mystic | 1aa612c673e0e8506776c3b8740894f0947bb33bd7b5f22dc14212289801a024

Analysis

max time kernel
141s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 17:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ec317a24ef2ba5bee688aaad8667b8e438ce19cc1b84eb2972099c8e95eebba3.exe
Size

662KB
MD5

6980000f944887fce276684c7c66bb01
SHA1

06f4e14cdb875469c215c71254463165c1b6eba5
SHA256

ec317a24ef2ba5bee688aaad8667b8e438ce19cc1b84eb2972099c8e95eebba3
SHA512

1ba6a235f6caee47200cd99aa3952b76dae9f5024e1349e2fcc0310ce8eed2eec495435e245535542d100dac69962517accec22e3f1893eee3889cc0520cf052
SSDEEP

12288:WMruy90fRdPF1+2uJQbMt2mSXrYxZIEjxzIDAUZFAIVvyBWp/cRGEnXox:syEPPP8t2NeZVGbZFnVT/cU7

Score

10^/10

mystic redline virad infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

virad

77.91.124.82:19071

Attributes

auth_value
434dd63619ca8bbf10125913fb40ca28

Signatures

Detect Mystic stealer payload 1 IoCs

resource	yara_rule
behavioral17/files/0x0008000000023436-19.dat	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral17/files/0x0007000000023437-22.dat	family_redline
behavioral17/memory/3280-24-0x0000000000120000-0x0000000000150000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

pid	Process
5108	y2839536.exe
3516	y2406189.exe
2496	m5866127.exe
3280	n7650476.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ec317a24ef2ba5bee688aaad8667b8e438ce19cc1b84eb2972099c8e95eebba3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y2839536.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y2406189.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 428 wrote to memory of 5108	428	ec317a24ef2ba5bee688aaad8667b8e438ce19cc1b84eb2972099c8e95eebba3.exe	83
PID 428 wrote to memory of 5108	428	ec317a24ef2ba5bee688aaad8667b8e438ce19cc1b84eb2972099c8e95eebba3.exe	83
PID 428 wrote to memory of 5108	428	ec317a24ef2ba5bee688aaad8667b8e438ce19cc1b84eb2972099c8e95eebba3.exe	83
PID 5108 wrote to memory of 3516	5108	y2839536.exe	84
PID 5108 wrote to memory of 3516	5108	y2839536.exe	84
PID 5108 wrote to memory of 3516	5108	y2839536.exe	84
PID 3516 wrote to memory of 2496	3516	y2406189.exe	85
PID 3516 wrote to memory of 2496	3516	y2406189.exe	85
PID 3516 wrote to memory of 2496	3516	y2406189.exe	85
PID 3516 wrote to memory of 3280	3516	y2406189.exe	86
PID 3516 wrote to memory of 3280	3516	y2406189.exe	86
PID 3516 wrote to memory of 3280	3516	y2406189.exe	86

C:\Users\Admin\AppData\Local\Temp\ec317a24ef2ba5bee688aaad8667b8e438ce19cc1b84eb2972099c8e95eebba3.exe
"C:\Users\Admin\AppData\Local\Temp\ec317a24ef2ba5bee688aaad8667b8e438ce19cc1b84eb2972099c8e95eebba3.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:428
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2839536.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2839536.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:5108
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y2406189.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y2406189.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3516
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m5866127.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m5866127.exe
      4⤵
      Executes dropped EXE
      PID:2496
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n7650476.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n7650476.exe
      4⤵
      Executes dropped EXE
      PID:3280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2839536.exe

Filesize
561KB

MD5
9837bf5b7f849536a7903aa1f84c3374

SHA1
e8ec13995568c9168e00db73bf03c10f5a0c5141

SHA256
33699f0af7475ba50854d518a41bdeaf9f0e65934ea125b32aa15b70f13df0f9

SHA512
d7c864a2248d15a1bd3d928e2af552e39a8a4067775ea7b4a6ba86dc328a117082a0fb1c10ab2798dfc8b89c2278d2c663db1026da4bb64b9cee2b39eb8506b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y2406189.exe

Filesize
271KB

MD5
14785244df56dafbcba731e754f337b7

SHA1
fa1b26096b380b30ffb942684daa38d27c32121c

SHA256
f2cce909eca03fb472266113aeed9ab44c81218fb6b4de31949151b9543a1f10

SHA512
37d93d6d187e2566b2a1554351642405020a3d6c8687fd0c7f93ba7dedf0a88c0164aa27cc330fb746f77faed0684133c5b39ab971404748c9172bd9d68cdffd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m5866127.exe

Filesize
141KB

MD5
8451f8d13ffcce226ae36033c3e6ad2b

SHA1
1b31c7441ea79f6ccd04aebdcbbb6835e4c5a951

SHA256
cdb414688bffff299a1b6b13fbfdb4623791ac4d4995c721b8051240bf88700b

SHA512
5d3eb6f8e8ad3dfe697a112827dc9b9a8bbe7dbc51d3d896d8417befa00ca0332badaa7a3d298d02025d2c0ced7e5dba30139814b7daedb66be1eae1a317355f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n7650476.exe

Filesize
175KB

MD5
56b71bdd64b7dcb7d4f73f78df3e7587

SHA1
f0cf562a4f7e7f67c68e3605ffb40ed9e91c8799

SHA256
31a466c0c05f4feced392f0ffd93d372c9bd322f6bfb3ee81469c43472458ba0

SHA512
49ec197872531ccbfd0d67766dfdc51713a45ca3a119b10e84dea745a4ac0334094ed1ed6bf4a76f88ed73be2606ee3db014987a7c82d5dd38f4d2e7c86f2d26

Download Submit
memory/3280-24-0x0000000000120000-0x0000000000150000-memory.dmp

Filesize
192KB

Download
memory/3280-25-0x0000000004940000-0x0000000004946000-memory.dmp

Filesize
24KB

Download
memory/3280-26-0x000000000A5A0000-0x000000000ABB8000-memory.dmp

Filesize
6.1MB

Download
memory/3280-27-0x000000000A0D0000-0x000000000A1DA000-memory.dmp

Filesize
1.0MB

Download
memory/3280-28-0x000000000A010000-0x000000000A022000-memory.dmp

Filesize
72KB

Download
memory/3280-29-0x000000000A070000-0x000000000A0AC000-memory.dmp

Filesize
240KB

Download
memory/3280-30-0x0000000002300000-0x000000000234C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads