mystic | 75edb521bbb0ae12b7c2c52fa6e3ed769f4e764e26b92ef2dc4d7cb78ed92fd9

Analysis

max time kernel
148s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 18:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e50cb4889413649fb6e1cca1572c73dae745fb6ad9c37514bfa16650aacbaa49.exe
Size

841KB
MD5

f025917edad34f0971f4b62b76003de9
SHA1

35449daa9b1d2b0ba53897b43dd9f40a0ea782fd
SHA256

e50cb4889413649fb6e1cca1572c73dae745fb6ad9c37514bfa16650aacbaa49
SHA512

31e4b993c86c3e913da3049110ee66570b238b53223dccbf7b64587fd8c19a56490d410640d721dc71f9df7ce5f0ff3ed755783cdd2670148a7b5984d99f8225
SSDEEP

24576:JyRTYigN40cVYvpnc9gqPts8M/afOFONn:8RU3vcVSRcf1s8mafOFU

Score

10^/10

mystic redline kendo infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kendo

77.91.124.82:19071

Attributes

auth_value
5a22a881561d49941415902859b51f14

Signatures

Detect Mystic stealer payload 5 IoCs

resource	yara_rule
behavioral19/memory/1004-21-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral19/memory/1004-23-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral19/memory/1004-25-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral19/memory/1004-22-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral19/memory/1004-26-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral19/files/0x00070000000232a6-28.dat	family_redline
behavioral19/memory/3524-30-0x00000000009E0000-0x0000000000A10000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

pid	Process
2520	x5930167.exe
3640	x6923886.exe
5024	g0519826.exe
3524	h6215817.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e50cb4889413649fb6e1cca1572c73dae745fb6ad9c37514bfa16650aacbaa49.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x5930167.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x6923886.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5024 set thread context of 1004	5024	g0519826.exe	94

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1092	5024	WerFault.exe	93

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1600 wrote to memory of 2520	1600	e50cb4889413649fb6e1cca1572c73dae745fb6ad9c37514bfa16650aacbaa49.exe	91
PID 1600 wrote to memory of 2520	1600	e50cb4889413649fb6e1cca1572c73dae745fb6ad9c37514bfa16650aacbaa49.exe	91
PID 1600 wrote to memory of 2520	1600	e50cb4889413649fb6e1cca1572c73dae745fb6ad9c37514bfa16650aacbaa49.exe	91
PID 2520 wrote to memory of 3640	2520	x5930167.exe	92
PID 2520 wrote to memory of 3640	2520	x5930167.exe	92
PID 2520 wrote to memory of 3640	2520	x5930167.exe	92
PID 3640 wrote to memory of 5024	3640	x6923886.exe	93
PID 3640 wrote to memory of 5024	3640	x6923886.exe	93
PID 3640 wrote to memory of 5024	3640	x6923886.exe	93
PID 5024 wrote to memory of 1004	5024	g0519826.exe	94
PID 5024 wrote to memory of 1004	5024	g0519826.exe	94
PID 5024 wrote to memory of 1004	5024	g0519826.exe	94
PID 5024 wrote to memory of 1004	5024	g0519826.exe	94
PID 5024 wrote to memory of 1004	5024	g0519826.exe	94
PID 5024 wrote to memory of 1004	5024	g0519826.exe	94
PID 5024 wrote to memory of 1004	5024	g0519826.exe	94
PID 5024 wrote to memory of 1004	5024	g0519826.exe	94
PID 5024 wrote to memory of 1004	5024	g0519826.exe	94
PID 5024 wrote to memory of 1004	5024	g0519826.exe	94
PID 3640 wrote to memory of 3524	3640	x6923886.exe	98
PID 3640 wrote to memory of 3524	3640	x6923886.exe	98
PID 3640 wrote to memory of 3524	3640	x6923886.exe	98

C:\Users\Admin\AppData\Local\Temp\e50cb4889413649fb6e1cca1572c73dae745fb6ad9c37514bfa16650aacbaa49.exe
"C:\Users\Admin\AppData\Local\Temp\e50cb4889413649fb6e1cca1572c73dae745fb6ad9c37514bfa16650aacbaa49.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1600
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5930167.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5930167.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2520
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6923886.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6923886.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3640
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g0519826.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g0519826.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:5024
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        
        PID:1004
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5024 -s 564
        5⤵
        Program crash
        
        PID:1092
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h6215817.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h6215817.exe
      4⤵
      Executes dropped EXE
      PID:3524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 5024 -ip 5024
1⤵
PID:232

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4240 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8
1⤵
PID:1904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5930167.exe

Filesize
563KB

MD5
5b58c24adf25008434e1b6280ea901ce

SHA1
7ccb0c2af3b268a4661918fbf7f69d3bf60a6452

SHA256
08d11cadcd6987a6400a17b18410efa6f41c70bdaeb72f057775440beec50334

SHA512
317433e23eb6194d459aea0c0d9c2e0b13f0050065dd86d519fdb387d34b410fadf7fe6610b83ecf6ff5a2201443b63713d5b2d4c313f0590436d2b4b167b0f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6923886.exe

Filesize
397KB

MD5
267ae16e6cdf490354b9579e3fc4963f

SHA1
9b08084fb3649648e89b740aa48c30008fcb6626

SHA256
92283294c9b61675ef18c234907bedb084ab9654106c84fa276df51e4bffb4f9

SHA512
54dad305c70393e91da1a41de490d40803cc408978bf6f34087d128f34086ae0eb5f5b1f867eb31151b5a04129eeece3e068bca53a67b84b720dad95e4aedd8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g0519826.exe

Filesize
379KB

MD5
1a7bbbd10b2c78bb54a84d9486fe2871

SHA1
9d78ceb7045b9cbcc8f06954da367d9ad2f9bbf6

SHA256
d4e38dc0fe53f0fab2ff767a80696577b833670a8e6a1802c91b42d12dd9126e

SHA512
720744cad7e0ca28dd090d06ecb45342a527a4f92596b5fcd393f243f4d7fc4ed9853b451f8bc739fa10a31edfea93f47af5c4a2d13e4d93cc31c0fad453120c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h6215817.exe

Filesize
174KB

MD5
f25c4927f3890ffc7b6c39e0ab25aacc

SHA1
d6d09231434dbf3808064015f958570a1bb1ba67

SHA256
38608e178fd12217d71b300580cf34726b4f4f0387900537965a309522e7c368

SHA512
1f6513bfc3be265875d863ddcdf24aa7effe0d3da16b9b090a54bdf28f3e62a0a3eb6ebd3733a416e8c1a80eb7890adc584a85e605316a02fa4c0a41847b3444

Download Submit
memory/1004-23-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1004-25-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1004-22-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1004-26-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1004-21-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3524-30-0x00000000009E0000-0x0000000000A10000-memory.dmp

Filesize
192KB

Download
memory/3524-31-0x0000000007690000-0x0000000007696000-memory.dmp

Filesize
24KB

Download
memory/3524-32-0x000000000AE10000-0x000000000B428000-memory.dmp

Filesize
6.1MB

Download
memory/3524-33-0x000000000A990000-0x000000000AA9A000-memory.dmp

Filesize
1.0MB

Download
memory/3524-34-0x000000000A8D0000-0x000000000A8E2000-memory.dmp

Filesize
72KB

Download
memory/3524-35-0x000000000A930000-0x000000000A96C000-memory.dmp

Filesize
240KB

Download
memory/3524-36-0x000000000AAA0000-0x000000000AAEC000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads