mystic | e660be79de0932d6c5c0f1b65dc5d842ed790962625d5dd8731c30f46ae264a2

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 10:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b843b5d1795644ec9e6dd14071ee33ee66683585f07a6c89d61ec113d763d278.exe
Size

663KB
MD5

238b4b74881d18adce47b5f3aab7b845
SHA1

4cfbfff0dd0e1319883811ffeacf67630b321411
SHA256

b843b5d1795644ec9e6dd14071ee33ee66683585f07a6c89d61ec113d763d278
SHA512

a2c2810aa377570f4108027cf1da051bb8fa270731ee1945f34fe16b12da9fcf1192d89102e8e88f5c077249cd8504650b4a2ddc94a279c9a9a0b3750c153fb2
SSDEEP

12288:VMrKy90ePhiqUgy3QDdoUqNChDe2LB0SEwToQetkaO:ry3pik5mUCEWSFTo/q

Score

10^/10

mystic redline virad infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

virad

77.91.124.82:19071

Attributes

auth_value
434dd63619ca8bbf10125913fb40ca28

Signatures

Detect Mystic stealer payload 1 IoCs

resource	yara_rule
behavioral24/files/0x000800000002342b-19.dat	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral24/files/0x000700000002342c-22.dat	family_redline
behavioral24/memory/1840-24-0x00000000005A0000-0x00000000005D0000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

pid	Process
4400	y7416613.exe
2052	y8313359.exe
3444	m3627044.exe
1840	n8262525.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b843b5d1795644ec9e6dd14071ee33ee66683585f07a6c89d61ec113d763d278.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y7416613.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y8313359.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4480 wrote to memory of 4400	4480	b843b5d1795644ec9e6dd14071ee33ee66683585f07a6c89d61ec113d763d278.exe	83
PID 4480 wrote to memory of 4400	4480	b843b5d1795644ec9e6dd14071ee33ee66683585f07a6c89d61ec113d763d278.exe	83
PID 4480 wrote to memory of 4400	4480	b843b5d1795644ec9e6dd14071ee33ee66683585f07a6c89d61ec113d763d278.exe	83
PID 4400 wrote to memory of 2052	4400	y7416613.exe	84
PID 4400 wrote to memory of 2052	4400	y7416613.exe	84
PID 4400 wrote to memory of 2052	4400	y7416613.exe	84
PID 2052 wrote to memory of 3444	2052	y8313359.exe	85
PID 2052 wrote to memory of 3444	2052	y8313359.exe	85
PID 2052 wrote to memory of 3444	2052	y8313359.exe	85
PID 2052 wrote to memory of 1840	2052	y8313359.exe	86
PID 2052 wrote to memory of 1840	2052	y8313359.exe	86
PID 2052 wrote to memory of 1840	2052	y8313359.exe	86

C:\Users\Admin\AppData\Local\Temp\b843b5d1795644ec9e6dd14071ee33ee66683585f07a6c89d61ec113d763d278.exe
"C:\Users\Admin\AppData\Local\Temp\b843b5d1795644ec9e6dd14071ee33ee66683585f07a6c89d61ec113d763d278.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4480
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7416613.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7416613.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4400
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8313359.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8313359.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2052
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m3627044.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m3627044.exe
      4⤵
      Executes dropped EXE
      PID:3444
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n8262525.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n8262525.exe
      4⤵
      Executes dropped EXE
      PID:1840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7416613.exe

Filesize
561KB

MD5
c1df997e1d445498ba5f746c7d013959

SHA1
b797066507fb4e4180a8a10725132e4975e12b24

SHA256
cacea714da7f047fcb8bc72f403accb45247fedb6e3cdead10de5a3ec0e8d434

SHA512
934c93bcc8d7efecd5b3a9350cac85442ee46f6a054eb3536ac9cc8235925207083bede7844730daf2922f3b9ccc1d9a0ddcb82ceefddaa970650314cf735cd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8313359.exe

Filesize
271KB

MD5
a74374e6b693927c202c9b7506b455f0

SHA1
b95eb04372b2b8c3799a4fb357decda7e13e1237

SHA256
3d7c99673b8ce64eb0aab2659170c66a13159db31c4d183178754edb17ae005e

SHA512
7aab06c2556912f10763fc06956b22b66b9c913f6015bd635f8414dea95ad0e278b2d00fd247192ab6c32c02229b4ea811f48cb26d2851083fdd2b134070bf83

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m3627044.exe

Filesize
141KB

MD5
808430a643b86353862b05aa9f816ef1

SHA1
a60baf69ac79f2bdb850012b8d6ade2b62b12a50

SHA256
f4e3c353d94a4be2b1d34ba85a64d46b559cb24fbc8f7c21d0876b210a8f7342

SHA512
27b22f51e77e7b99cb688ecdc3327816ae494184ed6d057ffe43bac369563af72cbe99f270130ec0169ad025880cfc86e5c86423c2500150eceb9dabfc5f8da0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n8262525.exe

Filesize
175KB

MD5
979277eefe7e00fd3b7d0b4ee6d762de

SHA1
a3113802a6fd0fd3444c9506d53497dee413ead9

SHA256
79d1fd5f298cf546520404b7bf7800bf0a33f0edfb22343926c66b3fc90bf8c0

SHA512
2f27d53458e61fe252cab8b04654ff0849f08b6b372e306056a0ccdc3dcfa8a90c6b6b96ff9f6aa303bde99c3a56e075a1a7b45d7a033002541f28310b4e06c4

Download Submit
memory/1840-24-0x00000000005A0000-0x00000000005D0000-memory.dmp

Filesize
192KB

Download
memory/1840-25-0x0000000004EC0000-0x0000000004EC6000-memory.dmp

Filesize
24KB

Download
memory/1840-26-0x000000000A9F0000-0x000000000B008000-memory.dmp

Filesize
6.1MB

Download
memory/1840-27-0x000000000A550000-0x000000000A65A000-memory.dmp

Filesize
1.0MB

Download
memory/1840-28-0x000000000A490000-0x000000000A4A2000-memory.dmp

Filesize
72KB

Download
memory/1840-29-0x000000000A4F0000-0x000000000A52C000-memory.dmp

Filesize
240KB

Download
memory/1840-30-0x00000000048A0000-0x00000000048EC000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads