mystic | 5e831beab1114ac9acd665a6dc93e4478c72f9985bcae804c34864e3b6ee4705

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 17:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4e5d421522773b4acede9491200eb6a0479ef03a8892230b81ba0d0ed10d98cb.exe
Size

272KB
MD5

b377b3cf4944e110382a96968449d034
SHA1

e38952501c935164ef7ef9c2fb33341936db56bb
SHA256

4e5d421522773b4acede9491200eb6a0479ef03a8892230b81ba0d0ed10d98cb
SHA512

b645b3690772419b94de5d2cc2910c415700f2ce2e0a7718b3db7d0c02513f9ea21309aef959dc263c6c2ff3b0937e20eaca1d32560ae22165382d44f91a0153
SSDEEP

6144:Kay+bnr+4p0yN90QEZd3Y9nO/kYSyZWBCpeUcmOpmL:2Mr8y90Tdo9nOvkCFq6

Score

10^/10

mystic redline moner infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

moner

77.91.124.82:19071

Attributes

auth_value
a94cd9e01643e1945b296c28a2f28707

Signatures

Detect Mystic stealer payload 1 IoCs

resource	yara_rule
behavioral7/files/0x0008000000023435-5.dat	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral7/files/0x0007000000023436-8.dat	family_redline
behavioral7/memory/3516-11-0x0000000000D80000-0x0000000000DB0000-memory.dmp	family_redline

Executes dropped EXE 2 IoCs

pid	Process
1628	m9337626.exe
3516	n2328537.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	4e5d421522773b4acede9491200eb6a0479ef03a8892230b81ba0d0ed10d98cb.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3452 wrote to memory of 1628	3452	4e5d421522773b4acede9491200eb6a0479ef03a8892230b81ba0d0ed10d98cb.exe	83
PID 3452 wrote to memory of 1628	3452	4e5d421522773b4acede9491200eb6a0479ef03a8892230b81ba0d0ed10d98cb.exe	83
PID 3452 wrote to memory of 1628	3452	4e5d421522773b4acede9491200eb6a0479ef03a8892230b81ba0d0ed10d98cb.exe	83
PID 3452 wrote to memory of 3516	3452	4e5d421522773b4acede9491200eb6a0479ef03a8892230b81ba0d0ed10d98cb.exe	84
PID 3452 wrote to memory of 3516	3452	4e5d421522773b4acede9491200eb6a0479ef03a8892230b81ba0d0ed10d98cb.exe	84
PID 3452 wrote to memory of 3516	3452	4e5d421522773b4acede9491200eb6a0479ef03a8892230b81ba0d0ed10d98cb.exe	84

C:\Users\Admin\AppData\Local\Temp\4e5d421522773b4acede9491200eb6a0479ef03a8892230b81ba0d0ed10d98cb.exe
"C:\Users\Admin\AppData\Local\Temp\4e5d421522773b4acede9491200eb6a0479ef03a8892230b81ba0d0ed10d98cb.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3452
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m9337626.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m9337626.exe
  2⤵
  - Executes dropped EXE
  PID:1628
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n2328537.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n2328537.exe
  2⤵
  - Executes dropped EXE
  PID:3516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m9337626.exe

Filesize
142KB

MD5
ec04ee1a38cd40fffaa88c9137ef0e93

SHA1
f491a9f9a2f2f9675a15263541a53131c83397d8

SHA256
4a3f6d64f9a7d57ec307a5ab973dff980df0f64595b1de131ac58302336982ae

SHA512
c5eca5fc21313405de4e32958cf4c320d540523df6f6b4f5aa4cc90e81fd86a234f4011389b173c23f434dcfd7b18482af7ddaacbfa41f830d3d8cdaa83d2d23

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n2328537.exe

Filesize
174KB

MD5
429faac50ef94d3699d61066fd94ddc5

SHA1
e3812a0cefca639cc61f9d4cdf9a87c25d33e858

SHA256
7f9c4f6f04b28b3b3c4953330e2097054161faa08ca25d654f17cfa3da2274a3

SHA512
1a4b84cc96c66b6363790f1cb67fe7730f5a6e19a442319daa179e1728e5baac0dcc0b8e275cf1b6527f424748028ea626939856b03715a07127c62ea36725d3

Download Submit
memory/3516-10-0x000000007457E000-0x000000007457F000-memory.dmp

Filesize
4KB

Download
memory/3516-11-0x0000000000D80000-0x0000000000DB0000-memory.dmp

Filesize
192KB

Download
memory/3516-12-0x00000000056A0000-0x00000000056A6000-memory.dmp

Filesize
24KB

Download
memory/3516-13-0x0000000005E20000-0x0000000006438000-memory.dmp

Filesize
6.1MB

Download
memory/3516-14-0x0000000005910000-0x0000000005A1A000-memory.dmp

Filesize
1.0MB

Download
memory/3516-15-0x0000000005850000-0x0000000005862000-memory.dmp

Filesize
72KB

Download
memory/3516-16-0x00000000058B0000-0x00000000058EC000-memory.dmp

Filesize
240KB

Download
memory/3516-17-0x0000000074570000-0x0000000074D20000-memory.dmp

Filesize
7.7MB

Download
memory/3516-18-0x0000000005A20000-0x0000000005A6C000-memory.dmp

Filesize
304KB

Download
memory/3516-19-0x000000007457E000-0x000000007457F000-memory.dmp

Filesize
4KB

Download
memory/3516-20-0x0000000074570000-0x0000000074D20000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads