mystic | 8ee265740e734e664a806025412118c1398e5fd5de8de7844c913c144f497faa

Analysis

max time kernel
132s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 17:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b6f3ae7c8039baa6291649906002be6daa14265e311c369866980f296919acfd.exe
Size

650KB
MD5

018a19df0d0740ed6ffb1e10b0e721fa
SHA1

74914be9ad7d256ed0acfd5f85012e47b38a17a8
SHA256

b6f3ae7c8039baa6291649906002be6daa14265e311c369866980f296919acfd
SHA512

3863e8e6d6c1acaa68d20fa21fc6730fdf3a591641b7ab256b00aedbf86159f54bd8df611fb93d72241253b624460c4f214f715ce6c33abb29f5cbd5311e485d
SSDEEP

12288:KMr9y90fh84/H+q4teQYErUVY4Y5Er3st79pQG7g0yCK:Pyih8xtuEeY4YmW7DQ+g0yCK

Score

10^/10

mystic redline virad infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

virad

77.91.124.82:19071

Attributes

auth_value
434dd63619ca8bbf10125913fb40ca28

Signatures

Detect Mystic stealer payload 1 IoCs

resource	yara_rule
behavioral15/files/0x000800000002346f-19.dat	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral15/files/0x0007000000023470-22.dat	family_redline
behavioral15/memory/2012-24-0x00000000009C0000-0x00000000009F0000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

pid	Process
1904	y0107779.exe
3640	y9900834.exe
1108	m1480637.exe
2012	n1753992.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b6f3ae7c8039baa6291649906002be6daa14265e311c369866980f296919acfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y0107779.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y9900834.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1724 wrote to memory of 1904	1724	b6f3ae7c8039baa6291649906002be6daa14265e311c369866980f296919acfd.exe	86
PID 1724 wrote to memory of 1904	1724	b6f3ae7c8039baa6291649906002be6daa14265e311c369866980f296919acfd.exe	86
PID 1724 wrote to memory of 1904	1724	b6f3ae7c8039baa6291649906002be6daa14265e311c369866980f296919acfd.exe	86
PID 1904 wrote to memory of 3640	1904	y0107779.exe	88
PID 1904 wrote to memory of 3640	1904	y0107779.exe	88
PID 1904 wrote to memory of 3640	1904	y0107779.exe	88
PID 3640 wrote to memory of 1108	3640	y9900834.exe	89
PID 3640 wrote to memory of 1108	3640	y9900834.exe	89
PID 3640 wrote to memory of 1108	3640	y9900834.exe	89
PID 3640 wrote to memory of 2012	3640	y9900834.exe	90
PID 3640 wrote to memory of 2012	3640	y9900834.exe	90
PID 3640 wrote to memory of 2012	3640	y9900834.exe	90

C:\Users\Admin\AppData\Local\Temp\b6f3ae7c8039baa6291649906002be6daa14265e311c369866980f296919acfd.exe
"C:\Users\Admin\AppData\Local\Temp\b6f3ae7c8039baa6291649906002be6daa14265e311c369866980f296919acfd.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1724
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0107779.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0107779.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1904
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9900834.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9900834.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3640
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m1480637.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m1480637.exe
      4⤵
      Executes dropped EXE
      PID:1108
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n1753992.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n1753992.exe
      4⤵
      Executes dropped EXE
      PID:2012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0107779.exe

Filesize
548KB

MD5
2601083964205236b0ef697aa891777e

SHA1
93dc9d5bae7a8797744291b11ba83b82a3535e50

SHA256
a96fe2ff0bb2069dee47d385605f3a37810877598959a4371ca29010017ebd47

SHA512
a18e689fa3f93687dc6ab2c2c7a03f565316672c3960372672fc64efb152d98af9ad279e2e11f2e13cfa8bdd29ed5008e7745a9670624368346165126336f82c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9900834.exe

Filesize
271KB

MD5
4ab2e472938ce514903998e5cbd18ef5

SHA1
d88f95052be49621bd7989d60e44c9e59d414a44

SHA256
2124ab04ba0b810a04c2a355bdddc83546c0b73434a641650279060b4cea5545

SHA512
5af50e4ad19018ed04f6133fb203d7003ae7c6c67ba463328dea2c319caca0d50b91d8053f4552fa0633315d6ad576436d6a05cf17b092b6b413bf50a33ebc6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m1480637.exe

Filesize
140KB

MD5
8da10eacd220e03161341162a871b676

SHA1
e06f5d26cd3f4cedaf89136689ed3133a8880707

SHA256
1969866de51bcd8b7676995a6966b783d73c0fe9b910f3b81365a9782826ba22

SHA512
b64da17ad44cd156df646719aa4116c7af2f1b1c7021bb8303f2e376a86929f1c3336d612979b3a042d5b2db99bde3767ce50da091438548019fc97b492a3477

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n1753992.exe

Filesize
174KB

MD5
9dec7155d011eb967a56faf99b462fb3

SHA1
6bc7383a85a9ddfdb432ce072fd23c0f76a0a68f

SHA256
e885779357817e05c253dbc916fbd6f1e888e8f023dbe46d0995dcbd8fd13b46

SHA512
dcc7c65f68d72e01d062159585321cb21a74cd372f273f5954463783a8ffcd4674e243d2ec45a09689b5d2bb93cad2bd0f7336f5b2721363535885daef821d8c

Download Submit
memory/2012-24-0x00000000009C0000-0x00000000009F0000-memory.dmp

Filesize
192KB

Download
memory/2012-25-0x0000000001220000-0x0000000001226000-memory.dmp

Filesize
24KB

Download
memory/2012-26-0x0000000005950000-0x0000000005F68000-memory.dmp

Filesize
6.1MB

Download
memory/2012-27-0x0000000005440000-0x000000000554A000-memory.dmp

Filesize
1.0MB

Download
memory/2012-28-0x0000000005350000-0x0000000005362000-memory.dmp

Filesize
72KB

Download
memory/2012-29-0x00000000053B0000-0x00000000053EC000-memory.dmp

Filesize
240KB

Download
memory/2012-30-0x00000000053F0000-0x000000000543C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads