mystic | e660be79de0932d6c5c0f1b65dc5d842ed790962625d5dd8731c30f46ae264a2

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 10:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

84d690a678e5c3055ce0a83992c921f35e5bf7b165506a695de85c34cf7b138a.exe
Size

662KB
MD5

8df33ce8eb6e2fc9f9cd72481a3abf11
SHA1

5a41106311300a7cf84d02ea3692a9eab1dddbbe
SHA256

84d690a678e5c3055ce0a83992c921f35e5bf7b165506a695de85c34cf7b138a
SHA512

6cb9024a6b69ec9a4a7b0a6f563b61cdb081a16932a1485028ba3209d2a66adef0dc8d7789133f6bb7d88b7ee93d68dd83e875adb85a5d5eb4e14a7776497fe5
SSDEEP

12288:3MrEy90XWNlckmX5WMBu4F4SPzNIoPdH8Xkfg+PcWFNqM4tZpcn4sUAha:Dy+SlcwALWk5VHVfVPcqcMKpcn4sUv

Score

10^/10

mystic redline virad infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

virad

77.91.124.82:19071

Attributes

auth_value
434dd63619ca8bbf10125913fb40ca28

Signatures

Detect Mystic stealer payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m0271660.exe	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n7981435.exe	family_redline
behavioral20/memory/4200-24-0x0000000000160000-0x0000000000190000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

Processes:

y6415248.exey0098848.exem0271660.exen7981435.exe

pid process

4040 y6415248.exe
1288 y0098848.exe
996 m0271660.exe
4200 n7981435.exe

pid	process
4040	y6415248.exe
1288	y0098848.exe
996	m0271660.exe
4200	n7981435.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

84d690a678e5c3055ce0a83992c921f35e5bf7b165506a695de85c34cf7b138a.exey6415248.exey0098848.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	84d690a678e5c3055ce0a83992c921f35e5bf7b165506a695de85c34cf7b138a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y6415248.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y0098848.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

84d690a678e5c3055ce0a83992c921f35e5bf7b165506a695de85c34cf7b138a.exey6415248.exey0098848.exe

description	pid	process	target process
PID 1736 wrote to memory of 4040	1736	84d690a678e5c3055ce0a83992c921f35e5bf7b165506a695de85c34cf7b138a.exe	y6415248.exe
PID 1736 wrote to memory of 4040	1736	84d690a678e5c3055ce0a83992c921f35e5bf7b165506a695de85c34cf7b138a.exe	y6415248.exe
PID 1736 wrote to memory of 4040	1736	84d690a678e5c3055ce0a83992c921f35e5bf7b165506a695de85c34cf7b138a.exe	y6415248.exe
PID 4040 wrote to memory of 1288	4040	y6415248.exe	y0098848.exe
PID 4040 wrote to memory of 1288	4040	y6415248.exe	y0098848.exe
PID 4040 wrote to memory of 1288	4040	y6415248.exe	y0098848.exe
PID 1288 wrote to memory of 996	1288	y0098848.exe	m0271660.exe
PID 1288 wrote to memory of 996	1288	y0098848.exe	m0271660.exe
PID 1288 wrote to memory of 996	1288	y0098848.exe	m0271660.exe
PID 1288 wrote to memory of 4200	1288	y0098848.exe	n7981435.exe
PID 1288 wrote to memory of 4200	1288	y0098848.exe	n7981435.exe
PID 1288 wrote to memory of 4200	1288	y0098848.exe	n7981435.exe

C:\Users\Admin\AppData\Local\Temp\84d690a678e5c3055ce0a83992c921f35e5bf7b165506a695de85c34cf7b138a.exe
"C:\Users\Admin\AppData\Local\Temp\84d690a678e5c3055ce0a83992c921f35e5bf7b165506a695de85c34cf7b138a.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1736
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6415248.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6415248.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4040
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0098848.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0098848.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1288
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m0271660.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m0271660.exe
      4⤵
      Executes dropped EXE
      PID:996
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n7981435.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n7981435.exe
      4⤵
      Executes dropped EXE
      PID:4200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6415248.exe

Filesize
560KB

MD5
ae230ea20027c49298e8e6670dfeb568

SHA1
cab226cfda86f2a8f422497ad5169e301e8a4896

SHA256
2569feb3f137ce2278a5204badab017425bb9f37d5cff3731b68f3ff8ab8ba44

SHA512
01a49ddcaa4748dc19bb4f72e1b10bb56fdf9661721e715c5f3141dc52c409fd1175e839df3711d39594bdd33312bad459ff0f256dbca1c6fadf3cd0907a1147

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0098848.exe

Filesize
271KB

MD5
d86f0dafd6f4e5fa634fd26531efc46c

SHA1
811fd79dfc694928a12da8cd8b64df6a60357539

SHA256
6dfb7afc98c664835070ab9679f4b82763f5e6e0495e361e0a3c392c81672886

SHA512
379ada350eb55d02767b5c1e47b68d908ecac0f5f0d3655dddd59240e0847b206e1f5ecf5919592093907de28cb97477edeb98da72b10c51134aa552bfc3a3ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m0271660.exe

Filesize
141KB

MD5
7fb482226b7c4074ff0f4bfb921d4e15

SHA1
983cfb3854722dee5e625bc0ca172e680dbfac26

SHA256
b37c58f57003a505c20286c9306f1fb6f9876f1e2c74a42b679055155c9664da

SHA512
a8742a8123bda91b81b0e8c72d3dca3d7e56979d8967b1ed5f714e6d04d4c24f3b2e9fcfc064e6a29154eef80ea77896e612e055bdc5337876e77a511120425a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n7981435.exe

Filesize
175KB

MD5
92d6a2cef0880a1828b679b5acf57056

SHA1
039eda30884efd4be194a8b0febf0300e22d3f03

SHA256
ef3f11dc7432443c964ff0991abab69787cfa23af793fc0dfb55c3cc943c5aa2

SHA512
a70b81aacc1400c4d3d680e3f10160c60043f2ea96f85c43c91c9bcdd578fe581639d854eb465af9002e0ee371c3319b8b8ac456d48f1879256691fe4f16589d

Download Submit
memory/4200-24-0x0000000000160000-0x0000000000190000-memory.dmp

Filesize
192KB

Download
memory/4200-25-0x0000000004A80000-0x0000000004A86000-memory.dmp

Filesize
24KB

Download
memory/4200-26-0x000000000A590000-0x000000000ABA8000-memory.dmp

Filesize
6.1MB

Download
memory/4200-27-0x000000000A110000-0x000000000A21A000-memory.dmp

Filesize
1.0MB

Download
memory/4200-28-0x000000000A050000-0x000000000A062000-memory.dmp

Filesize
72KB

Download
memory/4200-29-0x000000000A0B0000-0x000000000A0EC000-memory.dmp

Filesize
240KB

Download
memory/4200-30-0x0000000002310000-0x000000000235C000-memory.dmp

Filesize
304KB

Download