mystic | a44d7397ca2486a37cfbc6cd473037b204a5fe4678303dd2f187c814c85f25db

Analysis

max time kernel
138s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 17:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7618ddb9e4a4f8eb9facccaca5f824467c35a2b211a133dc5f4f30148b77b907.exe
Size

272KB
MD5

37f45e7cc0fd688aa2cb32a549382d90
SHA1

c614ff464123a61ebe7c78f22dae2109b30be772
SHA256

7618ddb9e4a4f8eb9facccaca5f824467c35a2b211a133dc5f4f30148b77b907
SHA512

9c63e2f401ce2bded0f7f21d4cad2959cec78863ea007b9b92112633659938fc8f404a2fa07c88d7fd6e76645d0acb627914f34b1a36fc93e652cff67dc9b925
SSDEEP

6144:KMy+bnr+ip0yN90QEEdTwoe7P0PF+BR4OjfARI/S:0MrWy902w9L0iR4usUS

Score

10^/10

mystic redline moner infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

moner

77.91.124.82:19071

Attributes

auth_value
a94cd9e01643e1945b296c28a2f28707

Signatures

Detect Mystic stealer payload 1 IoCs

resource	yara_rule
behavioral6/files/0x0008000000023455-5.dat	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral6/files/0x0007000000023456-8.dat	family_redline
behavioral6/memory/2020-11-0x0000000000DE0000-0x0000000000E10000-memory.dmp	family_redline

Executes dropped EXE 2 IoCs

pid	Process
4844	m0242086.exe
2020	n3811759.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	7618ddb9e4a4f8eb9facccaca5f824467c35a2b211a133dc5f4f30148b77b907.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3868 wrote to memory of 4844	3868	7618ddb9e4a4f8eb9facccaca5f824467c35a2b211a133dc5f4f30148b77b907.exe	85
PID 3868 wrote to memory of 4844	3868	7618ddb9e4a4f8eb9facccaca5f824467c35a2b211a133dc5f4f30148b77b907.exe	85
PID 3868 wrote to memory of 4844	3868	7618ddb9e4a4f8eb9facccaca5f824467c35a2b211a133dc5f4f30148b77b907.exe	85
PID 3868 wrote to memory of 2020	3868	7618ddb9e4a4f8eb9facccaca5f824467c35a2b211a133dc5f4f30148b77b907.exe	86
PID 3868 wrote to memory of 2020	3868	7618ddb9e4a4f8eb9facccaca5f824467c35a2b211a133dc5f4f30148b77b907.exe	86
PID 3868 wrote to memory of 2020	3868	7618ddb9e4a4f8eb9facccaca5f824467c35a2b211a133dc5f4f30148b77b907.exe	86

C:\Users\Admin\AppData\Local\Temp\7618ddb9e4a4f8eb9facccaca5f824467c35a2b211a133dc5f4f30148b77b907.exe
"C:\Users\Admin\AppData\Local\Temp\7618ddb9e4a4f8eb9facccaca5f824467c35a2b211a133dc5f4f30148b77b907.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3868
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m0242086.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m0242086.exe
  2⤵
  - Executes dropped EXE
  PID:4844
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n3811759.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n3811759.exe
  2⤵
  - Executes dropped EXE
  PID:2020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m0242086.exe

Filesize
140KB

MD5
6339e999e26188d1bd02f3fdb3b8ced9

SHA1
ab12889c86b43a23e9f740456044502f7e51b7e1

SHA256
833828ea6d418e432258ddbacbc09dcdc29d7a10996235ed7c5e0dae93f6c6ba

SHA512
9b88fe24abfc706eb1aebd6dbc0a91f4d78237b1c2280683653ac4f28c30d5957d72311d3e346e295c4252eb59b40d3649c4af3bc100b99ffce78f259d28a1c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n3811759.exe

Filesize
174KB

MD5
330abaedf21dac290a125211597da538

SHA1
5fd999e353472d1f405a9f98c1946b45a87e1028

SHA256
0ea9d64ac078f7243e6fdedc8ed488ff2678667a674d2d523b7d9b5cba75155e

SHA512
d61f4feecebc34c3c689d6848fb307ebdc3257fbd957794a292e8dff3690bfdef65b74d64c920c9a2f7351767d52bba725b4f280bb66e0c3c03c6af98dedf41d

Download Submit
memory/2020-10-0x000000007479E000-0x000000007479F000-memory.dmp

Filesize
4KB

Download
memory/2020-11-0x0000000000DE0000-0x0000000000E10000-memory.dmp

Filesize
192KB

Download
memory/2020-12-0x0000000003030000-0x0000000003036000-memory.dmp

Filesize
24KB

Download
memory/2020-13-0x000000000B120000-0x000000000B738000-memory.dmp

Filesize
6.1MB

Download
memory/2020-14-0x000000000AC50000-0x000000000AD5A000-memory.dmp

Filesize
1.0MB

Download
memory/2020-15-0x000000000AB90000-0x000000000ABA2000-memory.dmp

Filesize
72KB

Download
memory/2020-17-0x0000000074790000-0x0000000074F40000-memory.dmp

Filesize
7.7MB

Download
memory/2020-16-0x000000000ABF0000-0x000000000AC2C000-memory.dmp

Filesize
240KB

Download
memory/2020-18-0x0000000002F50000-0x0000000002F9C000-memory.dmp

Filesize
304KB

Download
memory/2020-19-0x000000007479E000-0x000000007479F000-memory.dmp

Filesize
4KB

Download
memory/2020-20-0x0000000074790000-0x0000000074F40000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads