mystic | 1aa612c673e0e8506776c3b8740894f0947bb33bd7b5f22dc14212289801a024

Analysis

max time kernel
146s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 17:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6fd17debf93c6b9c9099ea8145bbb5ed0620fd59fc7ef7a3fe60decb9a2f2260.exe
Size

271KB
MD5

ff2aeb042bcd4a78ad38c3a8b8b52663
SHA1

9d792ac5d0197e75d2d3a447fe09c6ef9b6844d9
SHA256

6fd17debf93c6b9c9099ea8145bbb5ed0620fd59fc7ef7a3fe60decb9a2f2260
SHA512

49b5794c2919c707b0aaff299db25b1ec67fcda710283605dda2987289002b6197bfabb8be218349050d361a39f504a8a6123bbb186e7abbe5dc95bb2826773b
SSDEEP

6144:KSy+bnr+jp0yN90QEgd3Y9nG/kYihMT3xKr:yMrby90Gdo9nGqMzIr

Score

10^/10

mystic redline virad infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

virad

77.91.124.82:19071

Attributes

auth_value
434dd63619ca8bbf10125913fb40ca28

Signatures

Detect Mystic stealer payload 1 IoCs

resource	yara_rule
behavioral10/files/0x000800000002341a-5.dat	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral10/files/0x000700000002341b-8.dat	family_redline
behavioral10/memory/3184-11-0x00000000002B0000-0x00000000002E0000-memory.dmp	family_redline

Executes dropped EXE 2 IoCs

pid	Process
2636	m9057627.exe
3184	n1199733.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	6fd17debf93c6b9c9099ea8145bbb5ed0620fd59fc7ef7a3fe60decb9a2f2260.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1800 wrote to memory of 2636	1800	6fd17debf93c6b9c9099ea8145bbb5ed0620fd59fc7ef7a3fe60decb9a2f2260.exe	82
PID 1800 wrote to memory of 2636	1800	6fd17debf93c6b9c9099ea8145bbb5ed0620fd59fc7ef7a3fe60decb9a2f2260.exe	82
PID 1800 wrote to memory of 2636	1800	6fd17debf93c6b9c9099ea8145bbb5ed0620fd59fc7ef7a3fe60decb9a2f2260.exe	82
PID 1800 wrote to memory of 3184	1800	6fd17debf93c6b9c9099ea8145bbb5ed0620fd59fc7ef7a3fe60decb9a2f2260.exe	83
PID 1800 wrote to memory of 3184	1800	6fd17debf93c6b9c9099ea8145bbb5ed0620fd59fc7ef7a3fe60decb9a2f2260.exe	83
PID 1800 wrote to memory of 3184	1800	6fd17debf93c6b9c9099ea8145bbb5ed0620fd59fc7ef7a3fe60decb9a2f2260.exe	83

C:\Users\Admin\AppData\Local\Temp\6fd17debf93c6b9c9099ea8145bbb5ed0620fd59fc7ef7a3fe60decb9a2f2260.exe
"C:\Users\Admin\AppData\Local\Temp\6fd17debf93c6b9c9099ea8145bbb5ed0620fd59fc7ef7a3fe60decb9a2f2260.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1800
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m9057627.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m9057627.exe
  2⤵
  - Executes dropped EXE
  PID:2636
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n1199733.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n1199733.exe
  2⤵
  - Executes dropped EXE
  PID:3184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m9057627.exe

Filesize
140KB

MD5
bbd8320486923c843956fe944f1b224f

SHA1
e7630242d806b11a6773f44027e12012437eeaa1

SHA256
4ed69b506db3ef635f10d7769f0d72f72d6753d5407f71b80214548e5e8a2300

SHA512
effc63927b6f7251402254c085343c2e5288f2784980607cdb5727a2488aa65862616d1f2ce5026c7d824062c84e54c3c3d97eded1cef60fc9ba5f05ddce4f9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n1199733.exe

Filesize
174KB

MD5
2d9a254f7fdeca9c0a20a776927e18d8

SHA1
159fbe5e0986a2d806d5642bd26ffe7ad9913b7d

SHA256
37d7afc537cd2c84f1414e1755073e6fb42e5f944a27b470d013f4558d0a3c67

SHA512
a21891251ead547dcc9594cccb3cf21595c9a6d43fab1ce7a55954e35b6a58e361429e91d93c713d4eaa843c9c3f8a9ad188580c39aa835eaabc2e7350e733ef

Download Submit
memory/3184-10-0x0000000074A0E000-0x0000000074A0F000-memory.dmp

Filesize
4KB

Download
memory/3184-11-0x00000000002B0000-0x00000000002E0000-memory.dmp

Filesize
192KB

Download
memory/3184-12-0x0000000002780000-0x0000000002786000-memory.dmp

Filesize
24KB

Download
memory/3184-13-0x0000000005470000-0x0000000005A88000-memory.dmp

Filesize
6.1MB

Download
memory/3184-14-0x0000000004F60000-0x000000000506A000-memory.dmp

Filesize
1.0MB

Download
memory/3184-15-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/3184-16-0x0000000004CD0000-0x0000000004D0C000-memory.dmp

Filesize
240KB

Download
memory/3184-17-0x0000000074A00000-0x00000000751B0000-memory.dmp

Filesize
7.7MB

Download
memory/3184-18-0x0000000004E50000-0x0000000004E9C000-memory.dmp

Filesize
304KB

Download
memory/3184-19-0x0000000074A0E000-0x0000000074A0F000-memory.dmp

Filesize
4KB

Download
memory/3184-20-0x0000000074A00000-0x00000000751B0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads