mystic | 176abc5d4c53fc1397a77e15c4028591fc335ce9464a700eddd56742d55dd10d

Analysis

max time kernel
145s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 17:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f2cce909eca03fb472266113aeed9ab44c81218fb6b4de31949151b9543a1f10.exe
Size

271KB
MD5

14785244df56dafbcba731e754f337b7
SHA1

fa1b26096b380b30ffb942684daa38d27c32121c
SHA256

f2cce909eca03fb472266113aeed9ab44c81218fb6b4de31949151b9543a1f10
SHA512

37d93d6d187e2566b2a1554351642405020a3d6c8687fd0c7f93ba7dedf0a88c0164aa27cc330fb746f77faed0684133c5b39ab971404748c9172bd9d68cdffd
SSDEEP

6144:Kiy+bnr+kp0yN90QE1d3Y9nv/kYJknL1PxMba4:aMroy90vdo9nvQZE

Score

10^/10

mystic redline virad infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

virad

77.91.124.82:19071

Attributes

auth_value
434dd63619ca8bbf10125913fb40ca28

Signatures

Detect Mystic stealer payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m5866127.exe	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n7650476.exe	family_redline
behavioral21/memory/548-11-0x00000000000A0000-0x00000000000D0000-memory.dmp	family_redline

Executes dropped EXE 2 IoCs

Processes:

m5866127.exen7650476.exe

pid process

3124 m5866127.exe
548 n7650476.exe

pid	process
3124	m5866127.exe
548	n7650476.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

f2cce909eca03fb472266113aeed9ab44c81218fb6b4de31949151b9543a1f10.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	f2cce909eca03fb472266113aeed9ab44c81218fb6b4de31949151b9543a1f10.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

f2cce909eca03fb472266113aeed9ab44c81218fb6b4de31949151b9543a1f10.exe

description	pid	process	target process
PID 4820 wrote to memory of 3124	4820	f2cce909eca03fb472266113aeed9ab44c81218fb6b4de31949151b9543a1f10.exe	m5866127.exe
PID 4820 wrote to memory of 3124	4820	f2cce909eca03fb472266113aeed9ab44c81218fb6b4de31949151b9543a1f10.exe	m5866127.exe
PID 4820 wrote to memory of 3124	4820	f2cce909eca03fb472266113aeed9ab44c81218fb6b4de31949151b9543a1f10.exe	m5866127.exe
PID 4820 wrote to memory of 548	4820	f2cce909eca03fb472266113aeed9ab44c81218fb6b4de31949151b9543a1f10.exe	n7650476.exe
PID 4820 wrote to memory of 548	4820	f2cce909eca03fb472266113aeed9ab44c81218fb6b4de31949151b9543a1f10.exe	n7650476.exe
PID 4820 wrote to memory of 548	4820	f2cce909eca03fb472266113aeed9ab44c81218fb6b4de31949151b9543a1f10.exe	n7650476.exe

C:\Users\Admin\AppData\Local\Temp\f2cce909eca03fb472266113aeed9ab44c81218fb6b4de31949151b9543a1f10.exe
"C:\Users\Admin\AppData\Local\Temp\f2cce909eca03fb472266113aeed9ab44c81218fb6b4de31949151b9543a1f10.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4820

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m5866127.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m5866127.exe
2⤵
- Executes dropped EXE
PID:3124

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n7650476.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n7650476.exe
2⤵
- Executes dropped EXE
PID:548

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m5866127.exe
Filesize
141KB

MD5
8451f8d13ffcce226ae36033c3e6ad2b

SHA1
1b31c7441ea79f6ccd04aebdcbbb6835e4c5a951

SHA256
cdb414688bffff299a1b6b13fbfdb4623791ac4d4995c721b8051240bf88700b

SHA512
5d3eb6f8e8ad3dfe697a112827dc9b9a8bbe7dbc51d3d896d8417befa00ca0332badaa7a3d298d02025d2c0ced7e5dba30139814b7daedb66be1eae1a317355f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n7650476.exe
Filesize
175KB

MD5
56b71bdd64b7dcb7d4f73f78df3e7587

SHA1
f0cf562a4f7e7f67c68e3605ffb40ed9e91c8799

SHA256
31a466c0c05f4feced392f0ffd93d372c9bd322f6bfb3ee81469c43472458ba0

SHA512
49ec197872531ccbfd0d67766dfdc51713a45ca3a119b10e84dea745a4ac0334094ed1ed6bf4a76f88ed73be2606ee3db014987a7c82d5dd38f4d2e7c86f2d26

Download Submit
memory/548-10-0x00000000743AE000-0x00000000743AF000-memory.dmp

Filesize
4KB

Download
memory/548-11-0x00000000000A0000-0x00000000000D0000-memory.dmp

Filesize
192KB

Download
memory/548-12-0x00000000023D0000-0x00000000023D6000-memory.dmp

Filesize
24KB

Download
memory/548-13-0x00000000050F0000-0x0000000005708000-memory.dmp

Filesize
6.1MB

Download
memory/548-14-0x0000000004BE0000-0x0000000004CEA000-memory.dmp

Filesize
1.0MB

Download
memory/548-15-0x0000000004920000-0x0000000004932000-memory.dmp

Filesize
72KB

Download
memory/548-16-0x00000000743A0000-0x0000000074B50000-memory.dmp

Filesize
7.7MB

Download
memory/548-17-0x0000000004980000-0x00000000049BC000-memory.dmp

Filesize
240KB

Download
memory/548-18-0x0000000004AD0000-0x0000000004B1C000-memory.dmp

Filesize
304KB

Download
memory/548-19-0x00000000743AE000-0x00000000743AF000-memory.dmp

Filesize
4KB

Download
memory/548-20-0x00000000743A0000-0x0000000074B50000-memory.dmp

Filesize
7.7MB

Download