mystic | 3c91163ea40ad7e35bac48ded16235cfe9003c914f570e27b4e2d7b3c9c46c05

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 18:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a67b0f00c87205b2917cabeb880266cf00239c7b65d393223cafb9c141ff9314.exe
Size

1.6MB
MD5

0f72a83a2d7b043a87baea811b6049db
SHA1

49b8a176baedfa245d73c2a5368fb064d4dd09ab
SHA256

a67b0f00c87205b2917cabeb880266cf00239c7b65d393223cafb9c141ff9314
SHA512

3b971430d58ee125a035c969ee51e8274e4bd3c75a84da4e1ee2b208fe2372612db17878f18f73159cb6e412944008f00775485fa9a3535d510cbf74f9a070e3
SSDEEP

24576:lyRDNs9NfmhHyRI63Tw61eXZSAYPlXFN6aSStK22nOAAKDPq1PZvZ7mFT5q4WjI:AAOlmIc/1wVG94AKJOArPUFc5Sj

Score

10^/10

mystic redline gigant infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

gigant

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 3 IoCs

Processes:

resource	yara_rule
behavioral14/memory/2708-35-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral14/memory/2708-38-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral14/memory/2708-36-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Ez461hM.exe	family_redline
behavioral14/memory/464-42-0x0000000000A20000-0x0000000000A5E000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

Processes:

jg2Jw1Il.exeWA8dS1qT.exeuZ5wN5rd.exeEB9OH1GN.exe1Yh76Tc6.exe2Ez461hM.exe

pid process

3492 jg2Jw1Il.exe
660 WA8dS1qT.exe
4488 uZ5wN5rd.exe
1816 EB9OH1GN.exe
3356 1Yh76Tc6.exe
464 2Ez461hM.exe

pid	process
3492	jg2Jw1Il.exe
660	WA8dS1qT.exe
4488	uZ5wN5rd.exe
1816	EB9OH1GN.exe
3356	1Yh76Tc6.exe
464	2Ez461hM.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

WA8dS1qT.exeuZ5wN5rd.exeEB9OH1GN.exea67b0f00c87205b2917cabeb880266cf00239c7b65d393223cafb9c141ff9314.exejg2Jw1Il.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	WA8dS1qT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	uZ5wN5rd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	EB9OH1GN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a67b0f00c87205b2917cabeb880266cf00239c7b65d393223cafb9c141ff9314.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	jg2Jw1Il.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

1Yh76Tc6.exe

description pid process target process

PID 3356 set thread context of 2708 3356 1Yh76Tc6.exe AppLaunch.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3944 3356 WerFault.exe 1Yh76Tc6.exe

description	pid	process	target process
PID 3356 set thread context of 2708	3356	1Yh76Tc6.exe	AppLaunch.exe

pid	pid_target	process	target process
3944	3356	WerFault.exe	1Yh76Tc6.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

a67b0f00c87205b2917cabeb880266cf00239c7b65d393223cafb9c141ff9314.exejg2Jw1Il.exeWA8dS1qT.exeuZ5wN5rd.exeEB9OH1GN.exe1Yh76Tc6.exe

description	pid	process	target process
PID 2904 wrote to memory of 3492	2904	a67b0f00c87205b2917cabeb880266cf00239c7b65d393223cafb9c141ff9314.exe	jg2Jw1Il.exe
PID 2904 wrote to memory of 3492	2904	a67b0f00c87205b2917cabeb880266cf00239c7b65d393223cafb9c141ff9314.exe	jg2Jw1Il.exe
PID 2904 wrote to memory of 3492	2904	a67b0f00c87205b2917cabeb880266cf00239c7b65d393223cafb9c141ff9314.exe	jg2Jw1Il.exe
PID 3492 wrote to memory of 660	3492	jg2Jw1Il.exe	WA8dS1qT.exe
PID 3492 wrote to memory of 660	3492	jg2Jw1Il.exe	WA8dS1qT.exe
PID 3492 wrote to memory of 660	3492	jg2Jw1Il.exe	WA8dS1qT.exe
PID 660 wrote to memory of 4488	660	WA8dS1qT.exe	uZ5wN5rd.exe
PID 660 wrote to memory of 4488	660	WA8dS1qT.exe	uZ5wN5rd.exe
PID 660 wrote to memory of 4488	660	WA8dS1qT.exe	uZ5wN5rd.exe
PID 4488 wrote to memory of 1816	4488	uZ5wN5rd.exe	EB9OH1GN.exe
PID 4488 wrote to memory of 1816	4488	uZ5wN5rd.exe	EB9OH1GN.exe
PID 4488 wrote to memory of 1816	4488	uZ5wN5rd.exe	EB9OH1GN.exe
PID 1816 wrote to memory of 3356	1816	EB9OH1GN.exe	1Yh76Tc6.exe
PID 1816 wrote to memory of 3356	1816	EB9OH1GN.exe	1Yh76Tc6.exe
PID 1816 wrote to memory of 3356	1816	EB9OH1GN.exe	1Yh76Tc6.exe
PID 3356 wrote to memory of 2708	3356	1Yh76Tc6.exe	AppLaunch.exe
PID 3356 wrote to memory of 2708	3356	1Yh76Tc6.exe	AppLaunch.exe
PID 3356 wrote to memory of 2708	3356	1Yh76Tc6.exe	AppLaunch.exe
PID 3356 wrote to memory of 2708	3356	1Yh76Tc6.exe	AppLaunch.exe
PID 3356 wrote to memory of 2708	3356	1Yh76Tc6.exe	AppLaunch.exe
PID 3356 wrote to memory of 2708	3356	1Yh76Tc6.exe	AppLaunch.exe
PID 3356 wrote to memory of 2708	3356	1Yh76Tc6.exe	AppLaunch.exe
PID 3356 wrote to memory of 2708	3356	1Yh76Tc6.exe	AppLaunch.exe
PID 3356 wrote to memory of 2708	3356	1Yh76Tc6.exe	AppLaunch.exe
PID 3356 wrote to memory of 2708	3356	1Yh76Tc6.exe	AppLaunch.exe
PID 1816 wrote to memory of 464	1816	EB9OH1GN.exe	2Ez461hM.exe
PID 1816 wrote to memory of 464	1816	EB9OH1GN.exe	2Ez461hM.exe
PID 1816 wrote to memory of 464	1816	EB9OH1GN.exe	2Ez461hM.exe

C:\Users\Admin\AppData\Local\Temp\a67b0f00c87205b2917cabeb880266cf00239c7b65d393223cafb9c141ff9314.exe
"C:\Users\Admin\AppData\Local\Temp\a67b0f00c87205b2917cabeb880266cf00239c7b65d393223cafb9c141ff9314.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2904
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jg2Jw1Il.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jg2Jw1Il.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3492
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\WA8dS1qT.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\WA8dS1qT.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:660
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\uZ5wN5rd.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\uZ5wN5rd.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4488
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\EB9OH1GN.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\EB9OH1GN.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1816
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Yh76Tc6.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Yh76Tc6.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3356
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3356 -s 572
        7⤵
        Program crash
        
        PID:3944
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Ez461hM.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Ez461hM.exe
        6⤵
        Executes dropped EXE
        
        PID:464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3356 -ip 3356
1⤵
PID:3060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jg2Jw1Il.exe

Filesize
1.5MB

MD5
18edbed640fdb4b23f8b5d6295340d84

SHA1
b78db2141aebbdc2cef398af2a04a0c61a31a9ac

SHA256
32382231b48b626198e3bd7ad57f86daae9d237bbfb08d1a6238e6af6cacacf0

SHA512
84e09024ef213291dd87b1a948f6d397aefa40c31c11996605cb2c7c0c7b70257e0f3949d367bad0f37281022089f2159982ec976b2b1d4dae1e3da00eea33a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\WA8dS1qT.exe

Filesize
1.3MB

MD5
aa3fac99fe10b1913607e8642620e5e0

SHA1
e807e8de797197cb1a108db0a27e6f5b076fe826

SHA256
02ffbd0660d93ebad3c9373817783cb5b27f2c54995219e3c8ef699386fb454c

SHA512
6fe759e878bf0dd8b3a6fc92cc7020b2ffece699a917a199ecaf9969426d6722b6742a3dd2135c499400df7644950958d7a676ec028d9bb593248ce59d28b555

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\uZ5wN5rd.exe

Filesize
821KB

MD5
63da7aef270377f0bbcf1df9ab46ce7f

SHA1
77be71e53577278d85fa9372901976396ce45af4

SHA256
527f79a183950464a38f56fc0b64e02a8adb0c62d720d55f4526e9cef993b21d

SHA512
64f6a6a46b3b5123698a3a36af0232df929125bba6101dbbf022879bda2625cbd51647ef9cdd691ceae8b334926ddc218ea89cbc9e657f7bd850fa28ac45bd12

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\EB9OH1GN.exe

Filesize
649KB

MD5
994f4d02b89a901b914132c7a495a752

SHA1
7b28b6bf88d3581c56ca61554b2ba2c0576735a9

SHA256
4d201d0845980d1ca8faf591f0045f2f08782ba67539fdd1cfca3f6a5df86af5

SHA512
61f85b39c7625e97d532625f3025d731129647e0b69cc7921597c2653781affbea28d957b176f6431e5e986bf38bbe6ff0fe34d1e61293ea1a6cc43deda3c56e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Yh76Tc6.exe

Filesize
1.7MB

MD5
144dc3c0a5275a93ff86f00b5c61b9ec

SHA1
784168ab3c4711737656ca13dc4cb59ca267fa45

SHA256
179649325e561f83a53c5cba99cd8f1f589064c8d0f2029fb8e06f61ae986787

SHA512
9af6a9870077621eb046d6fed0fac88eba35edd4cd5e60f49c46018ab633d5cc77ddb9a93886178544198099a4e3b20726a32729ec9d1cf89524b4a579afb783

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Ez461hM.exe

Filesize
230KB

MD5
b4fcf4a35a3b751216060844fa10979e

SHA1
819e03996383b1150b31ed8570b789f4402faa94

SHA256
6a67aefd1dbe396b3b443899fcc3511b59ecfb4b8adfea72eed23f15d0426876

SHA512
1f204d032cd68930f8d5fc0de9d9af43097b4aabb97fc604e77790b2d264eca34a26cd3a02922e1092bb4ff69ea7b52deb05be9dfe211c32e0cfb8a0690f5fdb

Download Submit
memory/464-42-0x0000000000A20000-0x0000000000A5E000-memory.dmp

Filesize
248KB

Download
memory/464-43-0x0000000007E80000-0x0000000008424000-memory.dmp

Filesize
5.6MB

Download
memory/464-44-0x0000000007970000-0x0000000007A02000-memory.dmp

Filesize
584KB

Download
memory/464-45-0x0000000004EB0000-0x0000000004EBA000-memory.dmp

Filesize
40KB

Download
memory/464-46-0x0000000008A50000-0x0000000009068000-memory.dmp

Filesize
6.1MB

Download
memory/464-47-0x0000000007C10000-0x0000000007D1A000-memory.dmp

Filesize
1.0MB

Download
memory/464-48-0x0000000007B20000-0x0000000007B32000-memory.dmp

Filesize
72KB

Download
memory/464-49-0x0000000007B80000-0x0000000007BBC000-memory.dmp

Filesize
240KB

Download
memory/464-50-0x0000000007BC0000-0x0000000007C0C000-memory.dmp

Filesize
304KB

Download
memory/2708-38-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2708-36-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2708-35-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download