mystic | 8ee265740e734e664a806025412118c1398e5fd5de8de7844c913c144f497faa

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 17:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b55e0e5824f9aed804ccff228c21b9dc48e15fc3f7da5286a514ea94193f15a8.exe
Size

1.6MB
MD5

910d8cb1b127b0f7bea2eb47a939c260
SHA1

1143362d66c21434412eea597e464e4f154dd205
SHA256

b55e0e5824f9aed804ccff228c21b9dc48e15fc3f7da5286a514ea94193f15a8
SHA512

77719c68bc8889bbc029a37278de643b531dfb207cee720a8d3f926fd209f5397a09f477c7f9e4995ce4b54315b321530adcd227bfc729b41222ce7e483f5d2e
SSDEEP

24576:ZyFiu4btkJLleIxFYm5MYiGw6u+nFP+D1uLiUOht2MIlD0gNtLct1FqEa9MfR3nj:Mk7Qv5MYNn5mULiUqJ2DMtRR/VP

Score

10^/10

mystic redline gigant infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

gigant

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 3 IoCs

resource	yara_rule
behavioral14/memory/3572-35-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral14/memory/3572-38-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral14/memory/3572-36-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral14/files/0x0007000000023431-40.dat	family_redline
behavioral14/memory/3688-42-0x0000000000A20000-0x0000000000A5E000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
3376	Nk8Wz5bs.exe
3260	Pr5Vj2Vi.exe
4788	Vf9Ik3Xb.exe
2300	Jf7Db6CK.exe
2388	1Nf14qm3.exe
3688	2xs091la.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Pr5Vj2Vi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	Vf9Ik3Xb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	Jf7Db6CK.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b55e0e5824f9aed804ccff228c21b9dc48e15fc3f7da5286a514ea94193f15a8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Nk8Wz5bs.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2388 set thread context of 3572	2388	1Nf14qm3.exe	89

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5028	2388	WerFault.exe	86

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 3516 wrote to memory of 3376	3516	b55e0e5824f9aed804ccff228c21b9dc48e15fc3f7da5286a514ea94193f15a8.exe	82
PID 3516 wrote to memory of 3376	3516	b55e0e5824f9aed804ccff228c21b9dc48e15fc3f7da5286a514ea94193f15a8.exe	82
PID 3516 wrote to memory of 3376	3516	b55e0e5824f9aed804ccff228c21b9dc48e15fc3f7da5286a514ea94193f15a8.exe	82
PID 3376 wrote to memory of 3260	3376	Nk8Wz5bs.exe	83
PID 3376 wrote to memory of 3260	3376	Nk8Wz5bs.exe	83
PID 3376 wrote to memory of 3260	3376	Nk8Wz5bs.exe	83
PID 3260 wrote to memory of 4788	3260	Pr5Vj2Vi.exe	84
PID 3260 wrote to memory of 4788	3260	Pr5Vj2Vi.exe	84
PID 3260 wrote to memory of 4788	3260	Pr5Vj2Vi.exe	84
PID 4788 wrote to memory of 2300	4788	Vf9Ik3Xb.exe	85
PID 4788 wrote to memory of 2300	4788	Vf9Ik3Xb.exe	85
PID 4788 wrote to memory of 2300	4788	Vf9Ik3Xb.exe	85
PID 2300 wrote to memory of 2388	2300	Jf7Db6CK.exe	86
PID 2300 wrote to memory of 2388	2300	Jf7Db6CK.exe	86
PID 2300 wrote to memory of 2388	2300	Jf7Db6CK.exe	86
PID 2388 wrote to memory of 3572	2388	1Nf14qm3.exe	89
PID 2388 wrote to memory of 3572	2388	1Nf14qm3.exe	89
PID 2388 wrote to memory of 3572	2388	1Nf14qm3.exe	89
PID 2388 wrote to memory of 3572	2388	1Nf14qm3.exe	89
PID 2388 wrote to memory of 3572	2388	1Nf14qm3.exe	89
PID 2388 wrote to memory of 3572	2388	1Nf14qm3.exe	89
PID 2388 wrote to memory of 3572	2388	1Nf14qm3.exe	89
PID 2388 wrote to memory of 3572	2388	1Nf14qm3.exe	89
PID 2388 wrote to memory of 3572	2388	1Nf14qm3.exe	89
PID 2388 wrote to memory of 3572	2388	1Nf14qm3.exe	89
PID 2300 wrote to memory of 3688	2300	Jf7Db6CK.exe	94
PID 2300 wrote to memory of 3688	2300	Jf7Db6CK.exe	94
PID 2300 wrote to memory of 3688	2300	Jf7Db6CK.exe	94

C:\Users\Admin\AppData\Local\Temp\b55e0e5824f9aed804ccff228c21b9dc48e15fc3f7da5286a514ea94193f15a8.exe
"C:\Users\Admin\AppData\Local\Temp\b55e0e5824f9aed804ccff228c21b9dc48e15fc3f7da5286a514ea94193f15a8.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3516
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Nk8Wz5bs.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Nk8Wz5bs.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3376
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Pr5Vj2Vi.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Pr5Vj2Vi.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3260
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Vf9Ik3Xb.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Vf9Ik3Xb.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4788
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Jf7Db6CK.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Jf7Db6CK.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2300
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Nf14qm3.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Nf14qm3.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2388
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:3572
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 576
        7⤵
        Program crash
        
        PID:5028
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2xs091la.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2xs091la.exe
        6⤵
        Executes dropped EXE
        
        PID:3688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2388 -ip 2388
1⤵
PID:2052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Nk8Wz5bs.exe

Filesize
1.5MB

MD5
86f912ca3d23cb0a783616e35b25750d

SHA1
f1b2298c2f621870001c5ad4424ac6dec3e0bf34

SHA256
6d5a1b05c5e809e423b89f3d44938e2ed28df8e1921c504afae37af9caf79316

SHA512
ff26648b1e4fa0718a6f5d1f9fe10e826975553303c442df25acd5465080dbf56be1f391e2c467adcef77157780af1ae480b2d76ee145cc56187fa23000848c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Pr5Vj2Vi.exe

Filesize
1.3MB

MD5
2a9e76160e2a6d7f3f671d10590344a0

SHA1
bd2a26ee6c35e5b2bcf1887e3b39d7e54cd53018

SHA256
b6af805c21fbac36ac8290d0b39d413d2c63ff6967309c40d6b5ffbf3f01bf84

SHA512
8f15a39b0a54a9caa076a401be756fae1f097e1f9b69b6942148353ec26aabf99296da033febd43401cb003d4c63c3f67842d18d34d50a92507c2ab4d80a7cd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Vf9Ik3Xb.exe

Filesize
822KB

MD5
501fa5ab8377753a53b5a0bf98bfee90

SHA1
083acf68071e1d9729ca4fcce7cfa09626c93d6d

SHA256
fd087bd2caa1cb2da82bdc49ad7427bbc8788f1f65e6486617e8b4b6616c71c5

SHA512
bb526a4aba86464a4c28f03c75d75ecc07acda51ff58617cac3a589523737b3d6649c682243a06e733aef733a089175f15d8b4451375945d0e1e5402767c4449

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Jf7Db6CK.exe

Filesize
649KB

MD5
7cde77224cc459741908419cf6f98263

SHA1
441924a8959647b99040fc71319a963fb21b1aa7

SHA256
38215027a5246194bf65451f6ec6ed223342852faed225012ddace1e74d43bc9

SHA512
bbc46792b05472475771b3cae9169912d673164fec38ec325e01029772adc37281aefacafcc69a1553771b86c1877949566a7e66704e6df97a805010c0609b3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Nf14qm3.exe

Filesize
1.7MB

MD5
f1d8d26a9c6cd846f6265eb4d63d5212

SHA1
b599780b649cdc0cb2954b6d368767cd1747ab37

SHA256
ee18e70e03d08a5c5b70f5950c8f903712ced0a1d516edea7ff3c2885f0150b9

SHA512
6d94c2de4142df2d45931a7e29d9ee28f529cfebceda0d7f4ffecedd24a4c93488e30c03e5305823578207485cbbbd8f7fecfc6e7106cb1651d4217f4cf02716

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2xs091la.exe

Filesize
230KB

MD5
ebaf50cbfdf25d7eb28b06a84883d7d6

SHA1
5940c6a6e60a020dfad184900a0b726b3f897dc2

SHA256
2f425af02a1ea4c6caadd633388869c53f10ba0aaa67f6e39f23640dfcc901b2

SHA512
796ac84bdd410754c8364ff674cc7f278697024cdb4c906673153afe035424859c295973d20918589d7b47a1d50bdcc6b5430167cb97e1bb2d9b6c86d038a700

Download Submit
memory/3572-38-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3572-36-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3572-35-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3688-42-0x0000000000A20000-0x0000000000A5E000-memory.dmp

Filesize
248KB

Download
memory/3688-43-0x0000000007EF0000-0x0000000008494000-memory.dmp

Filesize
5.6MB

Download
memory/3688-44-0x0000000007940000-0x00000000079D2000-memory.dmp

Filesize
584KB

Download
memory/3688-45-0x0000000002DC0000-0x0000000002DCA000-memory.dmp

Filesize
40KB

Download
memory/3688-46-0x0000000008AC0000-0x00000000090D8000-memory.dmp

Filesize
6.1MB

Download
memory/3688-47-0x0000000007CF0000-0x0000000007DFA000-memory.dmp

Filesize
1.0MB

Download
memory/3688-48-0x0000000007B00000-0x0000000007B12000-memory.dmp

Filesize
72KB

Download
memory/3688-49-0x0000000007B60000-0x0000000007B9C000-memory.dmp

Filesize
240KB

Download
memory/3688-50-0x0000000007BE0000-0x0000000007C2C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads