mystic | 1aa612c673e0e8506776c3b8740894f0947bb33bd7b5f22dc14212289801a024

Analysis

max time kernel
143s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 17:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e267ce7005abcc25524e9395554aeb50630246fae2d26c6832285538cac766a3.exe
Size

657KB
MD5

4ca1ea735e9998270a86f8053fc38e42
SHA1

1d72eb587bb77853daf9b6a186debcd515d207cd
SHA256

e267ce7005abcc25524e9395554aeb50630246fae2d26c6832285538cac766a3
SHA512

1cb1f727a9a9d16e684aa60e9834b42da72327d2a767955fe37f8511ecac8ecc6e100a5eb3e1e7c8891dc6e309d7ad223cfb86f5e221bd0baad1a16fb8b4438f
SSDEEP

12288:nMrmy90laJQJdJOMY3QrBPBT0odoug0bHAYxCf/EligsQiY:RyBCfJOMYWBPB7muVbgYxCDY

Score

10^/10

mystic redline virad infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

virad

77.91.124.82:19071

Attributes

auth_value
434dd63619ca8bbf10125913fb40ca28

Signatures

Detect Mystic stealer payload 1 IoCs

resource	yara_rule
behavioral16/files/0x00080000000233d9-19.dat	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral16/files/0x00070000000233da-22.dat	family_redline
behavioral16/memory/1864-24-0x00000000004A0000-0x00000000004D0000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

pid	Process
4312	y2933667.exe
3116	y8025403.exe
4380	m2051793.exe
1864	n5776162.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y2933667.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y8025403.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e267ce7005abcc25524e9395554aeb50630246fae2d26c6832285538cac766a3.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2612 wrote to memory of 4312	2612	e267ce7005abcc25524e9395554aeb50630246fae2d26c6832285538cac766a3.exe	82
PID 2612 wrote to memory of 4312	2612	e267ce7005abcc25524e9395554aeb50630246fae2d26c6832285538cac766a3.exe	82
PID 2612 wrote to memory of 4312	2612	e267ce7005abcc25524e9395554aeb50630246fae2d26c6832285538cac766a3.exe	82
PID 4312 wrote to memory of 3116	4312	y2933667.exe	83
PID 4312 wrote to memory of 3116	4312	y2933667.exe	83
PID 4312 wrote to memory of 3116	4312	y2933667.exe	83
PID 3116 wrote to memory of 4380	3116	y8025403.exe	84
PID 3116 wrote to memory of 4380	3116	y8025403.exe	84
PID 3116 wrote to memory of 4380	3116	y8025403.exe	84
PID 3116 wrote to memory of 1864	3116	y8025403.exe	85
PID 3116 wrote to memory of 1864	3116	y8025403.exe	85
PID 3116 wrote to memory of 1864	3116	y8025403.exe	85

C:\Users\Admin\AppData\Local\Temp\e267ce7005abcc25524e9395554aeb50630246fae2d26c6832285538cac766a3.exe
"C:\Users\Admin\AppData\Local\Temp\e267ce7005abcc25524e9395554aeb50630246fae2d26c6832285538cac766a3.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2612
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2933667.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2933667.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4312
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8025403.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8025403.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3116
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m2051793.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m2051793.exe
      4⤵
      Executes dropped EXE
      PID:4380
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n5776162.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n5776162.exe
      4⤵
      Executes dropped EXE
      PID:1864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2933667.exe

Filesize
555KB

MD5
ac6fb4ec0f2137053e88f2b19e24f641

SHA1
1bedccf4fdabfd115daa6b4ced8530cabdb7108e

SHA256
9f442a05b8465267ede485bcf0b643e048dc7e58e3cb65688e11399d279f33fc

SHA512
307a010d3c0afbcd06925733b90fa2a95ae2c647b2e81589df2fe5a0e0560cb8a095eff3bbfb8629b8df2fefb9d36978882e47f26777898c779b20e75ae8c52d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8025403.exe

Filesize
271KB

MD5
e213de80d6fb70a76f3c87c5fdb931cf

SHA1
39fec2f7a60f9894377edbf32ca304ef494e38c8

SHA256
1dfd4878eb8d4911a6c435e02fc15ce8672d6328f35fd3544b4328287d4fbf42

SHA512
cfc9534ecc5cd538d4f1bf499bce8d4d445de1853b0ef334ef1635bbac6a05155d222d228e1f1321d31c67231793d412955128e9ec25ca4c4fba229b3b98e64f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m2051793.exe

Filesize
141KB

MD5
45141e8d8ee9549044e91d79a98aff65

SHA1
bcf7b5afad855f5646f610f94e25bcb320aca290

SHA256
963f8a17cad9bd13e69c6df3b988e416290e0d66ffdc90903c3470384cafe1ed

SHA512
80d39da4f2e72cbd785d63a6ec1ee91ee765efca4add6b9618b7aae65354276f9d9f8e0a87affa12074a9534fdea497e14e1ecf08261764e976262bcbfde09f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n5776162.exe

Filesize
175KB

MD5
3dc38877fd37b24d6ad6989f0e670222

SHA1
d6624039967c9615fadb48b2c0f4a234ae7e34ab

SHA256
e62faf472024fc18ac34cc86c94d85d92a9e8aa844c5545472c3424f3295eff9

SHA512
892946068f408e8e3fd89c0e05f6ff7e27c552d42e91fcb2210a0eb4ebce99007425383aaa99c9ad73f20b69a56cf544d825b43c2f38ee3ae38e6e4380a721d0

Download Submit
memory/1864-24-0x00000000004A0000-0x00000000004D0000-memory.dmp

Filesize
192KB

Download
memory/1864-25-0x0000000004CC0000-0x0000000004CC6000-memory.dmp

Filesize
24KB

Download
memory/1864-26-0x0000000005420000-0x0000000005A38000-memory.dmp

Filesize
6.1MB

Download
memory/1864-27-0x0000000004F10000-0x000000000501A000-memory.dmp

Filesize
1.0MB

Download
memory/1864-28-0x0000000004E30000-0x0000000004E42000-memory.dmp

Filesize
72KB

Download
memory/1864-29-0x0000000004E90000-0x0000000004ECC000-memory.dmp

Filesize
240KB

Download
memory/1864-30-0x0000000005020000-0x000000000506C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads