mystic | c35b2a353f3f737fd5d522bda8150c7fe11a4c4773ad1702d174b480462784c6

Analysis

max time kernel
144s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 17:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cfebef463cdc3659ceb74203574f47da9a4378aab8633dc93e49ef6b8641bcdc.exe
Size

884KB
MD5

e00423dabbb359e5616c2bffbd3ed241
SHA1

75c0818bc02e99a46d4024010cdba5c25b96170f
SHA256

cfebef463cdc3659ceb74203574f47da9a4378aab8633dc93e49ef6b8641bcdc
SHA512

a18483c1910f9e8137468ab7427eb424445071296c1a313ea646f96bca4c091b1365f08d61fed65f82b1459b1d90e2006f6250773b946e3369e6df5174067256
SSDEEP

24576:YyxczE3pCXXFoqw49z/s+YAhSTqUa+W2apq:fxcopCHFI49zkiUW2A

Score

10^/10

mystic redline gigant infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

gigant

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 3 IoCs

Processes:

resource	yara_rule
behavioral19/memory/3292-21-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral19/memory/3292-24-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral19/memory/3292-22-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2pP134hx.exe	family_redline
behavioral19/memory/1064-28-0x0000000000A90000-0x0000000000ACE000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

Processes:

rG8wi1VV.exeNg9hJ9he.exe1cN04vB8.exe2pP134hx.exe

pid process

4656 rG8wi1VV.exe
5116 Ng9hJ9he.exe
2432 1cN04vB8.exe
1064 2pP134hx.exe

pid	process
4656	rG8wi1VV.exe
5116	Ng9hJ9he.exe
2432	1cN04vB8.exe
1064	2pP134hx.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

cfebef463cdc3659ceb74203574f47da9a4378aab8633dc93e49ef6b8641bcdc.exerG8wi1VV.exeNg9hJ9he.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	cfebef463cdc3659ceb74203574f47da9a4378aab8633dc93e49ef6b8641bcdc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	rG8wi1VV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Ng9hJ9he.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

1cN04vB8.exe

description pid process target process

PID 2432 set thread context of 3292 2432 1cN04vB8.exe AppLaunch.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2340 2432 WerFault.exe 1cN04vB8.exe

description	pid	process	target process
PID 2432 set thread context of 3292	2432	1cN04vB8.exe	AppLaunch.exe

pid	pid_target	process	target process
2340	2432	WerFault.exe	1cN04vB8.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

cfebef463cdc3659ceb74203574f47da9a4378aab8633dc93e49ef6b8641bcdc.exerG8wi1VV.exeNg9hJ9he.exe1cN04vB8.exe

description	pid	process	target process
PID 2892 wrote to memory of 4656	2892	cfebef463cdc3659ceb74203574f47da9a4378aab8633dc93e49ef6b8641bcdc.exe	rG8wi1VV.exe
PID 2892 wrote to memory of 4656	2892	cfebef463cdc3659ceb74203574f47da9a4378aab8633dc93e49ef6b8641bcdc.exe	rG8wi1VV.exe
PID 2892 wrote to memory of 4656	2892	cfebef463cdc3659ceb74203574f47da9a4378aab8633dc93e49ef6b8641bcdc.exe	rG8wi1VV.exe
PID 4656 wrote to memory of 5116	4656	rG8wi1VV.exe	Ng9hJ9he.exe
PID 4656 wrote to memory of 5116	4656	rG8wi1VV.exe	Ng9hJ9he.exe
PID 4656 wrote to memory of 5116	4656	rG8wi1VV.exe	Ng9hJ9he.exe
PID 5116 wrote to memory of 2432	5116	Ng9hJ9he.exe	1cN04vB8.exe
PID 5116 wrote to memory of 2432	5116	Ng9hJ9he.exe	1cN04vB8.exe
PID 5116 wrote to memory of 2432	5116	Ng9hJ9he.exe	1cN04vB8.exe
PID 2432 wrote to memory of 3292	2432	1cN04vB8.exe	AppLaunch.exe
PID 2432 wrote to memory of 3292	2432	1cN04vB8.exe	AppLaunch.exe
PID 2432 wrote to memory of 3292	2432	1cN04vB8.exe	AppLaunch.exe
PID 2432 wrote to memory of 3292	2432	1cN04vB8.exe	AppLaunch.exe
PID 2432 wrote to memory of 3292	2432	1cN04vB8.exe	AppLaunch.exe
PID 2432 wrote to memory of 3292	2432	1cN04vB8.exe	AppLaunch.exe
PID 2432 wrote to memory of 3292	2432	1cN04vB8.exe	AppLaunch.exe
PID 2432 wrote to memory of 3292	2432	1cN04vB8.exe	AppLaunch.exe
PID 2432 wrote to memory of 3292	2432	1cN04vB8.exe	AppLaunch.exe
PID 2432 wrote to memory of 3292	2432	1cN04vB8.exe	AppLaunch.exe
PID 5116 wrote to memory of 1064	5116	Ng9hJ9he.exe	2pP134hx.exe
PID 5116 wrote to memory of 1064	5116	Ng9hJ9he.exe	2pP134hx.exe
PID 5116 wrote to memory of 1064	5116	Ng9hJ9he.exe	2pP134hx.exe

C:\Users\Admin\AppData\Local\Temp\cfebef463cdc3659ceb74203574f47da9a4378aab8633dc93e49ef6b8641bcdc.exe
"C:\Users\Admin\AppData\Local\Temp\cfebef463cdc3659ceb74203574f47da9a4378aab8633dc93e49ef6b8641bcdc.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2892

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rG8wi1VV.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rG8wi1VV.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4656

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ng9hJ9he.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ng9hJ9he.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5116

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1cN04vB8.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1cN04vB8.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2432

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
5⤵
PID:3292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2432 -s 596
5⤵
- Program crash
PID:2340

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2pP134hx.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2pP134hx.exe
4⤵
- Executes dropped EXE
PID:1064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2432 -ip 2432
1⤵
PID:2076

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rG8wi1VV.exe
Filesize
590KB

MD5
9ba6f36f2de82c7698134fb83956c14d

SHA1
c107971c42191285abf8bec4982f80cdf97cece3

SHA256
c9c68d8b7dd332b997b5b714afb8869774400159a8ef4ca27a74c62971c6e2a3

SHA512
ac38fdc199b77b8e21d2f160a1f2ce921e125636dd8af63dcb42a0599535025795785144bf90af3cf565910184b052ee3927920ce19a6f639a83a45783b47cd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ng9hJ9he.exe
Filesize
417KB

MD5
c25666c7c2893ce84211e3ba8319e32a

SHA1
d2de26f3843ea6000a82344ef0c2889cf17127d2

SHA256
ccec52e40e5ece36fb182ebf92c29c07f92071b820d3ed71ed3aa30fc434d4ba

SHA512
7c8186e281261164b844118f16b0d03111cede9fc950eb68c9de5a1ff3fcb858f24797b50273003c02361cdaebfc49e1d2c086502fcd8027c362d88964fb7617

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1cN04vB8.exe
Filesize
378KB

MD5
f0831f173733de08511f3a0739f278a6

SHA1
06dc809d653c5d2c97386084ae13b50a73eb5b60

SHA256
8b00f9dce8ceb2123fba3bc9f88419960d1e661b6287eafeba4f0a2ee4be3d27

SHA512
19e3176ce1f154758f685cc4582e93587aa534a251de315473e35758dcd6ff6315880be7602097308dc89c355742be4729bad81de597e8d430a8e868082314e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2pP134hx.exe
Filesize
231KB

MD5
85027b68f7f23775d018452665f459a6

SHA1
c5973720884214d8bdace72d7f5973817664d1e0

SHA256
45fa8210121156270740a0484cd9e6ff6a5f31ce9645b34e9306569bfdeb8cfc

SHA512
7ad70093b7941bc5f164a07fabb5a96d4533f992fdfc16efb66f30cd43ac11feb4496caa54f94397c16112940c5d3905fa14ada339e0ae4441220a79380438f4

Download Submit
memory/1064-33-0x0000000007B30000-0x0000000007C3A000-memory.dmp

Filesize
1.0MB

Download
memory/1064-28-0x0000000000A90000-0x0000000000ACE000-memory.dmp

Filesize
248KB

Download
memory/1064-29-0x0000000007E10000-0x00000000083B4000-memory.dmp

Filesize
5.6MB

Download
memory/1064-30-0x0000000007860000-0x00000000078F2000-memory.dmp

Filesize
584KB

Download
memory/1064-31-0x0000000002D40000-0x0000000002D4A000-memory.dmp

Filesize
40KB

Download
memory/1064-32-0x00000000089E0000-0x0000000008FF8000-memory.dmp

Filesize
6.1MB

Download
memory/1064-34-0x0000000007A50000-0x0000000007A62000-memory.dmp

Filesize
72KB

Download
memory/1064-35-0x0000000007AB0000-0x0000000007AEC000-memory.dmp

Filesize
240KB

Download
memory/1064-36-0x0000000007C40000-0x0000000007C8C000-memory.dmp

Filesize
304KB

Download
memory/3292-22-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3292-24-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3292-21-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download