc0d05c5d11e8469ef5c7ec394bb8ed020.exe	Af8RI0Ie.exe
PID 1652 wrote to memory of 380	1652	Af8RI0Ie.exe	YH2Og3Jc.exe
PID 1652 wrote to memory of 380	1652	Af8RI0Ie.exe	YH2Og3Jc.exe
PID 1652 wrote to memory of 380	1652	Af8RI0Ie.exe	YH2Og3Jc.exe
PID 380 wrote to memory of 724	380	YH2Og3Jc.exe	Kq5QL1VX.exe
PID 380 wrote to memory of 724	380	YH2Og3Jc.exe	Kq5QL1VX.exe
PID 380 wrote to memory of 724	380	YH2Og3Jc.exe	Kq5QL1VX.exe
PID 724 wrote to memory of 4288	724	Kq5QL1VX.exe	ET9lF9Bu.exe
PID 724 wrote to memory of 4288	724	Kq5QL1VX.exe	ET9lF9Bu.exe
PID 724 wrote to memory of 4288	724	Kq5QL1VX.exe	ET9lF9Bu.exe
PID 4288 wrote to memory of 4392	4288	ET9lF9Bu.exe	1gk37JI4.exe
PID 4288 wrote to memory of 4392	4288	ET9lF9Bu.exe	1gk37JI4.exe
PID 4288 wrote to memory of 4392	4288	ET9lF9Bu.exe	1gk37JI4.exe
PID 4392 wrote to memory of 1332	4392	1gk37JI4.exe	AppLaunch.exe
PID 4392 wrote to memory of 1332	4392	1gk37JI4.exe	AppLaunch.exe
PID 4392 wrote to memory of 1332	4392	1gk37JI4.exe	AppLaunch.exe
PID 4392 wrote to memory of 1332	4392	1gk37JI4.exe	AppLaunch.exe
PID 4392 wrote to memory of 1332	4392	1gk37JI4.exe	AppLaunch.exe
PID 4392 wrote to memory of 1332	4392	1gk37JI4.exe	AppLaunch.exe
PID 4392 wrote to memory of 1332	4392	1gk37JI4.exe	AppLaunch.exe
PID 4392 wrote to memory of 1332	4392	1gk37JI4.exe	AppLaunch.exe
PID 4392 wrote to memory of 1332	4392	1gk37JI4.exe	AppLaunch.exe
PID 4392 wrote to memory of 1332	4392	1gk37JI4.exe	AppLaunch.exe
PID 4288 wrote to memory of 628	4288	ET9lF9Bu.exe	2nt525Xq.exe
PID 4288 wrote to memory of 628	4288	ET9lF9Bu.exe	2nt525Xq.exe
PID 4288 wrote to memory of 628	4288	ET9lF9Bu.exe	2nt525Xq.exe

C:\Users\Admin\AppData\Local\Temp\0bbde9df8818bd31a5563ee46a1512cc0d05c5d11e8469ef5c7ec394bb8ed020.exe
"C:\Users\Admin\AppData\Local\Temp\0bbde9df8818bd31a5563ee46a1512cc0d05c5d11e8469ef5c7ec394bb8ed020.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1532
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Af8RI0Ie.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Af8RI0Ie.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1652
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\YH2Og3Jc.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\YH2Og3Jc.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:380
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Kq5QL1VX.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Kq5QL1VX.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:724
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ET9lF9Bu.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ET9lF9Bu.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4288
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1gk37JI4.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1gk37JI4.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4392
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:1332
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2nt525Xq.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2nt525Xq.exe
        6⤵
        Executes dropped EXE
        
        PID:628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Af8RI0Ie.exe

Filesize
1.3MB

MD5
7aa537ae0a9f7b5540187726d4a7fe78

SHA1
1a511834bf82fe512dccb4dbee9bbcb1734825c6

SHA256
60b78beb4087088fad593d16af47076e2ec887ae3d79d882819aecf895d0d0ed

SHA512
ede8b5f67cd6f10421d56a512a50c3b881a3842b93246f46d870a6696744416da683e38ccd26c71015b9cac2b10dcc6c4bd19ee56422aedaeeced0fa0cd8180a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\YH2Og3Jc.exe

Filesize
1.1MB

MD5
a6b6cb545c884c90acf729a9f6d968f5

SHA1
be4e7220bc6cc53dc6725847f2b3b81e205f294c

SHA256
6752da517ee3c6ab662e567131e194337416990736590d66456f6aa0de3f4aa5

SHA512
1e081e1a825b4814de28addafdb4375818ab27b88323e054e2f6939bf4ca56d83f751b18c56db2189aeee250a1da7459eec424f57be8aae5d0acd123cdadab39

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Kq5QL1VX.exe

Filesize
759KB

MD5
17bf3d3e2ad4da0b32c834386087fb89

SHA1
070e7dc64877a8d22499509600db23dfcc78f125

SHA256
30fa8e5b8d943ea0d6cef95946b81bbade3bcf4320251fdbe413a2d60e2e6b25

SHA512
1580e13665d7943acac390f1d37e5033fa43e3c48f340a1bfb60c400aff5d219e08358ffe76d3e5f269718d422e9e1056132b41c60e62f6ecd489296f1d0af0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ET9lF9Bu.exe

Filesize
563KB

MD5
9bcb99b59e64a1495408ed4665ae0dd0

SHA1
309a421488aeeff17f4d2c7e35508b0e65f1c2bd

SHA256
742f8905fb22252704c7420f81e18088321c7a0ee6fe09a0c0b572e49b8bed65

SHA512
bf5184b423c8e895f0afcff7e7762952a362c1852b246931b69565f018fdbca76ca8d80b78836af2a57209303560b65c8b54c6d9faa2eae44fc5473069bf9238

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1gk37JI4.exe

Filesize
1.1MB

MD5
a29766e64062c9482a379a14878dc8df

SHA1
a5e98a91d641851d7c7c00a78d74b7e4f6f568c8

SHA256
f620f27f93ce916b2b84c785fd3e5124fb610f8e4453eee820ef98200ec40192

SHA512
b520f64f219a7b91077d341b1d1cb9f1cbd93cedda86f5e97a6588a39a018ab9db68d516e1bd4cdafe72e2c3f97311d85da4f10c0547bf26e08077b51c8e8e3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2nt525Xq.exe

Filesize
221KB

MD5
a763c13abbca649b7659894bc9e356a8

SHA1
1155ef499dcba22905cc6aee6d984fa76f3fcb6b

SHA256
93c835f9102f7405390dd40576460c5e9c8de912d98612346af095fca210949a

SHA512
78a021f44c5789a92d65c6e468b760fa3eadd295e489e449df6bc886bddea72aa2bfad30b3017640c05824e0b788f63d1ad864810f7b1fa33d634c4ef155f27e

Download Submit
memory/628-45-0x0000000002B30000-0x0000000002B3A000-memory.dmp

Filesize
40KB

Download
memory/628-42-0x00000000008B0000-0x00000000008EE000-memory.dmp

Filesize
248KB

Download
memory/628-43-0x0000000007CE0000-0x0000000008284000-memory.dmp

Filesize
5.6MB

Download
memory/628-44-0x0000000007730000-0x00000000077C2000-memory.dmp

Filesize
584KB

Download
memory/628-46-0x00000000088B0000-0x0000000008EC8000-memory.dmp

Filesize
6.1MB

Download
memory/628-47-0x0000000007A30000-0x0000000007B3A000-memory.dmp

Filesize
1.0MB

Download
memory/628-48-0x0000000005330000-0x0000000005342000-memory.dmp

Filesize
72KB

Download
memory/628-49-0x0000000007920000-0x000000000795C000-memory.dmp

Filesize
240KB

Download
memory/628-50-0x0000000007960000-0x00000000079AC000-memory.dmp

Filesize
304KB

Download
memory/1332-38-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1332-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1332-35-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download