mystic | 5e831beab1114ac9acd665a6dc93e4478c72f9985bcae804c34864e3b6ee4705

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 17:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1a9919325da63b8484a6bd765fb24e43189e13130d5740306b71aac0ea7178ce.exe
Size

649KB
MD5

7897dce0ec3212cd7eecbda6398e6b13
SHA1

428468b73988ef217d1651c7fa3106fcdc733f68
SHA256

1a9919325da63b8484a6bd765fb24e43189e13130d5740306b71aac0ea7178ce
SHA512

404eab7e914bafe2ee9a7f5e2c342888ead440e7791cca278ee2fd44fed1a7b81abffb5d68e3df8edc72e8d66640d36212e45ebf3060be86044b964bd94c109a
SSDEEP

12288:OMrhy90ogYfURQidiOadxA//doAunUg8Y8oJ1ZTGme7TjPhrzMV:3yfgYf2QidiOM0/mA6LX5GVLhrzMV

Score

10^/10

mystic redline virad infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

virad

77.91.124.82:19071

Attributes

auth_value
434dd63619ca8bbf10125913fb40ca28

Signatures

Detect Mystic stealer payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m5033490.exe	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n6383049.exe	family_redline
behavioral3/memory/1164-24-0x00000000004E0000-0x0000000000510000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

Processes:

y6670028.exey4413852.exem5033490.exen6383049.exe

pid process

2280 y6670028.exe
2552 y4413852.exe
1028 m5033490.exe
1164 n6383049.exe

pid	process
2280	y6670028.exe
2552	y4413852.exe
1028	m5033490.exe
1164	n6383049.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

1a9919325da63b8484a6bd765fb24e43189e13130d5740306b71aac0ea7178ce.exey6670028.exey4413852.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	1a9919325da63b8484a6bd765fb24e43189e13130d5740306b71aac0ea7178ce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y6670028.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y4413852.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

1a9919325da63b8484a6bd765fb24e43189e13130d5740306b71aac0ea7178ce.exey6670028.exey4413852.exe

description	pid	process	target process
PID 2440 wrote to memory of 2280	2440	1a9919325da63b8484a6bd765fb24e43189e13130d5740306b71aac0ea7178ce.exe	y6670028.exe
PID 2440 wrote to memory of 2280	2440	1a9919325da63b8484a6bd765fb24e43189e13130d5740306b71aac0ea7178ce.exe	y6670028.exe
PID 2440 wrote to memory of 2280	2440	1a9919325da63b8484a6bd765fb24e43189e13130d5740306b71aac0ea7178ce.exe	y6670028.exe
PID 2280 wrote to memory of 2552	2280	y6670028.exe	y4413852.exe
PID 2280 wrote to memory of 2552	2280	y6670028.exe	y4413852.exe
PID 2280 wrote to memory of 2552	2280	y6670028.exe	y4413852.exe
PID 2552 wrote to memory of 1028	2552	y4413852.exe	m5033490.exe
PID 2552 wrote to memory of 1028	2552	y4413852.exe	m5033490.exe
PID 2552 wrote to memory of 1028	2552	y4413852.exe	m5033490.exe
PID 2552 wrote to memory of 1164	2552	y4413852.exe	n6383049.exe
PID 2552 wrote to memory of 1164	2552	y4413852.exe	n6383049.exe
PID 2552 wrote to memory of 1164	2552	y4413852.exe	n6383049.exe

C:\Users\Admin\AppData\Local\Temp\1a9919325da63b8484a6bd765fb24e43189e13130d5740306b71aac0ea7178ce.exe
"C:\Users\Admin\AppData\Local\Temp\1a9919325da63b8484a6bd765fb24e43189e13130d5740306b71aac0ea7178ce.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2440

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6670028.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6670028.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2280

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4413852.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4413852.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2552

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m5033490.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m5033490.exe
4⤵
- Executes dropped EXE
PID:1028

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n6383049.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n6383049.exe
4⤵
- Executes dropped EXE
PID:1164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6670028.exe

Filesize
548KB

MD5
7d167f11001e81ae9de536d660be67c5

SHA1
f28c61d979e3178d7d3ddf6378bb2ccf7062d95f

SHA256
e1d6e976808c8081f81d00daad0409756605111ffc9e41e67f58f98a6565b6fa

SHA512
2e39a7a9193fd772db2d4d7860e7c5ba7e448f00f9ddff8a82672e4f6bde9a632ca0da4e996827e4c167dc1f1b38e48a6341fd1bc55e719b39629a510dce395f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4413852.exe

Filesize
271KB

MD5
69cd62dd1807a3f3ed07f3828ee0a149

SHA1
5e1f177ce86d6da85975bb009de1bd5f3f98ec93

SHA256
5e69862b29c7fe4ce5498185f281c3bdbe55a1fc882bc2089fd020c48fa17b35

SHA512
6c44f5a290e7a25b0db758e9232accb8ae6ac67b1ed6bd0fffaad3c4b670418c4cae4dc41527c7bd34a2ea252341e1ea4eaeedcc36057d33bce2ae16787b323f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m5033490.exe

Filesize
140KB

MD5
b9c72a6902c1b14f2e054497232b5e14

SHA1
39291f76b1a94185d76c160980dffb1f9fbf41d3

SHA256
0118ef88749345f4ada8bb2281f71b0601117b952cc9d67666a3d5c02f486ccf

SHA512
521e05913bf9b0f1bae38b1d32746efe22bcb5ca821d4c4e11962f80bf04f27461881f201a4382156480c3c739cbba9389e7ad2ff4d782bfd7c552e97549d2da

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n6383049.exe

Filesize
174KB

MD5
1b276d9e94d340bed48c1a253a60796c

SHA1
b7c3c4cefe1529536b455eeee0e2b88057f5a34a

SHA256
6322738bdf57adddd1d5afe6cd9c4a1f39a23df63707375de59a51360f869e82

SHA512
c8c5136525861a94da38a3a7792b9a86e22daaf829066e3e666859d610d073352e9c1ac6f217a349f4b9adb42587c7cd5f2e48d6e489b5b5e5a089ff8666bd80

Download Submit
memory/1164-24-0x00000000004E0000-0x0000000000510000-memory.dmp

Filesize
192KB

Download
memory/1164-25-0x0000000002690000-0x0000000002696000-memory.dmp

Filesize
24KB

Download
memory/1164-28-0x0000000004DA0000-0x0000000004DB2000-memory.dmp

Filesize
72KB

Download
memory/1164-27-0x00000000050F0000-0x00000000051FA000-memory.dmp

Filesize
1.0MB

Download
memory/1164-26-0x0000000005600000-0x0000000005C18000-memory.dmp

Filesize
6.1MB

Download
memory/1164-29-0x0000000005020000-0x000000000505C000-memory.dmp

Filesize
240KB

Download
memory/1164-30-0x0000000005060000-0x00000000050AC000-memory.dmp

Filesize
304KB

Download