mystic | 5e831beab1114ac9acd665a6dc93e4478c72f9985bcae804c34864e3b6ee4705

Analysis

max time kernel
138s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 17:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b0845c677fbb6f6769b22ee306bf30e9c9d49caa3bfd274fceb91e91bd6ee061.exe
Size

631KB
MD5

02a6385cadccaae01686ff068e1019e7
SHA1

409d5af29477ee6436c37917b567ae4e10fad5c0
SHA256

b0845c677fbb6f6769b22ee306bf30e9c9d49caa3bfd274fceb91e91bd6ee061
SHA512

744b153ddf945f75399e44bbdce8a3cfc3b1af8050a9e667c503b705adc609db8db79603300c46bcdf6afa6b6a4b47a475b16cc57f7af0df78294d3732de7bcc
SSDEEP

12288:YMrVy90ob0MnsCU2toDypXWVm218sXdx2gVQDOM/b+w:dyPogZqDy1WHP3VQDOMz3

Score

10^/10

mystic redline jokes infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

jokes

77.91.124.82:19071

Attributes

auth_value
fb7b36b70ae30fb2b72f789037350cdb

Signatures

Detect Mystic stealer payload 1 IoCs

resource	yara_rule
behavioral13/files/0x0008000000023456-20.dat	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral13/files/0x0007000000023457-22.dat	family_redline
behavioral13/memory/3404-24-0x00000000001C0000-0x00000000001F0000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

pid	Process
4872	y0821680.exe
3148	y4164106.exe
3176	m1123121.exe
3404	n8191002.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b0845c677fbb6f6769b22ee306bf30e9c9d49caa3bfd274fceb91e91bd6ee061.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y0821680.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y4164106.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 940 wrote to memory of 4872	940	b0845c677fbb6f6769b22ee306bf30e9c9d49caa3bfd274fceb91e91bd6ee061.exe	83
PID 940 wrote to memory of 4872	940	b0845c677fbb6f6769b22ee306bf30e9c9d49caa3bfd274fceb91e91bd6ee061.exe	83
PID 940 wrote to memory of 4872	940	b0845c677fbb6f6769b22ee306bf30e9c9d49caa3bfd274fceb91e91bd6ee061.exe	83
PID 4872 wrote to memory of 3148	4872	y0821680.exe	84
PID 4872 wrote to memory of 3148	4872	y0821680.exe	84
PID 4872 wrote to memory of 3148	4872	y0821680.exe	84
PID 3148 wrote to memory of 3176	3148	y4164106.exe	85
PID 3148 wrote to memory of 3176	3148	y4164106.exe	85
PID 3148 wrote to memory of 3176	3148	y4164106.exe	85
PID 3148 wrote to memory of 3404	3148	y4164106.exe	86
PID 3148 wrote to memory of 3404	3148	y4164106.exe	86
PID 3148 wrote to memory of 3404	3148	y4164106.exe	86

C:\Users\Admin\AppData\Local\Temp\b0845c677fbb6f6769b22ee306bf30e9c9d49caa3bfd274fceb91e91bd6ee061.exe
"C:\Users\Admin\AppData\Local\Temp\b0845c677fbb6f6769b22ee306bf30e9c9d49caa3bfd274fceb91e91bd6ee061.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:940
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0821680.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0821680.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4872
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4164106.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4164106.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3148
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m1123121.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m1123121.exe
      4⤵
      Executes dropped EXE
      PID:3176
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n8191002.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n8191002.exe
      4⤵
      Executes dropped EXE
      PID:3404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0821680.exe

Filesize
529KB

MD5
c4ef82bf9146dba1ac57af69fa171ec4

SHA1
25bc458a4f8e27ee8843452d882a56273ddbcaf3

SHA256
03fb8e879271f1a778b2b337fe606d74946f7bb5af8167710f06027b0d4e6014

SHA512
efce5ca82546aabe1572797de3098654f08a12b2abc982e0084a3e8c18e9386aed6431dce28ffd6244f178879ed485eb19e3ff6b8fcdad67dbd3f4b6f1d1f383

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4164106.exe

Filesize
271KB

MD5
a784c6700f6328fba461904ae0899cd3

SHA1
2056c365ebdb83e75c171e8562969695b3d35313

SHA256
1777dd86cfc93b80776acc6181e382dbb4e4a79f1dbdfffa03d8427e56fe1e30

SHA512
434fcf070841b5d35d9eb1fe499020ef291607a046a926b8ca5d3f926a6b0ad9414d772978e216e835c8683bbb6b68748e6b6c879af7998798829623adc6900a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m1123121.exe

Filesize
140KB

MD5
ab69f362d44403dc240dc3aa887eb8d2

SHA1
3a8ab030886a2f5d876337c1e02f8e6c866b5ac3

SHA256
5843114a10718017c2bc777f1b26ab82c1fab55ad2ef2f3c16a90bdd5ad17923

SHA512
5f6c21b20245b67cc89dda670af03292aecc46f00400804b4770178007de4c16e0b0ece4ec128e74d320faf9edfa07f55893e30f1d20e89169b5938e74867f04

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n8191002.exe

Filesize
174KB

MD5
6aa320f8d3db292e485cd0ce078a524c

SHA1
966856b80c18ce605e8dc9539584bc68915b9ce7

SHA256
c577aa03db9df7ad1b553ce8f960986ea1f604135ebe3c8cc0617bd883770145

SHA512
f1e4008311ead2ad87dcfce95325e2ed4cfccc040af4a8c2d4d6bebb97b07d1d08341fd82929bb34b1af3869db75e001ebb91a1ef43dc43fcbdcd8dbe5a2d77c

Download Submit
memory/3404-24-0x00000000001C0000-0x00000000001F0000-memory.dmp

Filesize
192KB

Download
memory/3404-25-0x0000000002410000-0x0000000002416000-memory.dmp

Filesize
24KB

Download
memory/3404-26-0x000000000A510000-0x000000000AB28000-memory.dmp

Filesize
6.1MB

Download
memory/3404-27-0x000000000A030000-0x000000000A13A000-memory.dmp

Filesize
1.0MB

Download
memory/3404-28-0x0000000009F70000-0x0000000009F82000-memory.dmp

Filesize
72KB

Download
memory/3404-29-0x0000000009FD0000-0x000000000A00C000-memory.dmp

Filesize
240KB

Download
memory/3404-30-0x0000000002390000-0x00000000023DC000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads