mystic | 176abc5d4c53fc1397a77e15c4028591fc335ce9464a700eddd56742d55dd10d

Analysis

max time kernel
143s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 17:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ada5308889c1e0686823a15717a0ebb9de3bbf2d5e47447e5a340ce70ef33f6d.exe
Size

1.6MB
MD5

5e713e98cdb9d4b0c9ed7afbc3299142
SHA1

826c184cec78577030a84973d2abb9df13e1581c
SHA256

ada5308889c1e0686823a15717a0ebb9de3bbf2d5e47447e5a340ce70ef33f6d
SHA512

660597cd472c30d52b072fbb04938788c64e2af8d77466e933df65dc4e60c0ce222d64ba27fb7d13ca58d81842e272c3a991049c725b6e4ed74d658e93acd168
SSDEEP

24576:SynVFJ+dWSyd+G7YmDo3fvmWQAXBvkNiMNbEDgAw8GUdPjhspubgavjYkHZv7P:5nvJh/+GK32g+hbEDlwihsp8p0k5z

Score

10^/10

mystic redline gigant infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

gigant

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 3 IoCs

Processes:

resource	yara_rule
behavioral15/memory/1912-36-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral15/memory/1912-38-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral15/memory/1912-35-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2vy375Fq.exe	family_redline
behavioral15/memory/4248-42-0x0000000000BF0000-0x0000000000C2E000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

Processes:

Om2Av8Ts.exegu9Sw6MI.exedT3cH8Js.exeac0cl2GG.exe1rb68Sz3.exe2vy375Fq.exe

pid process

3260 Om2Av8Ts.exe
4064 gu9Sw6MI.exe
3736 dT3cH8Js.exe
2192 ac0cl2GG.exe
1252 1rb68Sz3.exe
4248 2vy375Fq.exe

pid	process
3260	Om2Av8Ts.exe
4064	gu9Sw6MI.exe
3736	dT3cH8Js.exe
2192	ac0cl2GG.exe
1252	1rb68Sz3.exe
4248	2vy375Fq.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

gu9Sw6MI.exedT3cH8Js.exeac0cl2GG.exeada5308889c1e0686823a15717a0ebb9de3bbf2d5e47447e5a340ce70ef33f6d.exeOm2Av8Ts.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	gu9Sw6MI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	dT3cH8Js.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	ac0cl2GG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ada5308889c1e0686823a15717a0ebb9de3bbf2d5e47447e5a340ce70ef33f6d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Om2Av8Ts.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

1rb68Sz3.exe

description pid process target process

PID 1252 set thread context of 1912 1252 1rb68Sz3.exe AppLaunch.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4912 1252 WerFault.exe 1rb68Sz3.exe

description	pid	process	target process
PID 1252 set thread context of 1912	1252	1rb68Sz3.exe	AppLaunch.exe

pid	pid_target	process	target process
4912	1252	WerFault.exe	1rb68Sz3.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

ada5308889c1e0686823a15717a0ebb9de3bbf2d5e47447e5a340ce70ef33f6d.exeOm2Av8Ts.exegu9Sw6MI.exedT3cH8Js.exeac0cl2GG.exe1rb68Sz3.exe

description	pid	process	target process
PID 4036 wrote to memory of 3260	4036	ada5308889c1e0686823a15717a0ebb9de3bbf2d5e47447e5a340ce70ef33f6d.exe	Om2Av8Ts.exe
PID 4036 wrote to memory of 3260	4036	ada5308889c1e0686823a15717a0ebb9de3bbf2d5e47447e5a340ce70ef33f6d.exe	Om2Av8Ts.exe
PID 4036 wrote to memory of 3260	4036	ada5308889c1e0686823a15717a0ebb9de3bbf2d5e47447e5a340ce70ef33f6d.exe	Om2Av8Ts.exe
PID 3260 wrote to memory of 4064	3260	Om2Av8Ts.exe	gu9Sw6MI.exe
PID 3260 wrote to memory of 4064	3260	Om2Av8Ts.exe	gu9Sw6MI.exe
PID 3260 wrote to memory of 4064	3260	Om2Av8Ts.exe	gu9Sw6MI.exe
PID 4064 wrote to memory of 3736	4064	gu9Sw6MI.exe	dT3cH8Js.exe
PID 4064 wrote to memory of 3736	4064	gu9Sw6MI.exe	dT3cH8Js.exe
PID 4064 wrote to memory of 3736	4064	gu9Sw6MI.exe	dT3cH8Js.exe
PID 3736 wrote to memory of 2192	3736	dT3cH8Js.exe	ac0cl2GG.exe
PID 3736 wrote to memory of 2192	3736	dT3cH8Js.exe	ac0cl2GG.exe
PID 3736 wrote to memory of 2192	3736	dT3cH8Js.exe	ac0cl2GG.exe
PID 2192 wrote to memory of 1252	2192	ac0cl2GG.exe	1rb68Sz3.exe
PID 2192 wrote to memory of 1252	2192	ac0cl2GG.exe	1rb68Sz3.exe
PID 2192 wrote to memory of 1252	2192	ac0cl2GG.exe	1rb68Sz3.exe
PID 1252 wrote to memory of 1912	1252	1rb68Sz3.exe	AppLaunch.exe
PID 1252 wrote to memory of 1912	1252	1rb68Sz3.exe	AppLaunch.exe
PID 1252 wrote to memory of 1912	1252	1rb68Sz3.exe	AppLaunch.exe
PID 1252 wrote to memory of 1912	1252	1rb68Sz3.exe	AppLaunch.exe
PID 1252 wrote to memory of 1912	1252	1rb68Sz3.exe	AppLaunch.exe
PID 1252 wrote to memory of 1912	1252	1rb68Sz3.exe	AppLaunch.exe
PID 1252 wrote to memory of 1912	1252	1rb68Sz3.exe	AppLaunch.exe
PID 1252 wrote to memory of 1912	1252	1rb68Sz3.exe	AppLaunch.exe
PID 1252 wrote to memory of 1912	1252	1rb68Sz3.exe	AppLaunch.exe
PID 1252 wrote to memory of 1912	1252	1rb68Sz3.exe	AppLaunch.exe
PID 2192 wrote to memory of 4248	2192	ac0cl2GG.exe	2vy375Fq.exe
PID 2192 wrote to memory of 4248	2192	ac0cl2GG.exe	2vy375Fq.exe
PID 2192 wrote to memory of 4248	2192	ac0cl2GG.exe	2vy375Fq.exe

C:\Users\Admin\AppData\Local\Temp\ada5308889c1e0686823a15717a0ebb9de3bbf2d5e47447e5a340ce70ef33f6d.exe
"C:\Users\Admin\AppData\Local\Temp\ada5308889c1e0686823a15717a0ebb9de3bbf2d5e47447e5a340ce70ef33f6d.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4036

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Om2Av8Ts.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Om2Av8Ts.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3260

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gu9Sw6MI.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gu9Sw6MI.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4064

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dT3cH8Js.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dT3cH8Js.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3736

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ac0cl2GG.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ac0cl2GG.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2192

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1rb68Sz3.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1rb68Sz3.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1252

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
PID:1912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1252 -s 580
7⤵
- Program crash
PID:4912

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2vy375Fq.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2vy375Fq.exe
6⤵
- Executes dropped EXE
PID:4248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1252 -ip 1252
1⤵
PID:1696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Om2Av8Ts.exe

Filesize
1.5MB

MD5
b696731f0667bda55cf8f66fb0b4b27d

SHA1
5a2143412ed83f1df909ffea3b245d2b25ba74af

SHA256
c6cf83305d2564b219191ca75990d60ed7e55d5549b7d11e7805e0855ee80347

SHA512
073c6b1625c4dab53304d28e6cf72b9bad62b3c25079625ca696626ff0b94b1628d590ed197ed1d4bb1d3dbd39aae2e6c5109e0c9c74abf237d7fe5a1ac86f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gu9Sw6MI.exe

Filesize
1.3MB

MD5
c283ebc9d8a746ed281a9f0a36d18f6c

SHA1
4590ab1682798a3eee44c7d490b82bd0e870fd01

SHA256
ee5e4746f23dfe9920e80c00d1078b5dca6331624c351e8c001111f7841f2d1a

SHA512
46c4f3779a9ba18420863e5bca55f6c38d9f97dc9a91194bca44b5bb1d96dedcfe493866d60d1e0c247998b99d04026d8b47dfc3caf5a4445f6f9ea3fa661a3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dT3cH8Js.exe

Filesize
822KB

MD5
444e74fc0e894e43631e5b8b145393e0

SHA1
e8b26c9a2e43fc7ef0befbf768926e0a533f70ed

SHA256
a5a60081768366506e97cd48ef2f2a5e5a124519df2dae80fe81ff88189cef0e

SHA512
3a5912889a2adf5595c901882f5163319eb874d932b46d83dfa3c51e9e19950c83281fba32bfdfbe4ca7e1e7299ed17570ec51eaac3b20926ebed4953fc9b0f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ac0cl2GG.exe

Filesize
649KB

MD5
29236ae89c284277ce032d1398688013

SHA1
f3d2f9bd2dae624431acd907ccd2e6361a2f8c90

SHA256
9f3ad6b46d0bfa49952e99aeae74ab22ee70f5406bdc4a32fe8560df7a6f66be

SHA512
ae5a93b300f9ab9d40536e25b00dfeee2d19e4fb16596256f4e92085d2960b74cc9cbd7053b08d6cee61bad56b97375aec76bb09d53475a17ecab3c88da66c42

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1rb68Sz3.exe

Filesize
1.7MB

MD5
8e7e83a912dc297ff461a04baa84fbbf

SHA1
9fc085dd366353a8aa1434df62df2b2257f96c2f

SHA256
33240b411c6c8712b120137e61030cd46bf125151e22804e24e7676fbd643b0f

SHA512
f498814a3394567ec5adecd56a85e404ecebb6e7a149c6bf3772ba90dbc3b35db29d3c237fadaeb51626e2591c255cd0da266e15f040cdc1fcb7b103a6540cf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2vy375Fq.exe

Filesize
230KB

MD5
1d011415cbaf5291613ea901079a96b2

SHA1
c952aab4af4636fc9939b86b8c0736dc9e74e268

SHA256
324ead5f1361f981bd5af9c5363fa088de546912b4a42c020de19a9a2ea86f6d

SHA512
3db8d9cf4ab6c45e049d9c3f081b49fe884374373c65097ada0e06bf18fe8167bac878619f77d9177217935c4760adb63ca0c3b0414a980f6d6e67a5e51166ff

Download Submit
memory/1912-38-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1912-35-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1912-36-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4248-42-0x0000000000BF0000-0x0000000000C2E000-memory.dmp

Filesize
248KB

Download
memory/4248-43-0x0000000007F00000-0x00000000084A4000-memory.dmp

Filesize
5.6MB

Download
memory/4248-44-0x00000000079F0000-0x0000000007A82000-memory.dmp

Filesize
584KB

Download
memory/4248-45-0x0000000004F80000-0x0000000004F8A000-memory.dmp

Filesize
40KB

Download
memory/4248-46-0x0000000008AD0000-0x00000000090E8000-memory.dmp

Filesize
6.1MB

Download
memory/4248-47-0x0000000007CF0000-0x0000000007DFA000-memory.dmp

Filesize
1.0MB

Download
memory/4248-48-0x0000000007BA0000-0x0000000007BB2000-memory.dmp

Filesize
72KB

Download
memory/4248-49-0x0000000007C20000-0x0000000007C5C000-memory.dmp

Filesize
240KB

Download
memory/4248-50-0x0000000007C60000-0x0000000007CAC000-memory.dmp

Filesize
304KB

Download