mystic | 75edb521bbb0ae12b7c2c52fa6e3ed769f4e764e26b92ef2dc4d7cb78ed92fd9

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 18:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

526be697bff16798a7b0db1272f29ee6e6e4a0d2f8779f857ebe162729e247a7.exe
Size

1.2MB
MD5

bdf7fc6e400c2bc8dafca00732a7b259
SHA1

75ba29a05598998dca24bb52c7d311a6fe219c48
SHA256

526be697bff16798a7b0db1272f29ee6e6e4a0d2f8779f857ebe162729e247a7
SHA512

e13ce7b519e6da87493183e2699f38e5171359e8a824074e6d6e92ba1ad9d29b87db2ece73a79156168741e681728122bef2f666fc274deaf5c5306c41b476d0
SSDEEP

24576:7yWodOfzIjZJXcoF7shLxvqA1UcHD7qHINivyoma19je:uWvIZdrF7s1xvqKHD7qHIIvyDa19

Score

10^/10

mystic redline gigant infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

gigant

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 3 IoCs

Processes:

resource	yara_rule
behavioral5/memory/452-38-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral5/memory/452-36-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral5/memory/452-35-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Mm690BL.exe	family_redline
behavioral5/memory/1364-42-0x00000000002F0000-0x000000000032E000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

Processes:

np0kT0LJ.exePt8iu6Yp.exeXE8tc0Nc.exeGw0Ca5xM.exe1WV96ea9.exe2Mm690BL.exe

pid process

2300 np0kT0LJ.exe
1864 Pt8iu6Yp.exe
4584 XE8tc0Nc.exe
2424 Gw0Ca5xM.exe
3692 1WV96ea9.exe
1364 2Mm690BL.exe

pid	process
2300	np0kT0LJ.exe
1864	Pt8iu6Yp.exe
4584	XE8tc0Nc.exe
2424	Gw0Ca5xM.exe
3692	1WV96ea9.exe
1364	2Mm690BL.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

526be697bff16798a7b0db1272f29ee6e6e4a0d2f8779f857ebe162729e247a7.exenp0kT0LJ.exePt8iu6Yp.exeXE8tc0Nc.exeGw0Ca5xM.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	526be697bff16798a7b0db1272f29ee6e6e4a0d2f8779f857ebe162729e247a7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	np0kT0LJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Pt8iu6Yp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	XE8tc0Nc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	Gw0Ca5xM.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

1WV96ea9.exe

description pid process target process

PID 3692 set thread context of 452 3692 1WV96ea9.exe AppLaunch.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4080 3692 WerFault.exe 1WV96ea9.exe

description	pid	process	target process
PID 3692 set thread context of 452	3692	1WV96ea9.exe	AppLaunch.exe

pid	pid_target	process	target process
4080	3692	WerFault.exe	1WV96ea9.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

526be697bff16798a7b0db1272f29ee6e6e4a0d2f8779f857ebe162729e247a7.exenp0kT0LJ.exePt8iu6Yp.exeXE8tc0Nc.exeGw0Ca5xM.exe1WV96ea9.exe

description	pid	process	target process
PID 1896 wrote to memory of 2300	1896	526be697bff16798a7b0db1272f29ee6e6e4a0d2f8779f857ebe162729e247a7.exe	np0kT0LJ.exe
PID 1896 wrote to memory of 2300	1896	526be697bff16798a7b0db1272f29ee6e6e4a0d2f8779f857ebe162729e247a7.exe	np0kT0LJ.exe
PID 1896 wrote to memory of 2300	1896	526be697bff16798a7b0db1272f29ee6e6e4a0d2f8779f857ebe162729e247a7.exe	np0kT0LJ.exe
PID 2300 wrote to memory of 1864	2300	np0kT0LJ.exe	Pt8iu6Yp.exe
PID 2300 wrote to memory of 1864	2300	np0kT0LJ.exe	Pt8iu6Yp.exe
PID 2300 wrote to memory of 1864	2300	np0kT0LJ.exe	Pt8iu6Yp.exe
PID 1864 wrote to memory of 4584	1864	Pt8iu6Yp.exe	XE8tc0Nc.exe
PID 1864 wrote to memory of 4584	1864	Pt8iu6Yp.exe	XE8tc0Nc.exe
PID 1864 wrote to memory of 4584	1864	Pt8iu6Yp.exe	XE8tc0Nc.exe
PID 4584 wrote to memory of 2424	4584	XE8tc0Nc.exe	Gw0Ca5xM.exe
PID 4584 wrote to memory of 2424	4584	XE8tc0Nc.exe	Gw0Ca5xM.exe
PID 4584 wrote to memory of 2424	4584	XE8tc0Nc.exe	Gw0Ca5xM.exe
PID 2424 wrote to memory of 3692	2424	Gw0Ca5xM.exe	1WV96ea9.exe
PID 2424 wrote to memory of 3692	2424	Gw0Ca5xM.exe	1WV96ea9.exe
PID 2424 wrote to memory of 3692	2424	Gw0Ca5xM.exe	1WV96ea9.exe
PID 3692 wrote to memory of 452	3692	1WV96ea9.exe	AppLaunch.exe
PID 3692 wrote to memory of 452	3692	1WV96ea9.exe	AppLaunch.exe
PID 3692 wrote to memory of 452	3692	1WV96ea9.exe	AppLaunch.exe
PID 3692 wrote to memory of 452	3692	1WV96ea9.exe	AppLaunch.exe
PID 3692 wrote to memory of 452	3692	1WV96ea9.exe	AppLaunch.exe
PID 3692 wrote to memory of 452	3692	1WV96ea9.exe	AppLaunch.exe
PID 3692 wrote to memory of 452	3692	1WV96ea9.exe	AppLaunch.exe
PID 3692 wrote to memory of 452	3692	1WV96ea9.exe	AppLaunch.exe
PID 3692 wrote to memory of 452	3692	1WV96ea9.exe	AppLaunch.exe
PID 3692 wrote to memory of 452	3692	1WV96ea9.exe	AppLaunch.exe
PID 2424 wrote to memory of 1364	2424	Gw0Ca5xM.exe	2Mm690BL.exe
PID 2424 wrote to memory of 1364	2424	Gw0Ca5xM.exe	2Mm690BL.exe
PID 2424 wrote to memory of 1364	2424	Gw0Ca5xM.exe	2Mm690BL.exe

C:\Users\Admin\AppData\Local\Temp\526be697bff16798a7b0db1272f29ee6e6e4a0d2f8779f857ebe162729e247a7.exe
"C:\Users\Admin\AppData\Local\Temp\526be697bff16798a7b0db1272f29ee6e6e4a0d2f8779f857ebe162729e247a7.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1896

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\np0kT0LJ.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\np0kT0LJ.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2300

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Pt8iu6Yp.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Pt8iu6Yp.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1864

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\XE8tc0Nc.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\XE8tc0Nc.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4584

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Gw0Ca5xM.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Gw0Ca5xM.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2424

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1WV96ea9.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1WV96ea9.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3692

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
PID:452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3692 -s 592
7⤵
- Program crash
PID:4080

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Mm690BL.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Mm690BL.exe
6⤵
- Executes dropped EXE
PID:1364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3692 -ip 3692
1⤵
PID:884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\np0kT0LJ.exe
Filesize
1.0MB

MD5
38d4617642d991ba91c8022248965256

SHA1
be9a7449109bb0e49868e000b58582b9d12cf694

SHA256
9be23839da2d01429bafced3c98a522008198bc52811b5e3876ad0d5def4b899

SHA512
171cda5184c0350f522f3c5a509df5ca545bbe2619831fdbe29c7658e9ab03a25773e5efdd7a690edcb47277e85c385cdd89ebfce9d7a5c0d831c897d30bac59

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Pt8iu6Yp.exe
Filesize
883KB

MD5
b1b28885f23879361301c0be47a9eb92

SHA1
3dec5992819a7e3f21ed1e40176acff72e1681c6

SHA256
539969d819fb8e1b7ac3dfabc3a5a1de81d6dcfb64a458986fb33c300f17bbba

SHA512
29bbb12bcc25feb8f7c08252711a909bf61db9af43dd269226163dcd51428ed2c5abe7b78d6d32652895469c1972fe1c2cdec6cb6fdbb433f9785f188d0c8dd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\XE8tc0Nc.exe
Filesize
590KB

MD5
4731613dbaf4d2a2f6714f902936f034

SHA1
9a6d29ffd939e978af62e2e06033b2f4f280017e

SHA256
5dab0bf3bb1da6ff8f153d076bb74e62deae5b8ff5290f417f14528c3f4205eb

SHA512
e88d8f6b43f34f96e5e3be66be09a8fbe23efbf4107ad3123cf7c860fa6766482b451e90f631ce7cfa417bd8ae4fda306d737562a44c068d3cdecbdbd3c71c70

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Gw0Ca5xM.exe
Filesize
417KB

MD5
a9e032e8b840ba9be29467b2cec7d064

SHA1
2e75b73ee8159cbd272d4d07bb9cc42a518dd9fe

SHA256
bc1821a8177193e2638ad6fa7a7844079d80a8d61688d6799bc0e19c973151a7

SHA512
2cfbd1b76da96b8756b2e28b4616765e370cf07b7f503f525f3b35624701c6c1ceeca1a8c7ed498926b10d21236311f6c49c6887e7ed90a4d0e619a581cd6c3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1WV96ea9.exe
Filesize
378KB

MD5
6b0426968d436077c45be812c9236a06

SHA1
9d7566f494a88d09e7b31f0765aba2c54dd96eef

SHA256
d4046bab99dd1b244fe36b24db2a13cc9db5bc35a25c530a5b84a14839d9f169

SHA512
9856e1bc3407e074a26163fec15ea54d49ec91e49b8df265133ecf527109bdb1a06f55656ff6e8a4b5fd48e402ed73ec1a0f3ef66cebd626f6f06d1e91c39fbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Mm690BL.exe
Filesize
231KB

MD5
932d7df73b1dfbcfec4858f5af30329a

SHA1
64381a37d9909d026d80ef7092994693d3a6e593

SHA256
df254302a4798401b269840c1157238c3b5acd34fe70741d480b0227a317a6f0

SHA512
c7dedf391760386acec3f4c8dbeec28c5cdf4a4b1468f4bec045c7f0b781c786cd6c80ea410abf62dbd1ad488532d0c598e6b0c470b555d70a50ca407a85ffd8

Download Submit
memory/452-36-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/452-35-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/452-38-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1364-42-0x00000000002F0000-0x000000000032E000-memory.dmp

Filesize
248KB

Download
memory/1364-43-0x0000000007670000-0x0000000007C14000-memory.dmp

Filesize
5.6MB

Download
memory/1364-44-0x00000000071B0000-0x0000000007242000-memory.dmp

Filesize
584KB

Download
memory/1364-45-0x0000000004730000-0x000000000473A000-memory.dmp

Filesize
40KB

Download
memory/1364-46-0x0000000008240000-0x0000000008858000-memory.dmp

Filesize
6.1MB

Download
memory/1364-48-0x00000000073F0000-0x0000000007402000-memory.dmp

Filesize
72KB

Download
memory/1364-49-0x0000000007450000-0x000000000748C000-memory.dmp

Filesize
240KB

Download
memory/1364-47-0x00000000074C0000-0x00000000075CA000-memory.dmp

Filesize
1.0MB

Download
memory/1364-50-0x00000000075D0000-0x000000000761C000-memory.dmp

Filesize
304KB

Download