mystic | 176abc5d4c53fc1397a77e15c4028591fc335ce9464a700eddd56742d55dd10d

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 17:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5dcad04e9c2aa52649ef1e07b38e5668f57adeaa2edee41a8ec26857ee232498.exe
Size

662KB
MD5

c248e1517a6179b7acc3b20cce371cc0
SHA1

9d6252a7582d36357c043ea0be48d909897c851a
SHA256

5dcad04e9c2aa52649ef1e07b38e5668f57adeaa2edee41a8ec26857ee232498
SHA512

64795b3eab9cbe155153ff569f7281f3ebe55838d2c59a5491628d859f9e7fb725d3ccd377d5ec0b18499b029d9fd9d0227532b7ad3bfb2e1fe413b135132846
SSDEEP

12288:mMr0y90pS7BgRbtp98YeWbSfz7dw32LBsDImm6RZvLfF2syFhvx27shDTI/:2yqSCRzSXfzRwsBsDIoRZT4syFhThTI/

Score

10^/10

mystic redline virad infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

virad

77.91.124.82:19071

Attributes

auth_value
434dd63619ca8bbf10125913fb40ca28

Signatures

Detect Mystic stealer payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m6359351.exe	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n4607363.exe	family_redline
behavioral12/memory/2068-24-0x0000000000730000-0x0000000000760000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

Processes:

y7662814.exey0040072.exem6359351.exen4607363.exe

pid process

2696 y7662814.exe
1408 y0040072.exe
3960 m6359351.exe
2068 n4607363.exe

pid	process
2696	y7662814.exe
1408	y0040072.exe
3960	m6359351.exe
2068	n4607363.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

5dcad04e9c2aa52649ef1e07b38e5668f57adeaa2edee41a8ec26857ee232498.exey7662814.exey0040072.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5dcad04e9c2aa52649ef1e07b38e5668f57adeaa2edee41a8ec26857ee232498.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y7662814.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y0040072.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

5dcad04e9c2aa52649ef1e07b38e5668f57adeaa2edee41a8ec26857ee232498.exey7662814.exey0040072.exe

description	pid	process	target process
PID 3524 wrote to memory of 2696	3524	5dcad04e9c2aa52649ef1e07b38e5668f57adeaa2edee41a8ec26857ee232498.exe	y7662814.exe
PID 3524 wrote to memory of 2696	3524	5dcad04e9c2aa52649ef1e07b38e5668f57adeaa2edee41a8ec26857ee232498.exe	y7662814.exe
PID 3524 wrote to memory of 2696	3524	5dcad04e9c2aa52649ef1e07b38e5668f57adeaa2edee41a8ec26857ee232498.exe	y7662814.exe
PID 2696 wrote to memory of 1408	2696	y7662814.exe	y0040072.exe
PID 2696 wrote to memory of 1408	2696	y7662814.exe	y0040072.exe
PID 2696 wrote to memory of 1408	2696	y7662814.exe	y0040072.exe
PID 1408 wrote to memory of 3960	1408	y0040072.exe	m6359351.exe
PID 1408 wrote to memory of 3960	1408	y0040072.exe	m6359351.exe
PID 1408 wrote to memory of 3960	1408	y0040072.exe	m6359351.exe
PID 1408 wrote to memory of 2068	1408	y0040072.exe	n4607363.exe
PID 1408 wrote to memory of 2068	1408	y0040072.exe	n4607363.exe
PID 1408 wrote to memory of 2068	1408	y0040072.exe	n4607363.exe

C:\Users\Admin\AppData\Local\Temp\5dcad04e9c2aa52649ef1e07b38e5668f57adeaa2edee41a8ec26857ee232498.exe
"C:\Users\Admin\AppData\Local\Temp\5dcad04e9c2aa52649ef1e07b38e5668f57adeaa2edee41a8ec26857ee232498.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3524

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7662814.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7662814.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2696

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0040072.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0040072.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1408

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m6359351.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m6359351.exe
4⤵
- Executes dropped EXE
PID:3960

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n4607363.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n4607363.exe
4⤵
- Executes dropped EXE
PID:2068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7662814.exe

Filesize
560KB

MD5
8b5a884ba6bc639a9392a03df8e06dc4

SHA1
86c0f0fa5f1a854810cd735ac717da5445eace22

SHA256
c63c5e64af0297aa006cfacb0410f990e18042f833fe6ead4c1209209e696808

SHA512
4f5b83eec805d4edc6fcbfa79b286b83f3a46fc3d4e5510828b52fae1244aaac0000c08283decedb44b0a06dfea44ce922b973725707e03cd1ae6a47cdd886da

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0040072.exe

Filesize
271KB

MD5
8a35c043df876ccaf7ac3c430d30916d

SHA1
f3b74468da3b223626e64dd8d118e6055cbbb9c1

SHA256
7522ea0e3e470c74ced327e8610b7d2bf30f7e9d38ea336345cc5100c66b38b5

SHA512
b11da9184134480594ab9136cf4d9cb4c7bd012b1165d2e8c54a6dcccba7fc555125d35d2f6ec85df031abeeba7a5683931a4d9283bd26b390cf26adc6b73ee9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m6359351.exe

Filesize
141KB

MD5
f563a37218e268e5604c20af88919931

SHA1
cefe0fc72600e979c3eb7296dd12e0939d1ddfe8

SHA256
2325b6b089cfe41cb165423e9ef26ca89cc6925584042ef5e99b0d7bdcd1b855

SHA512
a0763d2764216a597bd00fd680cf6babfa5a76ba4d52168657c6da6db480ca56ace02ece2f2a6c5ff29ce5abf21b4b8a94de6cd373a9ebdc1167e146b3024699

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n4607363.exe

Filesize
175KB

MD5
b7df343c23997a08ba74199b5870f23c

SHA1
f3ee6567b3dda137218b3716d56a6e82dae7a01d

SHA256
91fc0b3067a4e495cebf79b6026ca1a887bcab248a478f6f0e3b373d40f7ebd1

SHA512
65c74545dc4f6910ab7e57c82397538bfd93f067237795d26ecb5d58e772b111b509fb4056270b907bf5e4fae98c1914fbea4296b780f05199308946952d9d40

Download Submit
memory/2068-24-0x0000000000730000-0x0000000000760000-memory.dmp

Filesize
192KB

Download
memory/2068-25-0x0000000002910000-0x0000000002916000-memory.dmp

Filesize
24KB

Download
memory/2068-26-0x0000000005700000-0x0000000005D18000-memory.dmp

Filesize
6.1MB

Download
memory/2068-27-0x00000000051F0000-0x00000000052FA000-memory.dmp

Filesize
1.0MB

Download
memory/2068-28-0x00000000050E0000-0x00000000050F2000-memory.dmp

Filesize
72KB

Download
memory/2068-29-0x0000000005140000-0x000000000517C000-memory.dmp

Filesize
240KB

Download
memory/2068-30-0x0000000005180000-0x00000000051CC000-memory.dmp

Filesize
304KB

Download