mystic | 5e831beab1114ac9acd665a6dc93e4478c72f9985bcae804c34864e3b6ee4705

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 17:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1b565f7ed39bcb3768a8d15009e2ee03870984f6900010642cd696ee9c5efc1d.exe
Size

658KB
MD5

9fe44f8f66e8c285d022d74989629cfa
SHA1

c54ea90ee09577e198354aee1c8ef1e2ffeaddee
SHA256

1b565f7ed39bcb3768a8d15009e2ee03870984f6900010642cd696ee9c5efc1d
SHA512

df870280de60a3387ac188d17b496f5ab16b8b151fb97499165d7ae1d2af59beaa93bec5936c6dd31179ea3e7bc8a42a2a45471df6c1d1bd722742d98d27baae
SSDEEP

12288:dMrMy90K4zuhOnbcMcmoBoUk4Ic11QCeguckH+IRCUmWwZT:JyXfPMcmoV9X1yCegw+IZwl

Score

10^/10

mystic redline virad infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

virad

77.91.124.82:19071

Attributes

auth_value
434dd63619ca8bbf10125913fb40ca28

Signatures

Detect Mystic stealer payload 1 IoCs

resource	yara_rule
behavioral4/files/0x0008000000023428-19.dat	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral4/files/0x0007000000023429-22.dat	family_redline
behavioral4/memory/4488-24-0x0000000000500000-0x0000000000530000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

pid	Process
1440	y1583749.exe
4148	y3593506.exe
3812	m5553823.exe
4488	n1806562.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	1b565f7ed39bcb3768a8d15009e2ee03870984f6900010642cd696ee9c5efc1d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y1583749.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y3593506.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 744 wrote to memory of 1440	744	1b565f7ed39bcb3768a8d15009e2ee03870984f6900010642cd696ee9c5efc1d.exe	82
PID 744 wrote to memory of 1440	744	1b565f7ed39bcb3768a8d15009e2ee03870984f6900010642cd696ee9c5efc1d.exe	82
PID 744 wrote to memory of 1440	744	1b565f7ed39bcb3768a8d15009e2ee03870984f6900010642cd696ee9c5efc1d.exe	82
PID 1440 wrote to memory of 4148	1440	y1583749.exe	83
PID 1440 wrote to memory of 4148	1440	y1583749.exe	83
PID 1440 wrote to memory of 4148	1440	y1583749.exe	83
PID 4148 wrote to memory of 3812	4148	y3593506.exe	85
PID 4148 wrote to memory of 3812	4148	y3593506.exe	85
PID 4148 wrote to memory of 3812	4148	y3593506.exe	85
PID 4148 wrote to memory of 4488	4148	y3593506.exe	86
PID 4148 wrote to memory of 4488	4148	y3593506.exe	86
PID 4148 wrote to memory of 4488	4148	y3593506.exe	86

C:\Users\Admin\AppData\Local\Temp\1b565f7ed39bcb3768a8d15009e2ee03870984f6900010642cd696ee9c5efc1d.exe
"C:\Users\Admin\AppData\Local\Temp\1b565f7ed39bcb3768a8d15009e2ee03870984f6900010642cd696ee9c5efc1d.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:744
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1583749.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1583749.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1440
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3593506.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3593506.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4148
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m5553823.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m5553823.exe
      4⤵
      Executes dropped EXE
      PID:3812
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n1806562.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n1806562.exe
      4⤵
      Executes dropped EXE
      PID:4488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1583749.exe

Filesize
556KB

MD5
86d0f6675a1d10ac990b8ccc99a14bd3

SHA1
8bf73de085bfee21d0dbe6088edceee41e32dcbb

SHA256
7353e7977afd7f1c1b619605f18558812a860eed096d2fc4584098ccd040be69

SHA512
fc3cc76d82aad95cd4c8ba880dc16f3e60d620710776d29de0707d64a5dcd57510aae0b76949da3ddb6da943d909c022eb14061e4beee873aa0118987c4e791c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3593506.exe

Filesize
271KB

MD5
e5f2f7a71ba59df14212b3bdfde569d3

SHA1
23e30a0c7eb837e7a335f13669f46f4402906985

SHA256
eb20f32ce95e436a9c056588c4d5ac255c251fd2e49a061b3ab4c283558c1236

SHA512
fc690e789070902f04e63985e01c5e879602653fe77388fe16a025a7a0d9026c0d0732fa020612f5fb59348af9390b90607a9e1baa4078c3e73b970e144ab59a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m5553823.exe

Filesize
141KB

MD5
91645dbf7f45c96242f49baf9d1a566b

SHA1
aa9a72f22cab006d4fd6549f2618e30b68bb8e85

SHA256
3b95fe9395fa6ab64c07b139f35981197bd7dc4e6e9ad0229a23721337f4a396

SHA512
3ffd8955c024b46afb237a6767f73401781d3d1d37271a7d7bf8cc34d4106984c4cdba52e284520288d46ab8b62124b7bed1279b5e6b4daf3aebae7b566048f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n1806562.exe

Filesize
174KB

MD5
9c007a8b61fe5d7a9528cbfaa8e7d1c5

SHA1
2fa5fc763492e31dfc65f00e74e77f76d41315c6

SHA256
7fb37e6440a8e6975bc30ce708ab68c2d2c3e93d120af6cfacfe8e1eabe9ca8b

SHA512
469535742843f94ba8ecfcca1401074671f37f8f5ec5b6af01dfe89cb5cf94a120b652cab38a8d8c82b40911d2ad273ce28feb17cc7e5bd68f2bcaa3d3f177a7

Download Submit
memory/4488-24-0x0000000000500000-0x0000000000530000-memory.dmp

Filesize
192KB

Download
memory/4488-25-0x0000000004D20000-0x0000000004D26000-memory.dmp

Filesize
24KB

Download
memory/4488-26-0x0000000005480000-0x0000000005A98000-memory.dmp

Filesize
6.1MB

Download
memory/4488-27-0x0000000004F70000-0x000000000507A000-memory.dmp

Filesize
1.0MB

Download
memory/4488-28-0x0000000004E90000-0x0000000004EA2000-memory.dmp

Filesize
72KB

Download
memory/4488-29-0x0000000004EF0000-0x0000000004F2C000-memory.dmp

Filesize
240KB

Download
memory/4488-30-0x0000000005080000-0x00000000050CC000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads