mystic | c35b2a353f3f737fd5d522bda8150c7fe11a4c4773ad1702d174b480462784c6

Analysis

max time kernel
145s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 17:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

18184ff5db7555b2c7baf1a87aa4d5046c77710bee4b4f39e6a131f30f418f7a.exe
Size

662KB
MD5

efc79a98fc61f6d6dfabe4bf64ccbf8c
SHA1

8137dafbb384db53eff033229998945166ac5fa8
SHA256

18184ff5db7555b2c7baf1a87aa4d5046c77710bee4b4f39e6a131f30f418f7a
SHA512

717247ab59c19296e11c16545bae54067a3a30c46e0c118cc690fd79fd98bcd8401b206ced16417ac09a65090eaf726a61b44612cf8f8a322517591621f5974f
SSDEEP

12288:EMr6y90bevLolfDpBvr6dqaxMGdo/0JMFSLt1T8muh5bgOz+/eCEdJdar:Gy3Lopj6dqKMGm/iMILtyV5bgOzqPari

Score

10^/10

mystic redline virad infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

virad

77.91.124.82:19071

Attributes

auth_value
434dd63619ca8bbf10125913fb40ca28

Signatures

Detect Mystic stealer payload 1 IoCs

resource	yara_rule
behavioral2/files/0x00080000000233ff-18.dat	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023400-22.dat	family_redline
behavioral2/memory/4628-24-0x00000000001D0000-0x0000000000200000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

pid	Process
2056	y1663209.exe
1220	y4896686.exe
3388	m0572887.exe
4628	n3394867.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	18184ff5db7555b2c7baf1a87aa4d5046c77710bee4b4f39e6a131f30f418f7a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y1663209.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y4896686.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3588 wrote to memory of 2056	3588	18184ff5db7555b2c7baf1a87aa4d5046c77710bee4b4f39e6a131f30f418f7a.exe	83
PID 3588 wrote to memory of 2056	3588	18184ff5db7555b2c7baf1a87aa4d5046c77710bee4b4f39e6a131f30f418f7a.exe	83
PID 3588 wrote to memory of 2056	3588	18184ff5db7555b2c7baf1a87aa4d5046c77710bee4b4f39e6a131f30f418f7a.exe	83
PID 2056 wrote to memory of 1220	2056	y1663209.exe	84
PID 2056 wrote to memory of 1220	2056	y1663209.exe	84
PID 2056 wrote to memory of 1220	2056	y1663209.exe	84
PID 1220 wrote to memory of 3388	1220	y4896686.exe	85
PID 1220 wrote to memory of 3388	1220	y4896686.exe	85
PID 1220 wrote to memory of 3388	1220	y4896686.exe	85
PID 1220 wrote to memory of 4628	1220	y4896686.exe	86
PID 1220 wrote to memory of 4628	1220	y4896686.exe	86
PID 1220 wrote to memory of 4628	1220	y4896686.exe	86

C:\Users\Admin\AppData\Local\Temp\18184ff5db7555b2c7baf1a87aa4d5046c77710bee4b4f39e6a131f30f418f7a.exe
"C:\Users\Admin\AppData\Local\Temp\18184ff5db7555b2c7baf1a87aa4d5046c77710bee4b4f39e6a131f30f418f7a.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3588
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1663209.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1663209.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2056
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4896686.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4896686.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1220
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m0572887.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m0572887.exe
      4⤵
      Executes dropped EXE
      PID:3388
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n3394867.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n3394867.exe
      4⤵
      Executes dropped EXE
      PID:4628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1663209.exe

Filesize
560KB

MD5
c764a4911d8a8aa7291abde9b49376ac

SHA1
6f118bbb4dd037bc77151578ffe145cfbf4ebf11

SHA256
e86b49e4e6141ec0ce35b16ff0009d2f93f93e3f89a654ae2ea63a17979e05d0

SHA512
90b45bfdf98ca8308b575b35c78f4db3bd68d02d799c84fa8234a22f8e8c87fac7eaabcc08a20ae463e00414ff967e1a7436269d9de810cc01a49a7800a9f2f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4896686.exe

Filesize
271KB

MD5
807898cd2d1f2c16a81cd76f930b90e8

SHA1
0d18d4d82b96b82b3398bb16935223d0286b3ef6

SHA256
0c895fc421b0a6965d5452ef59656c7ae59582691627ca14baf68b8b75a20aed

SHA512
2a2df902cdcb56a8ae9586414a414e73517c1db619da86810752099cf791928df1185be439536e013ac89b362b2fbc2ba842c2d046f20671f96d692fcf177766

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m0572887.exe

Filesize
142KB

MD5
0e37dfedb7d7bcdc26417c117e96e12b

SHA1
c0315154d09839d76c310701067697eb7f7edb7f

SHA256
6e3b64d231be0313e8b57f67a6c2de8616a7deb50714afb3cf1df288df91e0f2

SHA512
2fb6f6b24435b672cc6e6445f8c9ebb7a0cdee8d89e7221b6aed69652ecee13ecc50e1f5dda133884fdde476d564b1750b25a435359b911be7a683ed83fbdc21

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n3394867.exe

Filesize
175KB

MD5
961a275ca0fbfb2b67a917675b00cbc1

SHA1
e3f8257d25b1c22b78ad71e4370e132fd6d1cb99

SHA256
861a8e09558350ab055332b0ea8756f63f641c8da0d4c22dce066fb1a80fcfd7

SHA512
4ea62c339a58bbe7e3e43b2bbbe5b2dc8d7ec3f91ce8dde0689e6de8ae2d23f0cb722fab8e4b6c2b44c638017478909e7580a5ca1ec68649a769eba9e0c277d4

Download Submit
memory/4628-24-0x00000000001D0000-0x0000000000200000-memory.dmp

Filesize
192KB

Download
memory/4628-25-0x0000000004AF0000-0x0000000004AF6000-memory.dmp

Filesize
24KB

Download
memory/4628-26-0x000000000A530000-0x000000000AB48000-memory.dmp

Filesize
6.1MB

Download
memory/4628-27-0x000000000A040000-0x000000000A14A000-memory.dmp

Filesize
1.0MB

Download
memory/4628-28-0x0000000009F80000-0x0000000009F92000-memory.dmp

Filesize
72KB

Download
memory/4628-29-0x0000000009FE0000-0x000000000A01C000-memory.dmp

Filesize
240KB

Download
memory/4628-30-0x00000000024D0000-0x000000000251C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads