mystic | 176abc5d4c53fc1397a77e15c4028591fc335ce9464a700eddd56742d55dd10d

Analysis

max time kernel
146s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 17:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

15fd14ba215a3a52dd8119cc0a0383f0cac34dab2c608f1481d6dac8a34084b7.exe
Size

662KB
MD5

79bbc0fb3cff6f6d43592e01aa84b316
SHA1

57b7c1381104fae85ef7b0ce4e6b2aee20875847
SHA256

15fd14ba215a3a52dd8119cc0a0383f0cac34dab2c608f1481d6dac8a34084b7
SHA512

82e20aee065c822400a5bb02e2b92fddd746a64d4ac97b5da91b1d9783f1533844288bbc8443bf09acbfd5fb4a536b6742e855baa09f8356a3e2019d9f12a676
SSDEEP

12288:2MrYy90RFBZ+zIa/4HenwehiEEzs/e6QnQ1s4WJqEo:aySo4enth0o/kn6s44qEo

Score

10^/10

mystic redline virad infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

virad

77.91.124.82:19071

Attributes

auth_value
434dd63619ca8bbf10125913fb40ca28

Signatures

Detect Mystic stealer payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m5666113.exe	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n6376615.exe	family_redline
behavioral2/memory/3732-24-0x0000000000C40000-0x0000000000C70000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

Processes:

y5950056.exey0486381.exem5666113.exen6376615.exe

pid process

4324 y5950056.exe
4916 y0486381.exe
3484 m5666113.exe
3732 n6376615.exe

pid	process
4324	y5950056.exe
4916	y0486381.exe
3484	m5666113.exe
3732	n6376615.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

y0486381.exe15fd14ba215a3a52dd8119cc0a0383f0cac34dab2c608f1481d6dac8a34084b7.exey5950056.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y0486381.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	15fd14ba215a3a52dd8119cc0a0383f0cac34dab2c608f1481d6dac8a34084b7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y5950056.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

15fd14ba215a3a52dd8119cc0a0383f0cac34dab2c608f1481d6dac8a34084b7.exey5950056.exey0486381.exe

description	pid	process	target process
PID 4596 wrote to memory of 4324	4596	15fd14ba215a3a52dd8119cc0a0383f0cac34dab2c608f1481d6dac8a34084b7.exe	y5950056.exe
PID 4596 wrote to memory of 4324	4596	15fd14ba215a3a52dd8119cc0a0383f0cac34dab2c608f1481d6dac8a34084b7.exe	y5950056.exe
PID 4596 wrote to memory of 4324	4596	15fd14ba215a3a52dd8119cc0a0383f0cac34dab2c608f1481d6dac8a34084b7.exe	y5950056.exe
PID 4324 wrote to memory of 4916	4324	y5950056.exe	y0486381.exe
PID 4324 wrote to memory of 4916	4324	y5950056.exe	y0486381.exe
PID 4324 wrote to memory of 4916	4324	y5950056.exe	y0486381.exe
PID 4916 wrote to memory of 3484	4916	y0486381.exe	m5666113.exe
PID 4916 wrote to memory of 3484	4916	y0486381.exe	m5666113.exe
PID 4916 wrote to memory of 3484	4916	y0486381.exe	m5666113.exe
PID 4916 wrote to memory of 3732	4916	y0486381.exe	n6376615.exe
PID 4916 wrote to memory of 3732	4916	y0486381.exe	n6376615.exe
PID 4916 wrote to memory of 3732	4916	y0486381.exe	n6376615.exe

C:\Users\Admin\AppData\Local\Temp\15fd14ba215a3a52dd8119cc0a0383f0cac34dab2c608f1481d6dac8a34084b7.exe
"C:\Users\Admin\AppData\Local\Temp\15fd14ba215a3a52dd8119cc0a0383f0cac34dab2c608f1481d6dac8a34084b7.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4596

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5950056.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5950056.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4324

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0486381.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0486381.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4916

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m5666113.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m5666113.exe
4⤵
- Executes dropped EXE
PID:3484

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n6376615.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n6376615.exe
4⤵
- Executes dropped EXE
PID:3732

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5950056.exe
Filesize
560KB

MD5
24af034cad74ef9dbdc015fcd9e6b4b6

SHA1
7577e7182eac2e722c253cf9201d3099c42e3931

SHA256
e990f7dbfecbf2cc9328350b1fe093b37cd850784f784d4e6f3e593c05e577cf

SHA512
922abace954daf6132cd678f53ce5f2d44c084f8a172c8109ad6f8236ae89a4b8b9f4b6b358b46340735fa97ba14369b8288a7f6d4d40f93bc0e36e7a9679e74

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0486381.exe
Filesize
271KB

MD5
387bb3ab9a421ecdefb38d1864280d8e

SHA1
95877d3f49046568532f289d3e376b64823c3fd2

SHA256
9c03980a06d70669e903d7eb9e08ccaf4448f4e71d703c65dc2e54bd585dfc0b

SHA512
10d1255890df5ede30473adafaeb801b933e2ace9ba81423585be09f171d56bdd35774a3f29feb577d3439b8610808251b30e414dbf5f86c1a73c02b1817b52f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m5666113.exe
Filesize
141KB

MD5
c74d1b16bfcba94570d6327d736ea8b9

SHA1
f36636b86136755a9b8fa48b8584d5d9d18e6492

SHA256
15e892cfaad73e52c69e3600484b1ba1473904a00bd13b8fd037a370a640e3af

SHA512
de46583133773050ac0d9300ce283f7ec370f37509e50acd56be393f7b8eed2fd2863058bab778e690fbb4ba8771ee155b1c4e39bc042b85c57ceea84f3fc5ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n6376615.exe
Filesize
175KB

MD5
992e13b9a684e8040c28eb635e355d22

SHA1
fca160cee7b72bb5733a67cb6088cefcbe4079d6

SHA256
b2bd94258b54bb6ed4648031a9c7d40931eff630cdc1a416df28bf5dcdd18803

SHA512
dfa3b89bf8ab95be1ba92c9157a968e87d18aede63250a60e3ff46191e5e04507e387bfd6507242cc7119844aa43714898801185ef6de7212430bd5a4c435e0a

Download Submit
memory/3732-24-0x0000000000C40000-0x0000000000C70000-memory.dmp

Filesize
192KB

Download
memory/3732-25-0x0000000003070000-0x0000000003076000-memory.dmp

Filesize
24KB

Download
memory/3732-26-0x000000000B150000-0x000000000B768000-memory.dmp

Filesize
6.1MB

Download
memory/3732-27-0x000000000AC40000-0x000000000AD4A000-memory.dmp

Filesize
1.0MB

Download
memory/3732-28-0x000000000AB30000-0x000000000AB42000-memory.dmp

Filesize
72KB

Download
memory/3732-29-0x000000000AB90000-0x000000000ABCC000-memory.dmp

Filesize
240KB

Download
memory/3732-30-0x00000000050C0000-0x000000000510C000-memory.dmp

Filesize
304KB

Download