mystic | 1aa612c673e0e8506776c3b8740894f0947bb33bd7b5f22dc14212289801a024

Analysis

max time kernel
147s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 17:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f0dcb286edd11d6940d1a6019389bb64a1dd0d5f45b9d086f976170c1c151532.exe
Size

632KB
MD5

70cde4431c748a02ed9e6ed7ea19498f
SHA1

cb0638996cea6fcf6830f09b0936d92629d8b8f8
SHA256

f0dcb286edd11d6940d1a6019389bb64a1dd0d5f45b9d086f976170c1c151532
SHA512

5115a25020d2c5ccc8595eddaeb7df9f3df85bbe04ffc9b3ef7a5699d07fe2c124ca7d31eb1a956c6deb306b980a5921131f341547d1bae58f2d641c1a4fe06e
SSDEEP

12288:2Mrvy90AJpi54h/bwTz8z0fyx+3BYkL53D6QhpkNdITaYdom8r2vgZWZri:JyDJceb4AIfyxS+YywTGmRkEi

Score

10^/10

mystic redline jokes infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

jokes

77.91.124.82:19071

Attributes

auth_value
fb7b36b70ae30fb2b72f789037350cdb

Signatures

Detect Mystic stealer payload 1 IoCs

resource	yara_rule
behavioral18/files/0x0008000000023415-19.dat	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral18/files/0x0007000000023416-22.dat	family_redline
behavioral18/memory/4560-24-0x00000000004C0000-0x00000000004F0000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

pid	Process
3904	y3097657.exe
4340	y2038456.exe
2132	m8485708.exe
4560	n5577960.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y3097657.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y2038456.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	f0dcb286edd11d6940d1a6019389bb64a1dd0d5f45b9d086f976170c1c151532.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3272 wrote to memory of 3904	3272	f0dcb286edd11d6940d1a6019389bb64a1dd0d5f45b9d086f976170c1c151532.exe	84
PID 3272 wrote to memory of 3904	3272	f0dcb286edd11d6940d1a6019389bb64a1dd0d5f45b9d086f976170c1c151532.exe	84
PID 3272 wrote to memory of 3904	3272	f0dcb286edd11d6940d1a6019389bb64a1dd0d5f45b9d086f976170c1c151532.exe	84
PID 3904 wrote to memory of 4340	3904	y3097657.exe	85
PID 3904 wrote to memory of 4340	3904	y3097657.exe	85
PID 3904 wrote to memory of 4340	3904	y3097657.exe	85
PID 4340 wrote to memory of 2132	4340	y2038456.exe	86
PID 4340 wrote to memory of 2132	4340	y2038456.exe	86
PID 4340 wrote to memory of 2132	4340	y2038456.exe	86
PID 4340 wrote to memory of 4560	4340	y2038456.exe	87
PID 4340 wrote to memory of 4560	4340	y2038456.exe	87
PID 4340 wrote to memory of 4560	4340	y2038456.exe	87

C:\Users\Admin\AppData\Local\Temp\f0dcb286edd11d6940d1a6019389bb64a1dd0d5f45b9d086f976170c1c151532.exe
"C:\Users\Admin\AppData\Local\Temp\f0dcb286edd11d6940d1a6019389bb64a1dd0d5f45b9d086f976170c1c151532.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3272
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3097657.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3097657.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3904
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y2038456.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y2038456.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4340
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m8485708.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m8485708.exe
      4⤵
      Executes dropped EXE
      PID:2132
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n5577960.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n5577960.exe
      4⤵
      Executes dropped EXE
      PID:4560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3097657.exe

Filesize
530KB

MD5
bf5cb506a8b0fef98ecce9cdd9dda739

SHA1
e22e31afd4d7083463e560f6748676a231bab296

SHA256
d3eccf84e6b326168454bb2968170f21c7f679d499a7f1cc0b7b1b27fe6f3edf

SHA512
8ea04b5969dc2ecf7141c8e6ba9c18084bd6063228ec44a0f34e023f12386264f52fc6f9bf675a31bf11ca34d4430599422ea591b2fe81febc146f8d47fb7553

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y2038456.exe

Filesize
271KB

MD5
b923cee12857b9209eaf69d7ec68b0df

SHA1
a91c491028c2d61d4dcdc06bc5f1dd4745c30a4d

SHA256
36508119eb08fc3c75e712be8ce166086764150a56432f55220faad401716e58

SHA512
e2b33b385e44b052ea2d37677331a8ef19bc496991c76a03becae3bbb1c465e8dc2e5c93ad01a42e1e69f05e744b13ef7f0487e8adfc99bc40ac605ab126be0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m8485708.exe

Filesize
140KB

MD5
11dc9c9ecac47c9982b2c2ee50b14f1a

SHA1
97e78cb35788e88b7bfb413467e79c2911f9ed57

SHA256
f03b6d0047a233a24d1f48c94f22bc96cf58df09088269052fe7c65458f5c110

SHA512
44396516a877290d48e52cf81c605b3a9eab97c5f8481eaa21d71c9f6350b7ab5305998e432ba1b12ab99e1a9af21fa19225e3295d49501b56f131997ae81203

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n5577960.exe

Filesize
174KB

MD5
37e70406178fef75e3a053fb57a2c648

SHA1
e5db5f1f6a8492258d66cc38b104bebf5c4d4965

SHA256
749190eed4546678a52cfcf2c4a3aa557cdf1c5b90670ccaf3b64e314830e657

SHA512
2ca719943a63c86a45bc269cf8c8446e440377e526641a1f7afc9fb580cdf5ece5432fbc29b9bc00ca22d5f80966009b8f92de84aaff2706d1d00d00af5a5a6c

Download Submit
memory/4560-24-0x00000000004C0000-0x00000000004F0000-memory.dmp

Filesize
192KB

Download
memory/4560-25-0x0000000002850000-0x0000000002856000-memory.dmp

Filesize
24KB

Download
memory/4560-26-0x00000000054E0000-0x0000000005AF8000-memory.dmp

Filesize
6.1MB

Download
memory/4560-27-0x0000000004FD0000-0x00000000050DA000-memory.dmp

Filesize
1.0MB

Download
memory/4560-28-0x0000000004E40000-0x0000000004E52000-memory.dmp

Filesize
72KB

Download
memory/4560-29-0x0000000004EC0000-0x0000000004EFC000-memory.dmp

Filesize
240KB

Download
memory/4560-30-0x0000000004F00000-0x0000000004F4C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads