mystic | a44d7397ca2486a37cfbc6cd473037b204a5fe4678303dd2f187c814c85f25db

Analysis

max time kernel
149s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 17:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5f94dabf691f3432b26ad16c1f7ecb24292db785b9562faeb1131ea9306e6a6d.exe
Size

1.2MB
MD5

afec0a32010542d6eef2c43f978d401b
SHA1

a0024019ef66f21995cbc6957c32fcfde507a951
SHA256

5f94dabf691f3432b26ad16c1f7ecb24292db785b9562faeb1131ea9306e6a6d
SHA512

e005ddcb3b276dcf635ae96423f6d78b86bfe06febba57f3cb9fba0fc31f11002e9c20a1ae02e5c2bf6129cd08fa95f02c7c3db8608888b57aff802f57256d63
SSDEEP

24576:PyerYcveCuhO4DWmHJKjEZmmU4r+De38aPD/dLvJJXOMdJ:a4JvzeWmHJKA08rfsqFvJvd

Score

10^/10

mystic redline gigant infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

gigant

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 3 IoCs

Processes:

resource	yara_rule
behavioral3/memory/2672-35-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral3/memory/2672-38-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral3/memory/2672-36-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2kW114ny.exe	family_redline
behavioral3/memory/3748-42-0x0000000000A60000-0x0000000000A9E000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

Processes:

Ie5WI1xg.exeXH8Ks7qi.exehv4YD0gy.exeIi1ir6vd.exe1dq15SY9.exe2kW114ny.exe

pid process

60 Ie5WI1xg.exe
8 XH8Ks7qi.exe
2356 hv4YD0gy.exe
3276 Ii1ir6vd.exe
536 1dq15SY9.exe
3748 2kW114ny.exe

pid	process
60	Ie5WI1xg.exe
8	XH8Ks7qi.exe
2356	hv4YD0gy.exe
3276	Ii1ir6vd.exe
536	1dq15SY9.exe
3748	2kW114ny.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

hv4YD0gy.exeIi1ir6vd.exe5f94dabf691f3432b26ad16c1f7ecb24292db785b9562faeb1131ea9306e6a6d.exeIe5WI1xg.exeXH8Ks7qi.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	hv4YD0gy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	Ii1ir6vd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5f94dabf691f3432b26ad16c1f7ecb24292db785b9562faeb1131ea9306e6a6d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Ie5WI1xg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	XH8Ks7qi.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

1dq15SY9.exe

description pid process target process

PID 536 set thread context of 2672 536 1dq15SY9.exe AppLaunch.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1232 536 WerFault.exe 1dq15SY9.exe

description	pid	process	target process
PID 536 set thread context of 2672	536	1dq15SY9.exe	AppLaunch.exe

pid	pid_target	process	target process
1232	536	WerFault.exe	1dq15SY9.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

5f94dabf691f3432b26ad16c1f7ecb24292db785b9562faeb1131ea9306e6a6d.exeIe5WI1xg.exeXH8Ks7qi.exehv4YD0gy.exeIi1ir6vd.exe1dq15SY9.exe

description	pid	process	target process
PID 4160 wrote to memory of 60	4160	5f94dabf691f3432b26ad16c1f7ecb24292db785b9562faeb1131ea9306e6a6d.exe	Ie5WI1xg.exe
PID 4160 wrote to memory of 60	4160	5f94dabf691f3432b26ad16c1f7ecb24292db785b9562faeb1131ea9306e6a6d.exe	Ie5WI1xg.exe
PID 4160 wrote to memory of 60	4160	5f94dabf691f3432b26ad16c1f7ecb24292db785b9562faeb1131ea9306e6a6d.exe	Ie5WI1xg.exe
PID 60 wrote to memory of 8	60	Ie5WI1xg.exe	XH8Ks7qi.exe
PID 60 wrote to memory of 8	60	Ie5WI1xg.exe	XH8Ks7qi.exe
PID 60 wrote to memory of 8	60	Ie5WI1xg.exe	XH8Ks7qi.exe
PID 8 wrote to memory of 2356	8	XH8Ks7qi.exe	hv4YD0gy.exe
PID 8 wrote to memory of 2356	8	XH8Ks7qi.exe	hv4YD0gy.exe
PID 8 wrote to memory of 2356	8	XH8Ks7qi.exe	hv4YD0gy.exe
PID 2356 wrote to memory of 3276	2356	hv4YD0gy.exe	Ii1ir6vd.exe
PID 2356 wrote to memory of 3276	2356	hv4YD0gy.exe	Ii1ir6vd.exe
PID 2356 wrote to memory of 3276	2356	hv4YD0gy.exe	Ii1ir6vd.exe
PID 3276 wrote to memory of 536	3276	Ii1ir6vd.exe	1dq15SY9.exe
PID 3276 wrote to memory of 536	3276	Ii1ir6vd.exe	1dq15SY9.exe
PID 3276 wrote to memory of 536	3276	Ii1ir6vd.exe	1dq15SY9.exe
PID 536 wrote to memory of 2672	536	1dq15SY9.exe	AppLaunch.exe
PID 536 wrote to memory of 2672	536	1dq15SY9.exe	AppLaunch.exe
PID 536 wrote to memory of 2672	536	1dq15SY9.exe	AppLaunch.exe
PID 536 wrote to memory of 2672	536	1dq15SY9.exe	AppLaunch.exe
PID 536 wrote to memory of 2672	536	1dq15SY9.exe	AppLaunch.exe
PID 536 wrote to memory of 2672	536	1dq15SY9.exe	AppLaunch.exe
PID 536 wrote to memory of 2672	536	1dq15SY9.exe	AppLaunch.exe
PID 536 wrote to memory of 2672	536	1dq15SY9.exe	AppLaunch.exe
PID 536 wrote to memory of 2672	536	1dq15SY9.exe	AppLaunch.exe
PID 536 wrote to memory of 2672	536	1dq15SY9.exe	AppLaunch.exe
PID 3276 wrote to memory of 3748	3276	Ii1ir6vd.exe	2kW114ny.exe
PID 3276 wrote to memory of 3748	3276	Ii1ir6vd.exe	2kW114ny.exe
PID 3276 wrote to memory of 3748	3276	Ii1ir6vd.exe	2kW114ny.exe

C:\Users\Admin\AppData\Local\Temp\5f94dabf691f3432b26ad16c1f7ecb24292db785b9562faeb1131ea9306e6a6d.exe
"C:\Users\Admin\AppData\Local\Temp\5f94dabf691f3432b26ad16c1f7ecb24292db785b9562faeb1131ea9306e6a6d.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4160
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ie5WI1xg.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ie5WI1xg.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:60
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\XH8Ks7qi.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\XH8Ks7qi.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:8
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\hv4YD0gy.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\hv4YD0gy.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2356
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ii1ir6vd.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ii1ir6vd.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:3276
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1dq15SY9.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1dq15SY9.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:536
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 536 -s 152
        7⤵
        Program crash
        
        PID:1232
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2kW114ny.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2kW114ny.exe
        6⤵
        Executes dropped EXE
        
        PID:3748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 536 -ip 536
1⤵
PID:4040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ie5WI1xg.exe

Filesize
1.0MB

MD5
29e5166714861916d6928fa82a3eb914

SHA1
bf5b4f5c3a7633098ae024ba5e5b5d22df722874

SHA256
7fa3dd3690cf75ed676fc07c8547923658d76679a824e982bb3e8ed6e28774c4

SHA512
291df911e2baf0dee7027e9a074110d872f73874b6e9de4edc1e8038177325f4a36936bd420caf5e1288443e7e0b2179204e1bbbbcde38b5c4007f3be568f20a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\XH8Ks7qi.exe

Filesize
884KB

MD5
371da857c9eabeb754e39426063cafc4

SHA1
87b79ad5726d499946a208740ecf2d69dd331229

SHA256
a297abe360750e258587d0e4baaadc7aeb96a87a70d411c2f9b5146e1624007f

SHA512
d243612243513d67a5dd8b1bee1f56be80ffd7dc7759b773349413bf419200a64192bf08964b44cd6e9b754ff7190497d413a19fd2685df6db6799665bebdc3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\hv4YD0gy.exe

Filesize
590KB

MD5
b32810979fd7f8256d0c846b3acf50af

SHA1
7a59a94ef9094b9f4ffa67b582e6dbcc30ed559d

SHA256
6692c60f2483b5fe5c686259be2664a9c061c1033a95ed9b0675610d4ff12c5f

SHA512
c2f6825aecb9fe9068d461681514cc4f99d0a5d3ae3218affecfbeb84e10a4f01e9b38c2a8e5a03d5d70ad9db0b84f4610430b43359f2a9c842417ada33b8a41

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ii1ir6vd.exe

Filesize
417KB

MD5
3f2a41a75c7b5a327aa8c40b4a0a026c

SHA1
1bfdc49528320ac1d39b61ab28ff473c844488af

SHA256
f5282228634bac6da6f78d909a005f21551fd067bb8153009809b5114d52d616

SHA512
2286e87eff25b2053e5f7934bdb84f8cbdcbee3fa5b50ef33544a167fac0bddbb77d98b66326043320e13fca65a148ab300ec6e15c976b16f49ba1840dd6413a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1dq15SY9.exe

Filesize
378KB

MD5
c0ff76f293d1f3685ee33070e7fe3c5c

SHA1
0aa3d9025549e823e03933e5c7d3a09232395681

SHA256
8af785979292fb266052650af73c5a49df59cc8a7bdd1cc53a22978e4d72748c

SHA512
7fc9e3c22e984d66e59162f6395ff626c7bfec014817dcb06672e38c6024e2bdba429ffa77506bd79f6d3a5fb327438734b48e65d7135739e5acb9508ea9435d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2kW114ny.exe

Filesize
231KB

MD5
4c7e65161f26ed57ed3250c2c2b8557d

SHA1
577831d9f302f9272c0dda85046925b286bf02b9

SHA256
0a6e29af91adc9c581159e52b46a9a0efb6cb87ea5d0e78366b3919eb75ac358

SHA512
a98c6655b2c0c333ab19cae4a5f771a981a6e1b95b9405478fb8def4a7dcdb2aa95b2e73bf660976cd3918033f8ebc567f64e18de16a4545cf56c58c56406cf5

Download Submit
memory/2672-38-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2672-36-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2672-35-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3748-42-0x0000000000A60000-0x0000000000A9E000-memory.dmp

Filesize
248KB

Download
memory/3748-43-0x0000000007CF0000-0x0000000008294000-memory.dmp

Filesize
5.6MB

Download
memory/3748-44-0x0000000007820000-0x00000000078B2000-memory.dmp

Filesize
584KB

Download
memory/3748-45-0x0000000004E30000-0x0000000004E3A000-memory.dmp

Filesize
40KB

Download
memory/3748-46-0x00000000088C0000-0x0000000008ED8000-memory.dmp

Filesize
6.1MB

Download
memory/3748-47-0x0000000007B80000-0x0000000007C8A000-memory.dmp

Filesize
1.0MB

Download
memory/3748-48-0x0000000007A10000-0x0000000007A22000-memory.dmp

Filesize
72KB

Download
memory/3748-49-0x0000000007A70000-0x0000000007AAC000-memory.dmp

Filesize
240KB

Download
memory/3748-50-0x0000000007AB0000-0x0000000007AFC000-memory.dmp

Filesize
304KB

Download