mystic | 8ee265740e734e664a806025412118c1398e5fd5de8de7844c913c144f497faa

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 17:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9e61b06119f566b9fb98b46bbce9cb6e128f7a58de8e4266a2867a96d521f2c5.exe
Size

417KB
MD5

7a7af164895d79447e8d7884dae6aa33
SHA1

14307fa0f232f9827f661e1ea9c225564f57a55b
SHA256

9e61b06119f566b9fb98b46bbce9cb6e128f7a58de8e4266a2867a96d521f2c5
SHA512

0741de51985426d842008c009f22f4ccebbf6484ef5a84d414ddf533ae322bdd9ff9791476815591976cd893313aca7f28930c349af1610f50fd76352ad24cd6
SSDEEP

6144:KCy+bnr+ep0yN90QEl6uFCuzf8i/mEPtm+aiGEaC9c2fLsUf:eMrOy907jCuLl/mEVm1iVrTA8

Score

10^/10

mystic redline gigant infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

gigant

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral12/memory/2932-7-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral12/memory/2932-9-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral12/memory/2932-11-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral12/memory/2932-8-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral12/files/0x000700000002344d-13.dat	family_redline
behavioral12/memory/3076-16-0x0000000000170000-0x00000000001AE000-memory.dmp	family_redline

Executes dropped EXE 2 IoCs

pid	Process
8	1PK15gD7.exe
3076	2zz484uF.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	9e61b06119f566b9fb98b46bbce9cb6e128f7a58de8e4266a2867a96d521f2c5.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 8 set thread context of 2932	8	1PK15gD7.exe	85

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1500	2932	WerFault.exe	85
5036	8	WerFault.exe	82

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 3428 wrote to memory of 8	3428	9e61b06119f566b9fb98b46bbce9cb6e128f7a58de8e4266a2867a96d521f2c5.exe	82
PID 3428 wrote to memory of 8	3428	9e61b06119f566b9fb98b46bbce9cb6e128f7a58de8e4266a2867a96d521f2c5.exe	82
PID 3428 wrote to memory of 8	3428	9e61b06119f566b9fb98b46bbce9cb6e128f7a58de8e4266a2867a96d521f2c5.exe	82
PID 8 wrote to memory of 3332	8	1PK15gD7.exe	84
PID 8 wrote to memory of 3332	8	1PK15gD7.exe	84
PID 8 wrote to memory of 3332	8	1PK15gD7.exe	84
PID 8 wrote to memory of 2932	8	1PK15gD7.exe	85
PID 8 wrote to memory of 2932	8	1PK15gD7.exe	85
PID 8 wrote to memory of 2932	8	1PK15gD7.exe	85
PID 8 wrote to memory of 2932	8	1PK15gD7.exe	85
PID 8 wrote to memory of 2932	8	1PK15gD7.exe	85
PID 8 wrote to memory of 2932	8	1PK15gD7.exe	85
PID 8 wrote to memory of 2932	8	1PK15gD7.exe	85
PID 8 wrote to memory of 2932	8	1PK15gD7.exe	85
PID 8 wrote to memory of 2932	8	1PK15gD7.exe	85
PID 8 wrote to memory of 2932	8	1PK15gD7.exe	85
PID 3428 wrote to memory of 3076	3428	9e61b06119f566b9fb98b46bbce9cb6e128f7a58de8e4266a2867a96d521f2c5.exe	92
PID 3428 wrote to memory of 3076	3428	9e61b06119f566b9fb98b46bbce9cb6e128f7a58de8e4266a2867a96d521f2c5.exe	92
PID 3428 wrote to memory of 3076	3428	9e61b06119f566b9fb98b46bbce9cb6e128f7a58de8e4266a2867a96d521f2c5.exe	92

C:\Users\Admin\AppData\Local\Temp\9e61b06119f566b9fb98b46bbce9cb6e128f7a58de8e4266a2867a96d521f2c5.exe
"C:\Users\Admin\AppData\Local\Temp\9e61b06119f566b9fb98b46bbce9cb6e128f7a58de8e4266a2867a96d521f2c5.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3428
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1PK15gD7.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1PK15gD7.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:8
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:3332
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:2932
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2932 -s 540
      4⤵
      Program crash
      PID:1500
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 8 -s 608
    3⤵
    - Program crash
    PID:5036
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2zz484uF.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2zz484uF.exe
  2⤵
  - Executes dropped EXE
  PID:3076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2932 -ip 2932
1⤵
PID:4972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 8 -ip 8
1⤵
PID:2264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1PK15gD7.exe

Filesize
378KB

MD5
f0831f173733de08511f3a0739f278a6

SHA1
06dc809d653c5d2c97386084ae13b50a73eb5b60

SHA256
8b00f9dce8ceb2123fba3bc9f88419960d1e661b6287eafeba4f0a2ee4be3d27

SHA512
19e3176ce1f154758f685cc4582e93587aa534a251de315473e35758dcd6ff6315880be7602097308dc89c355742be4729bad81de597e8d430a8e868082314e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2zz484uF.exe

Filesize
231KB

MD5
fd7fabaab8392ae08666dd932221bedc

SHA1
38d53cd815b5a9d8f114b34daa86ee6e57b53531

SHA256
05362cc1148a916dd3ee5d1500d41704ea20ad7303caafc13c478d712e3c57bd

SHA512
50979a4d06fd16f19d024c542a1f9de466a21ce1cb409e5ab905e0eee64fe81da14fdc3d8a4dbf31612e9ca8c95cd3b33aba58faa103f87907b3277c1d54fa82

Download Submit
memory/2932-7-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2932-9-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2932-11-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2932-8-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3076-17-0x0000000007480000-0x0000000007A24000-memory.dmp

Filesize
5.6MB

Download
memory/3076-16-0x0000000000170000-0x00000000001AE000-memory.dmp

Filesize
248KB

Download
memory/3076-15-0x0000000073E5E000-0x0000000073E5F000-memory.dmp

Filesize
4KB

Download
memory/3076-18-0x0000000006F70000-0x0000000007002000-memory.dmp

Filesize
584KB

Download
memory/3076-19-0x0000000002470000-0x000000000247A000-memory.dmp

Filesize
40KB

Download
memory/3076-20-0x0000000073E50000-0x0000000074600000-memory.dmp

Filesize
7.7MB

Download
memory/3076-21-0x0000000008050000-0x0000000008668000-memory.dmp

Filesize
6.1MB

Download
memory/3076-22-0x0000000007290000-0x000000000739A000-memory.dmp

Filesize
1.0MB

Download
memory/3076-23-0x0000000007130000-0x0000000007142000-memory.dmp

Filesize
72KB

Download
memory/3076-24-0x00000000071C0000-0x00000000071FC000-memory.dmp

Filesize
240KB

Download
memory/3076-25-0x0000000007200000-0x000000000724C000-memory.dmp

Filesize
304KB

Download
memory/3076-26-0x0000000073E5E000-0x0000000073E5F000-memory.dmp

Filesize
4KB

Download
memory/3076-27-0x0000000073E50000-0x0000000074600000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads