mystic | 5e831beab1114ac9acd665a6dc93e4478c72f9985bcae804c34864e3b6ee4705

Analysis

max time kernel
136s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 17:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d85805160cf3294fe4b79968f7cee19fdaf73c0a9ed5ab8fffa11fa7fd3bddb3.exe
Size

271KB
MD5

3365ae14e21dd529bf5f2da0b58d4de7
SHA1

acd8613b430a252cc8ebdd937f6563a2c8ae638b
SHA256

d85805160cf3294fe4b79968f7cee19fdaf73c0a9ed5ab8fffa11fa7fd3bddb3
SHA512

0ea07e2bcd6b72c92f3323aca76b27d11005ef67211dd2a6836251ea9fc71b9ab04c0ceea0669354797a48a066c5cb43be0dbe3cab209a4303b4d64bce27eb3f
SSDEEP

6144:KPy+bnr+op0yN90QEqd3Y9nl/kYFod56xg7w8+:pMrAy90Edo9nlcd9W

Score

10^/10

mystic redline virad infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

virad

77.91.124.82:19071

Attributes

auth_value
434dd63619ca8bbf10125913fb40ca28

Signatures

Detect Mystic stealer payload 1 IoCs

resource	yara_rule
behavioral17/files/0x0008000000023536-5.dat	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral17/files/0x0007000000023537-8.dat	family_redline
behavioral17/memory/3976-11-0x0000000000CB0000-0x0000000000CE0000-memory.dmp	family_redline

Executes dropped EXE 2 IoCs

pid	Process
2336	m0447872.exe
3976	n1029900.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	d85805160cf3294fe4b79968f7cee19fdaf73c0a9ed5ab8fffa11fa7fd3bddb3.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2960 wrote to memory of 2336	2960	d85805160cf3294fe4b79968f7cee19fdaf73c0a9ed5ab8fffa11fa7fd3bddb3.exe	90
PID 2960 wrote to memory of 2336	2960	d85805160cf3294fe4b79968f7cee19fdaf73c0a9ed5ab8fffa11fa7fd3bddb3.exe	90
PID 2960 wrote to memory of 2336	2960	d85805160cf3294fe4b79968f7cee19fdaf73c0a9ed5ab8fffa11fa7fd3bddb3.exe	90
PID 2960 wrote to memory of 3976	2960	d85805160cf3294fe4b79968f7cee19fdaf73c0a9ed5ab8fffa11fa7fd3bddb3.exe	91
PID 2960 wrote to memory of 3976	2960	d85805160cf3294fe4b79968f7cee19fdaf73c0a9ed5ab8fffa11fa7fd3bddb3.exe	91
PID 2960 wrote to memory of 3976	2960	d85805160cf3294fe4b79968f7cee19fdaf73c0a9ed5ab8fffa11fa7fd3bddb3.exe	91

C:\Users\Admin\AppData\Local\Temp\d85805160cf3294fe4b79968f7cee19fdaf73c0a9ed5ab8fffa11fa7fd3bddb3.exe
"C:\Users\Admin\AppData\Local\Temp\d85805160cf3294fe4b79968f7cee19fdaf73c0a9ed5ab8fffa11fa7fd3bddb3.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2960
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m0447872.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m0447872.exe
  2⤵
  - Executes dropped EXE
  PID:2336
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n1029900.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n1029900.exe
  2⤵
  - Executes dropped EXE
  PID:3976

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4460,i,2607710392823067546,4648797561512801463,262144 --variations-seed-version --mojo-platform-channel-handle=1300 /prefetch:8
1⤵
PID:2488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m0447872.exe

Filesize
141KB

MD5
2fc9fd4ddc9657ec7ba8308a407c81a1

SHA1
0c595adde3182ba29db6ce8987762186b35dc3e7

SHA256
796f7591278b469648111e83e291fbedb9291544b5a88e38506891d277ea739b

SHA512
935770a402257435b3ca502cb0e89715c3e1bd468b78a49124d17784ce302fe3da9aa2d5c50b363f44c6d2dfe1e4f767c6aa6d6d7b458b098e8abe468f79f64f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n1029900.exe

Filesize
175KB

MD5
063f7e906f6d423d25cb9a493a546692

SHA1
597408b44e7b5520e94f545dc7788acf95588866

SHA256
f4d56cbd8ac1769a7d42ba4eb7b20d7ca78cab6b1a1b19a30d39f996a46908bf

SHA512
526f369f358672855bbd6752f94c4af0e5df5fc6eec77f43c072af11744f8bbfa21520b211554289b5241c71df53f31001c3b0a5069a338531c9a5319a13c0e9

Download Submit
memory/3976-10-0x000000007427E000-0x000000007427F000-memory.dmp

Filesize
4KB

Download
memory/3976-11-0x0000000000CB0000-0x0000000000CE0000-memory.dmp

Filesize
192KB

Download
memory/3976-12-0x0000000002F40000-0x0000000002F46000-memory.dmp

Filesize
24KB

Download
memory/3976-13-0x0000000005CC0000-0x00000000062D8000-memory.dmp

Filesize
6.1MB

Download
memory/3976-14-0x00000000057B0000-0x00000000058BA000-memory.dmp

Filesize
1.0MB

Download
memory/3976-15-0x0000000005530000-0x0000000005542000-memory.dmp

Filesize
72KB

Download
memory/3976-16-0x00000000056A0000-0x00000000056DC000-memory.dmp

Filesize
240KB

Download
memory/3976-17-0x0000000074270000-0x0000000074A20000-memory.dmp

Filesize
7.7MB

Download
memory/3976-18-0x00000000056E0000-0x000000000572C000-memory.dmp

Filesize
304KB

Download
memory/3976-19-0x000000007427E000-0x000000007427F000-memory.dmp

Filesize
4KB

Download
memory/3976-20-0x0000000074270000-0x0000000074A20000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads