mystic | a44d7397ca2486a37cfbc6cd473037b204a5fe4678303dd2f187c814c85f25db

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 17:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e8bf7b5c22a787af15a42638894b8f1eccc3320134f42f09939f4932df0cc796.exe
Size

1.2MB
MD5

ed974ae3de86c69a6f5c807463948ccb
SHA1

769f8bd5816eed350070769627d06525f76f12f8
SHA256

e8bf7b5c22a787af15a42638894b8f1eccc3320134f42f09939f4932df0cc796
SHA512

36e359c4e8003aa0cb67c86c9726672746d9f8183e8dc02a8d66f6c3368a9d395c04e381c5d1c2c51bdc6f7264dfb29e6736513c1538717218e2c4eef37a5708
SSDEEP

24576:fyeUyRGbDVQC1PTwuV1ceIL7iVJp81sv7xl5of92:qouCCtTwuV1e7ibplCf

Score

10^/10

mystic redline gigant infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

gigant

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 3 IoCs

Processes:

resource	yara_rule
behavioral19/memory/4612-35-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral19/memory/4612-38-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral19/memory/4612-36-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2jm787uT.exe	family_redline
behavioral19/memory/640-42-0x0000000000A70000-0x0000000000AAE000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

Processes:

ez7qH7Hl.exeKZ5Cj4UV.exeTu1gZ7Ae.exeLB6Oj5xu.exe1nC21jB0.exe2jm787uT.exe

pid process

232 ez7qH7Hl.exe
5064 KZ5Cj4UV.exe
2096 Tu1gZ7Ae.exe
4420 LB6Oj5xu.exe
3464 1nC21jB0.exe
640 2jm787uT.exe

pid	process
232	ez7qH7Hl.exe
5064	KZ5Cj4UV.exe
2096	Tu1gZ7Ae.exe
4420	LB6Oj5xu.exe
3464	1nC21jB0.exe
640	2jm787uT.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

e8bf7b5c22a787af15a42638894b8f1eccc3320134f42f09939f4932df0cc796.exeez7qH7Hl.exeKZ5Cj4UV.exeTu1gZ7Ae.exeLB6Oj5xu.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e8bf7b5c22a787af15a42638894b8f1eccc3320134f42f09939f4932df0cc796.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	ez7qH7Hl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	KZ5Cj4UV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	Tu1gZ7Ae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	LB6Oj5xu.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

1nC21jB0.exe

description pid process target process

PID 3464 set thread context of 4612 3464 1nC21jB0.exe AppLaunch.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1040 3464 WerFault.exe 1nC21jB0.exe

description	pid	process	target process
PID 3464 set thread context of 4612	3464	1nC21jB0.exe	AppLaunch.exe

pid	pid_target	process	target process
1040	3464	WerFault.exe	1nC21jB0.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

e8bf7b5c22a787af15a42638894b8f1eccc3320134f42f09939f4932df0cc796.exeez7qH7Hl.exeKZ5Cj4UV.exeTu1gZ7Ae.exeLB6Oj5xu.exe1nC21jB0.exe

description	pid	process	target process
PID 3544 wrote to memory of 232	3544	e8bf7b5c22a787af15a42638894b8f1eccc3320134f42f09939f4932df0cc796.exe	ez7qH7Hl.exe
PID 3544 wrote to memory of 232	3544	e8bf7b5c22a787af15a42638894b8f1eccc3320134f42f09939f4932df0cc796.exe	ez7qH7Hl.exe
PID 3544 wrote to memory of 232	3544	e8bf7b5c22a787af15a42638894b8f1eccc3320134f42f09939f4932df0cc796.exe	ez7qH7Hl.exe
PID 232 wrote to memory of 5064	232	ez7qH7Hl.exe	KZ5Cj4UV.exe
PID 232 wrote to memory of 5064	232	ez7qH7Hl.exe	KZ5Cj4UV.exe
PID 232 wrote to memory of 5064	232	ez7qH7Hl.exe	KZ5Cj4UV.exe
PID 5064 wrote to memory of 2096	5064	KZ5Cj4UV.exe	Tu1gZ7Ae.exe
PID 5064 wrote to memory of 2096	5064	KZ5Cj4UV.exe	Tu1gZ7Ae.exe
PID 5064 wrote to memory of 2096	5064	KZ5Cj4UV.exe	Tu1gZ7Ae.exe
PID 2096 wrote to memory of 4420	2096	Tu1gZ7Ae.exe	LB6Oj5xu.exe
PID 2096 wrote to memory of 4420	2096	Tu1gZ7Ae.exe	LB6Oj5xu.exe
PID 2096 wrote to memory of 4420	2096	Tu1gZ7Ae.exe	LB6Oj5xu.exe
PID 4420 wrote to memory of 3464	4420	LB6Oj5xu.exe	1nC21jB0.exe
PID 4420 wrote to memory of 3464	4420	LB6Oj5xu.exe	1nC21jB0.exe
PID 4420 wrote to memory of 3464	4420	LB6Oj5xu.exe	1nC21jB0.exe
PID 3464 wrote to memory of 4612	3464	1nC21jB0.exe	AppLaunch.exe
PID 3464 wrote to memory of 4612	3464	1nC21jB0.exe	AppLaunch.exe
PID 3464 wrote to memory of 4612	3464	1nC21jB0.exe	AppLaunch.exe
PID 3464 wrote to memory of 4612	3464	1nC21jB0.exe	AppLaunch.exe
PID 3464 wrote to memory of 4612	3464	1nC21jB0.exe	AppLaunch.exe
PID 3464 wrote to memory of 4612	3464	1nC21jB0.exe	AppLaunch.exe
PID 3464 wrote to memory of 4612	3464	1nC21jB0.exe	AppLaunch.exe
PID 3464 wrote to memory of 4612	3464	1nC21jB0.exe	AppLaunch.exe
PID 3464 wrote to memory of 4612	3464	1nC21jB0.exe	AppLaunch.exe
PID 3464 wrote to memory of 4612	3464	1nC21jB0.exe	AppLaunch.exe
PID 4420 wrote to memory of 640	4420	LB6Oj5xu.exe	2jm787uT.exe
PID 4420 wrote to memory of 640	4420	LB6Oj5xu.exe	2jm787uT.exe
PID 4420 wrote to memory of 640	4420	LB6Oj5xu.exe	2jm787uT.exe

C:\Users\Admin\AppData\Local\Temp\e8bf7b5c22a787af15a42638894b8f1eccc3320134f42f09939f4932df0cc796.exe
"C:\Users\Admin\AppData\Local\Temp\e8bf7b5c22a787af15a42638894b8f1eccc3320134f42f09939f4932df0cc796.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3544

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ez7qH7Hl.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ez7qH7Hl.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:232

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\KZ5Cj4UV.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\KZ5Cj4UV.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5064

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Tu1gZ7Ae.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Tu1gZ7Ae.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2096

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\LB6Oj5xu.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\LB6Oj5xu.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4420

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1nC21jB0.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1nC21jB0.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3464

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
PID:4612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3464 -s 596
7⤵
- Program crash
PID:1040

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2jm787uT.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2jm787uT.exe
6⤵
- Executes dropped EXE
PID:640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3464 -ip 3464
1⤵
PID:5044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ez7qH7Hl.exe
Filesize
1.0MB

MD5
b7082bd6ffbd108facae7a48c0ee3288

SHA1
32b654e2bb9dfab58479b09fe338ff88873a0725

SHA256
305fedb6ded7251e991835d640652072ad971465935386335c8a12c846c895fb

SHA512
69abe778489e2b84262a141e3e414812fcd5365957ab70a31f87107fe3a8fd779da31d9598963f822a10b661eb02bbb8ba1b4c68456b503ea3c4bb4d407ce762

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\KZ5Cj4UV.exe
Filesize
884KB

MD5
8ba63232d9e9bb04767bb158c234ec3d

SHA1
d7e1aaf252796fa97b942ec16111249e15927491

SHA256
7ef92e3c87f4a2074a2cba8ba4bc7275b6ce070e182eb5647ead3ededeae7718

SHA512
8d4cb571c6ccd1bad09dddf78b4b4e557e5e92745a101a8e80bab5c050dea536b9246aedd584210f5b42a873846a2ec54f5ee3db2519783c8224234bddbabd24

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Tu1gZ7Ae.exe
Filesize
590KB

MD5
2adfbdff71a6b437129e88d5fe05acfc

SHA1
e8b46ba22a6986f2242fbd7acc3ab5ca1753d622

SHA256
2693ed0e12f978d06aebb89cc23ed483902ae40330ba2c3e8d219896b93bd2b3

SHA512
dbc78c802c1ece32c1f28a078bb53c00bba66aa7c5ed60761ffe462d98867393866b39a93dc2301730cb2d8e2c6593d48a60258b74b9e52a30add34e42d374ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\LB6Oj5xu.exe
Filesize
417KB

MD5
759eff040727f8b3c3c7030fd6a8e9dd

SHA1
39db7a440be528b329066b9a64f30902143b715d

SHA256
9c99a7b55895d236cf1659d937cd34bb9045cf8e477b8904619e25d04ade9d9f

SHA512
fa4279e7011a2fac51059988422305fb8145edfbb61290779aa8657023258cde29e8aaefe4868c27534edfd21d5c62abdcf7803ea6563bb5288eb5d928bff1a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1nC21jB0.exe
Filesize
378KB

MD5
e1a5beaf63fbf2a3b7e2a718e79e005f

SHA1
67b6a43eb744d16a7acf2054e9cf112266ef69b1

SHA256
cea219782ac66dc7556943acd0da465ce591d75e8bf368a1323793604753cee8

SHA512
27f2a2223ffc2e961c5c1e1bf510df2fa9496868fb0643f8a04b7713767511dc887008253c84fa9e4b4bdb737d3f7dd7ba9a2ac7e5ad26302164890d770d21c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2jm787uT.exe
Filesize
231KB

MD5
406c34ff6a8b7c77cb8c7eae9b3c93fb

SHA1
21e8948cdae257fc32a8f5c1ed867d865e7738ae

SHA256
e33329291b25a0544bb2ea12f9af925bc8dfab946cc92b105a372c8cf1b4dfb0

SHA512
b1c1c6355d840189312633253f7436a7f2536d590256498f62ff68c26a537ce4f85e8d5af167d9d26bb5c59f12e932729daa3c3fefbce806e22bc9648749c6f7

Download Submit
memory/640-42-0x0000000000A70000-0x0000000000AAE000-memory.dmp

Filesize
248KB

Download
memory/640-43-0x0000000007D50000-0x00000000082F4000-memory.dmp

Filesize
5.6MB

Download
memory/640-44-0x0000000007840000-0x00000000078D2000-memory.dmp

Filesize
584KB

Download
memory/640-45-0x0000000002CA0000-0x0000000002CAA000-memory.dmp

Filesize
40KB

Download
memory/640-46-0x0000000008920000-0x0000000008F38000-memory.dmp

Filesize
6.1MB

Download
memory/640-47-0x0000000007B30000-0x0000000007C3A000-memory.dmp

Filesize
1.0MB

Download
memory/640-48-0x0000000007A40000-0x0000000007A52000-memory.dmp

Filesize
72KB

Download
memory/640-49-0x0000000007AA0000-0x0000000007ADC000-memory.dmp

Filesize
240KB

Download
memory/640-50-0x0000000007AE0000-0x0000000007B2C000-memory.dmp

Filesize
304KB

Download
memory/4612-38-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4612-36-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4612-35-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download