mystic | 176abc5d4c53fc1397a77e15c4028591fc335ce9464a700eddd56742d55dd10d

Analysis

max time kernel
145s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 17:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2143b79ffb1f51097ecfe2735d76fc401ff83d0bcaf0fd826616f6d9d198fb90.exe
Size

884KB
MD5

5a711b648693d550f5392c789ba15673
SHA1

f1708783f04e9bbf1564cd3742ebafb6daa150fc
SHA256

2143b79ffb1f51097ecfe2735d76fc401ff83d0bcaf0fd826616f6d9d198fb90
SHA512

1767e351663c1d2efff89c69d1519d5dfac99fea37abf16b58547ec8169df7564b36af359633aa650470eb32466fe4dc4da58990c2a08cfd4b49b70d20633afa
SSDEEP

12288:DMrhy901daca+83cqHpVFIaslw/4+eoJiOcjpWoleMWoNBOXYTT7YMFem0DdcT+:myI43Hpf2w/4+KLdikcgHYa0ZcT+

Score

10^/10

mystic redline gigant infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

gigant

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 3 IoCs

resource	yara_rule
behavioral5/memory/4884-21-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral5/memory/4884-24-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral5/memory/4884-22-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral5/files/0x0007000000023407-26.dat	family_redline
behavioral5/memory/1812-28-0x00000000002D0000-0x000000000030E000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

pid	Process
4264	TD4wX5Wm.exe
4468	LF7fp4Su.exe
948	1Tn96LC5.exe
1812	2QH382FH.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	2143b79ffb1f51097ecfe2735d76fc401ff83d0bcaf0fd826616f6d9d198fb90.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	TD4wX5Wm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	LF7fp4Su.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 948 set thread context of 4884	948	1Tn96LC5.exe	87

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4164	948	WerFault.exe	85

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1504 wrote to memory of 4264	1504	2143b79ffb1f51097ecfe2735d76fc401ff83d0bcaf0fd826616f6d9d198fb90.exe	83
PID 1504 wrote to memory of 4264	1504	2143b79ffb1f51097ecfe2735d76fc401ff83d0bcaf0fd826616f6d9d198fb90.exe	83
PID 1504 wrote to memory of 4264	1504	2143b79ffb1f51097ecfe2735d76fc401ff83d0bcaf0fd826616f6d9d198fb90.exe	83
PID 4264 wrote to memory of 4468	4264	TD4wX5Wm.exe	84
PID 4264 wrote to memory of 4468	4264	TD4wX5Wm.exe	84
PID 4264 wrote to memory of 4468	4264	TD4wX5Wm.exe	84
PID 4468 wrote to memory of 948	4468	LF7fp4Su.exe	85
PID 4468 wrote to memory of 948	4468	LF7fp4Su.exe	85
PID 4468 wrote to memory of 948	4468	LF7fp4Su.exe	85
PID 948 wrote to memory of 4884	948	1Tn96LC5.exe	87
PID 948 wrote to memory of 4884	948	1Tn96LC5.exe	87
PID 948 wrote to memory of 4884	948	1Tn96LC5.exe	87
PID 948 wrote to memory of 4884	948	1Tn96LC5.exe	87
PID 948 wrote to memory of 4884	948	1Tn96LC5.exe	87
PID 948 wrote to memory of 4884	948	1Tn96LC5.exe	87
PID 948 wrote to memory of 4884	948	1Tn96LC5.exe	87
PID 948 wrote to memory of 4884	948	1Tn96LC5.exe	87
PID 948 wrote to memory of 4884	948	1Tn96LC5.exe	87
PID 948 wrote to memory of 4884	948	1Tn96LC5.exe	87
PID 4468 wrote to memory of 1812	4468	LF7fp4Su.exe	93
PID 4468 wrote to memory of 1812	4468	LF7fp4Su.exe	93
PID 4468 wrote to memory of 1812	4468	LF7fp4Su.exe	93

C:\Users\Admin\AppData\Local\Temp\2143b79ffb1f51097ecfe2735d76fc401ff83d0bcaf0fd826616f6d9d198fb90.exe
"C:\Users\Admin\AppData\Local\Temp\2143b79ffb1f51097ecfe2735d76fc401ff83d0bcaf0fd826616f6d9d198fb90.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1504
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\TD4wX5Wm.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\TD4wX5Wm.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4264
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\LF7fp4Su.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\LF7fp4Su.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4468
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Tn96LC5.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Tn96LC5.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:948
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        
        PID:4884
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 948 -s 616
        5⤵
        Program crash
        
        PID:4164
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2QH382FH.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2QH382FH.exe
      4⤵
      Executes dropped EXE
      PID:1812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 948 -ip 948
1⤵
PID:4036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\TD4wX5Wm.exe

Filesize
590KB

MD5
e47d779f3875aa1228433e0ab7e6d008

SHA1
12cdc646bd3ba8122c33e61eb3e97d759762aee1

SHA256
0680a66f102e6f21dedcf3a81b0af07997f61ee585ce37ccb33c6c46efc16c32

SHA512
ba95b2a029e4c1810d407e1db5d5e07741635c36e97160ec423207f96202cb0ef94c6a73e091a5d32af2308c486a44e3ad37fafe7db1fbeed381061c8079c63e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\LF7fp4Su.exe

Filesize
417KB

MD5
447e366d0cdeaab1ad5afc57c3a06c69

SHA1
556d272df6453409534d4f3c89096ce23ec53591

SHA256
dfb5d5af14b715ed54b72337903ff14c8e278bf00de9532a8fdefd8fed464202

SHA512
33c59d423a3c56f48d4edb6082f4f9fad5563b2efbcf961c7bb1dad2924347341bc4254fc1d6eedb197ce7212d0758962392ea84fb64886b027fd82c901a96ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Tn96LC5.exe

Filesize
378KB

MD5
f0831f173733de08511f3a0739f278a6

SHA1
06dc809d653c5d2c97386084ae13b50a73eb5b60

SHA256
8b00f9dce8ceb2123fba3bc9f88419960d1e661b6287eafeba4f0a2ee4be3d27

SHA512
19e3176ce1f154758f685cc4582e93587aa534a251de315473e35758dcd6ff6315880be7602097308dc89c355742be4729bad81de597e8d430a8e868082314e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2QH382FH.exe

Filesize
231KB

MD5
f9c57dc5adc0902da8e630913c7cf450

SHA1
c24c9ba3fe4ca14c851f5217f7bdcfd32b4320d3

SHA256
4d9d9bd6f7998f876c1b3605f5b0b89ebbb21c1557c5295f318105f847bb9caa

SHA512
19fb70e5c71d8c738c5b85aa90c3a27cf4e85ad168da0f9ec8aefd2ce24a37c52e69cdf5eeabb4c1f84a116752ee9d39196fcecc49de078e4fa6aeb2f7f800b1

Download Submit
memory/1812-33-0x0000000007430000-0x000000000753A000-memory.dmp

Filesize
1.0MB

Download
memory/1812-28-0x00000000002D0000-0x000000000030E000-memory.dmp

Filesize
248KB

Download
memory/1812-29-0x0000000007600000-0x0000000007BA4000-memory.dmp

Filesize
5.6MB

Download
memory/1812-30-0x0000000007050000-0x00000000070E2000-memory.dmp

Filesize
584KB

Download
memory/1812-31-0x00000000025B0000-0x00000000025BA000-memory.dmp

Filesize
40KB

Download
memory/1812-32-0x00000000081D0000-0x00000000087E8000-memory.dmp

Filesize
6.1MB

Download
memory/1812-34-0x0000000007180000-0x0000000007192000-memory.dmp

Filesize
72KB

Download
memory/1812-35-0x0000000007320000-0x000000000735C000-memory.dmp

Filesize
240KB

Download
memory/1812-36-0x00000000071D0000-0x000000000721C000-memory.dmp

Filesize
304KB

Download
memory/4884-22-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4884-24-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4884-21-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads