mystic | a44d7397ca2486a37cfbc6cd473037b204a5fe4678303dd2f187c814c85f25db

Analysis

max time kernel
145s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 17:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d63c4114c36e73dd975c0cc4a3dc67316e090266f64cd492ec17a7dabcdbe686.exe
Size

396KB
MD5

e7d5f8175739a99197745f7d356e9f03
SHA1

85e5e78ec7d4751ed9e445e6792d3d2535d98f73
SHA256

d63c4114c36e73dd975c0cc4a3dc67316e090266f64cd492ec17a7dabcdbe686
SHA512

c26a167ebbcbc8f512bda727eaf50c4053125749e756009f61295d654249241713e024d3f6fa3fa9d7fdc9fb0b1df1212a765ab528b64a05cd77648b6c5c6c25
SSDEEP

6144:KGy+bnr+Fp0yN90QEukMJOlJbl/txy9ebMWv/i0OWRTlsgf3VwWxg/tA0FRVz1hL:GMrNy90s9JOn5qO7DxRGEFr6ZhEjfbO

Score

10^/10

mystic redline kukish infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kukish

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral12/memory/2996-7-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral12/memory/2996-9-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral12/memory/2996-11-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral12/memory/2996-8-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral12/files/0x0007000000023444-14.dat	family_redline
behavioral12/memory/4036-16-0x0000000000E00000-0x0000000000E3E000-memory.dmp	family_redline

Executes dropped EXE 2 IoCs

pid	Process
2216	1sJ49TU3.exe
4036	2Lt249rl.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	d63c4114c36e73dd975c0cc4a3dc67316e090266f64cd492ec17a7dabcdbe686.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2216 set thread context of 2996	2216	1sJ49TU3.exe	86

Program crash 1 IoCs

pid	pid_target	Process	procid_target
664	2996	WerFault.exe	86

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 4720 wrote to memory of 2216	4720	d63c4114c36e73dd975c0cc4a3dc67316e090266f64cd492ec17a7dabcdbe686.exe	84
PID 4720 wrote to memory of 2216	4720	d63c4114c36e73dd975c0cc4a3dc67316e090266f64cd492ec17a7dabcdbe686.exe	84
PID 4720 wrote to memory of 2216	4720	d63c4114c36e73dd975c0cc4a3dc67316e090266f64cd492ec17a7dabcdbe686.exe	84
PID 2216 wrote to memory of 1324	2216	1sJ49TU3.exe	85
PID 2216 wrote to memory of 1324	2216	1sJ49TU3.exe	85
PID 2216 wrote to memory of 1324	2216	1sJ49TU3.exe	85
PID 2216 wrote to memory of 2996	2216	1sJ49TU3.exe	86
PID 2216 wrote to memory of 2996	2216	1sJ49TU3.exe	86
PID 2216 wrote to memory of 2996	2216	1sJ49TU3.exe	86
PID 2216 wrote to memory of 2996	2216	1sJ49TU3.exe	86
PID 2216 wrote to memory of 2996	2216	1sJ49TU3.exe	86
PID 2216 wrote to memory of 2996	2216	1sJ49TU3.exe	86
PID 2216 wrote to memory of 2996	2216	1sJ49TU3.exe	86
PID 2216 wrote to memory of 2996	2216	1sJ49TU3.exe	86
PID 2216 wrote to memory of 2996	2216	1sJ49TU3.exe	86
PID 2216 wrote to memory of 2996	2216	1sJ49TU3.exe	86
PID 4720 wrote to memory of 4036	4720	d63c4114c36e73dd975c0cc4a3dc67316e090266f64cd492ec17a7dabcdbe686.exe	87
PID 4720 wrote to memory of 4036	4720	d63c4114c36e73dd975c0cc4a3dc67316e090266f64cd492ec17a7dabcdbe686.exe	87
PID 4720 wrote to memory of 4036	4720	d63c4114c36e73dd975c0cc4a3dc67316e090266f64cd492ec17a7dabcdbe686.exe	87

C:\Users\Admin\AppData\Local\Temp\d63c4114c36e73dd975c0cc4a3dc67316e090266f64cd492ec17a7dabcdbe686.exe
"C:\Users\Admin\AppData\Local\Temp\d63c4114c36e73dd975c0cc4a3dc67316e090266f64cd492ec17a7dabcdbe686.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4720
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1sJ49TU3.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1sJ49TU3.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2216
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:1324
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:2996
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2996 -s 540
      4⤵
      Program crash
      PID:664
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2Lt249rl.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2Lt249rl.exe
  2⤵
  - Executes dropped EXE
  PID:4036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2996 -ip 2996
1⤵
PID:2624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1sJ49TU3.exe

Filesize
314KB

MD5
1378c28be7212b4d9a5ce3b8eecba1fc

SHA1
e373e5f67d97fea1affaaabc1547901a445bcc08

SHA256
3fd9d98850a9a3537436ff29ae6b1664971fc529f417d7bde93741c9edeceff7

SHA512
e4a70667f9fcd1baed825c452b98036a3070dc7b86af1e1a2edf1f7b821ae5864979d1e22bf6f2b4eecc6ed1e9a4aff15e2f2b59b3329f49944b8de7a3ba65ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2Lt249rl.exe

Filesize
222KB

MD5
28f02d65eb597418f8ce81109dc56639

SHA1
13ce97487ac0d894dfebd1c877ca03089b309587

SHA256
18f80fff5cbe91b4cd865cbffc873da356221c000a05b348e3cc302ebdc281c2

SHA512
2ccbe86450012c666ea24c0f58fa0a5c3aa7328ebe622f800f85cc09942ff03b70696e8f97c7a5799dcaabee45b1e4758835c29552bc7a8aec031eebdfef884b

Download Submit
memory/2996-7-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2996-9-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2996-11-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2996-8-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4036-17-0x00000000080F0000-0x0000000008694000-memory.dmp

Filesize
5.6MB

Download
memory/4036-16-0x0000000000E00000-0x0000000000E3E000-memory.dmp

Filesize
248KB

Download
memory/4036-15-0x000000007479E000-0x000000007479F000-memory.dmp

Filesize
4KB

Download
memory/4036-18-0x0000000007C20000-0x0000000007CB2000-memory.dmp

Filesize
584KB

Download
memory/4036-19-0x0000000003070000-0x000000000307A000-memory.dmp

Filesize
40KB

Download
memory/4036-20-0x0000000074790000-0x0000000074F40000-memory.dmp

Filesize
7.7MB

Download
memory/4036-21-0x0000000008CC0000-0x00000000092D8000-memory.dmp

Filesize
6.1MB

Download
memory/4036-22-0x00000000086A0000-0x00000000087AA000-memory.dmp

Filesize
1.0MB

Download
memory/4036-23-0x0000000007DF0000-0x0000000007E02000-memory.dmp

Filesize
72KB

Download
memory/4036-24-0x0000000007F80000-0x0000000007FBC000-memory.dmp

Filesize
240KB

Download
memory/4036-25-0x0000000007E20000-0x0000000007E6C000-memory.dmp

Filesize
304KB

Download
memory/4036-26-0x000000007479E000-0x000000007479F000-memory.dmp

Filesize
4KB

Download
memory/4036-27-0x0000000074790000-0x0000000074F40000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads