mystic | 75edb521bbb0ae12b7c2c52fa6e3ed769f4e764e26b92ef2dc4d7cb78ed92fd9

Analysis

max time kernel
148s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 18:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a6ac7e6221ae1940e4e6faa06a2e255b4e9e7a811c7b3e3859feeaccca699844.exe
Size

824KB
MD5

f8896aa09cbf341133389cb3879cda71
SHA1

76046da72c2c2e920522051abb913a34e6bc3247
SHA256

a6ac7e6221ae1940e4e6faa06a2e255b4e9e7a811c7b3e3859feeaccca699844
SHA512

348b33b83cf63f3bc543a00f58be4311e08aec4fb743ff49275e86bea02471538fc99f88663fd3907076ef3f874b20928af47eefd30a679e842c7794b0c7ce44
SSDEEP

12288:PMrny90Y58rHbQA4c/v7AaEzqIf9bOufRtL5V2dxWHH3jvzIOS7i4lpvuNxmrRFI:8y2rHM4ALEufjixKTvzXS7ispXFFXY

Score

10^/10

mystic redline gigant infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

gigant

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral13/memory/3956-14-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral13/memory/3956-18-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral13/memory/3956-16-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral13/memory/3956-15-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral13/files/0x000700000002346a-21.dat	family_redline
behavioral13/memory/4888-22-0x0000000000650000-0x000000000068E000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

pid	Process
3676	Gu5rF5Ta.exe
4304	1JA97An7.exe
4888	2JS801rY.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a6ac7e6221ae1940e4e6faa06a2e255b4e9e7a811c7b3e3859feeaccca699844.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Gu5rF5Ta.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4304 set thread context of 3956	4304	1JA97An7.exe	85

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2520	3956	WerFault.exe	85
4596	4304	WerFault.exe	84

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 4552 wrote to memory of 3676	4552	a6ac7e6221ae1940e4e6faa06a2e255b4e9e7a811c7b3e3859feeaccca699844.exe	83
PID 4552 wrote to memory of 3676	4552	a6ac7e6221ae1940e4e6faa06a2e255b4e9e7a811c7b3e3859feeaccca699844.exe	83
PID 4552 wrote to memory of 3676	4552	a6ac7e6221ae1940e4e6faa06a2e255b4e9e7a811c7b3e3859feeaccca699844.exe	83
PID 3676 wrote to memory of 4304	3676	Gu5rF5Ta.exe	84
PID 3676 wrote to memory of 4304	3676	Gu5rF5Ta.exe	84
PID 3676 wrote to memory of 4304	3676	Gu5rF5Ta.exe	84
PID 4304 wrote to memory of 3956	4304	1JA97An7.exe	85
PID 4304 wrote to memory of 3956	4304	1JA97An7.exe	85
PID 4304 wrote to memory of 3956	4304	1JA97An7.exe	85
PID 4304 wrote to memory of 3956	4304	1JA97An7.exe	85
PID 4304 wrote to memory of 3956	4304	1JA97An7.exe	85
PID 4304 wrote to memory of 3956	4304	1JA97An7.exe	85
PID 4304 wrote to memory of 3956	4304	1JA97An7.exe	85
PID 4304 wrote to memory of 3956	4304	1JA97An7.exe	85
PID 4304 wrote to memory of 3956	4304	1JA97An7.exe	85
PID 4304 wrote to memory of 3956	4304	1JA97An7.exe	85
PID 3676 wrote to memory of 4888	3676	Gu5rF5Ta.exe	94
PID 3676 wrote to memory of 4888	3676	Gu5rF5Ta.exe	94
PID 3676 wrote to memory of 4888	3676	Gu5rF5Ta.exe	94

C:\Users\Admin\AppData\Local\Temp\a6ac7e6221ae1940e4e6faa06a2e255b4e9e7a811c7b3e3859feeaccca699844.exe
"C:\Users\Admin\AppData\Local\Temp\a6ac7e6221ae1940e4e6faa06a2e255b4e9e7a811c7b3e3859feeaccca699844.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4552
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gu5rF5Ta.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gu5rF5Ta.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3676
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1JA97An7.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1JA97An7.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4304
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:3956
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3956 -s 540
        5⤵
        Program crash
        
        PID:2520
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4304 -s 572
      4⤵
      Program crash
      PID:4596
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2JS801rY.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2JS801rY.exe
    3⤵
    - Executes dropped EXE
    PID:4888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4304 -ip 4304
1⤵
PID:2328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3956 -ip 3956
1⤵
PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gu5rF5Ta.exe

Filesize
652KB

MD5
982cbd4daeb9916fa5a2bf3d43b39ba6

SHA1
0502e923878903098935277682f94a8172296c49

SHA256
bce9bbfac59cdf4915a15d06d2dc079a6d81b13cfa73f9d1428daa819cc43c5d

SHA512
a9c8396ae41ac74e93961cd894f9f98fbcaf643d00fc4abc7aa2420a409fdb6e5fdff6bcfc8e849991e489b4fd216f18b7adaa25232ec74a09aef2a84b37d527

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1JA97An7.exe

Filesize
1.8MB

MD5
f3f2f8b5752ef75807bb50f7cdca9813

SHA1
0b4c8a7da527a45432922e8f6eaddc5959165ae1

SHA256
0fef3487fff91a01030ad443e6e548c323825a6c9d354d406c5d224b25dc880d

SHA512
6bd7f737e4490756f520f21d3f3c5c08b36f70c001f861c6cea9b75ae59254a1fa42d265f121c2ba54d0f12bdfd6b03580cf5a4a8e037fd0331732bddd95d09e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2JS801rY.exe

Filesize
230KB

MD5
4e906749b63851f753e374f71620a91b

SHA1
cda532abc97526a284e82ba55b50f848dea20169

SHA256
a9206d3931eb33f83f6f9e78339ac945e56e572766d9f50b2f04e649f220365f

SHA512
b3834c0dcdd22b9b98a9bc5548c48f52cbe7b6c9bf2145db5644542323fc564c3d9a7885f685713e65f07c8871ff49754102e4869ff785b0d263a5920ccff4f0

Download Submit
memory/3956-14-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3956-18-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3956-16-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3956-15-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4888-23-0x00000000079E0000-0x0000000007F84000-memory.dmp

Filesize
5.6MB

Download
memory/4888-22-0x0000000000650000-0x000000000068E000-memory.dmp

Filesize
248KB

Download
memory/4888-24-0x0000000007510000-0x00000000075A2000-memory.dmp

Filesize
584KB

Download
memory/4888-25-0x0000000004AD0000-0x0000000004ADA000-memory.dmp

Filesize
40KB

Download
memory/4888-26-0x00000000085B0000-0x0000000008BC8000-memory.dmp

Filesize
6.1MB

Download
memory/4888-27-0x0000000007890000-0x000000000799A000-memory.dmp

Filesize
1.0MB

Download
memory/4888-28-0x0000000007740000-0x0000000007752000-memory.dmp

Filesize
72KB

Download
memory/4888-29-0x00000000077C0000-0x00000000077FC000-memory.dmp

Filesize
240KB

Download
memory/4888-30-0x0000000007800000-0x000000000784C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads