mystic | 176abc5d4c53fc1397a77e15c4028591fc335ce9464a700eddd56742d55dd10d

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 17:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4d264f872fb903372cc6951f97478ade2ed4cea3c43c1ac9c7b62d645b0d804d.exe
Size

555KB
MD5

d5b30a90542911576b7a5abdfbc9a18d
SHA1

7b249e8fe9a27ccc36f91bcf3bb99b82e7bd55e1
SHA256

4d264f872fb903372cc6951f97478ade2ed4cea3c43c1ac9c7b62d645b0d804d
SHA512

5370714ff505c9397f20a6096525e5405cc86f491821b4ac70550f25434b00299f6f4559d52a7c9c96c8af22e96df4d5b599dc73f4f8271838a243fdb35b0981
SSDEEP

12288:jMrDy900n9doqngAn/2J8wLU2ulOoT/V:gy/9mqgA+JtAlOoh

Score

10^/10

mystic redline virad infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

virad

77.91.124.82:19071

Attributes

auth_value
434dd63619ca8bbf10125913fb40ca28

Signatures

Detect Mystic stealer payload 1 IoCs

resource	yara_rule
behavioral11/files/0x0008000000023438-12.dat	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral11/files/0x0007000000023439-15.dat	family_redline
behavioral11/memory/4656-18-0x00000000005C0000-0x00000000005F0000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

pid	Process
2864	y9218658.exe
2148	m8256906.exe
4656	n5847666.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	4d264f872fb903372cc6951f97478ade2ed4cea3c43c1ac9c7b62d645b0d804d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y9218658.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2904 wrote to memory of 2864	2904	4d264f872fb903372cc6951f97478ade2ed4cea3c43c1ac9c7b62d645b0d804d.exe	83
PID 2904 wrote to memory of 2864	2904	4d264f872fb903372cc6951f97478ade2ed4cea3c43c1ac9c7b62d645b0d804d.exe	83
PID 2904 wrote to memory of 2864	2904	4d264f872fb903372cc6951f97478ade2ed4cea3c43c1ac9c7b62d645b0d804d.exe	83
PID 2864 wrote to memory of 2148	2864	y9218658.exe	84
PID 2864 wrote to memory of 2148	2864	y9218658.exe	84
PID 2864 wrote to memory of 2148	2864	y9218658.exe	84
PID 2864 wrote to memory of 4656	2864	y9218658.exe	85
PID 2864 wrote to memory of 4656	2864	y9218658.exe	85
PID 2864 wrote to memory of 4656	2864	y9218658.exe	85

C:\Users\Admin\AppData\Local\Temp\4d264f872fb903372cc6951f97478ade2ed4cea3c43c1ac9c7b62d645b0d804d.exe
"C:\Users\Admin\AppData\Local\Temp\4d264f872fb903372cc6951f97478ade2ed4cea3c43c1ac9c7b62d645b0d804d.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2904
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9218658.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9218658.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2864
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m8256906.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m8256906.exe
    3⤵
    - Executes dropped EXE
    PID:2148
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n5847666.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n5847666.exe
    3⤵
    - Executes dropped EXE
    PID:4656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9218658.exe

Filesize
271KB

MD5
5e08641cb85fd7653994e6070b116819

SHA1
d754427b1e7305e5a40cd13e76a54331ba6b8ed6

SHA256
c4972b8f7324cd94fd5cee918b58f16d3d00ce1a18d11f5287511a089a446027

SHA512
5ea9bac1e4864868152917c5cd2e1a3af2ebac5433d267bf1ead10ba8c8630d39d403c7d57b794e58c2d244eee1beb98dd1ccc58f6794691e26c4613f4fe1479

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m8256906.exe

Filesize
141KB

MD5
eedc938ada21a570e2f3cdfd7b70829b

SHA1
ab5b6b65c549fa4f9dc17c593f8008b0ef2f24a6

SHA256
34285496635aac8f70ebcdc9055f46c750fb3e451bcc239755416406ecacf78d

SHA512
4741abfdd33cca51b7306a9d96e9925416e894a55f5eea5d6d2209f87237811eeb8d20df475d596922909811be6d46023e00e28221814e268dad945823945983

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n5847666.exe

Filesize
175KB

MD5
5a5cad43d79a99f2757e90a7c063b21c

SHA1
89283d956d58d8ebd1e5cb6b9a6e80b809c71248

SHA256
49c578061c4eee2ddf0e5ff33052ee0ac0011f24e49c8968a0c9f82f2cd79c6f

SHA512
0e2a373974308043756d6b3a49d4e2d1a4cc00679a2e274b42d462e4a603eee5115bd14d59948a643df5c872756317d74e7ca21451bc20792bc3438c458499e4

Download Submit
memory/4656-17-0x000000007494E000-0x000000007494F000-memory.dmp

Filesize
4KB

Download
memory/4656-18-0x00000000005C0000-0x00000000005F0000-memory.dmp

Filesize
192KB

Download
memory/4656-19-0x0000000002900000-0x0000000002906000-memory.dmp

Filesize
24KB

Download
memory/4656-20-0x0000000005730000-0x0000000005D48000-memory.dmp

Filesize
6.1MB

Download
memory/4656-21-0x0000000005220000-0x000000000532A000-memory.dmp

Filesize
1.0MB

Download
memory/4656-22-0x0000000004E80000-0x0000000004E92000-memory.dmp

Filesize
72KB

Download
memory/4656-23-0x0000000074940000-0x00000000750F0000-memory.dmp

Filesize
7.7MB

Download
memory/4656-24-0x0000000005110000-0x000000000514C000-memory.dmp

Filesize
240KB

Download
memory/4656-25-0x0000000005150000-0x000000000519C000-memory.dmp

Filesize
304KB

Download
memory/4656-26-0x000000007494E000-0x000000007494F000-memory.dmp

Filesize
4KB

Download
memory/4656-27-0x0000000074940000-0x00000000750F0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads