mystic | 47889c48da4c5e390f10c04d8390b2c5d9f68bec127bf0e18bbe686b9079b922

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 17:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2a370f0b1b44ffdfd5105d8de5cdb127afee410219b503b0620c23343a163ad2.exe
Size

1.6MB
MD5

e0e4c2b865f5df2405be278fe91af7a6
SHA1

20066b59c4fd65f7a3f91dcb7c1dd045fe455a93
SHA256

2a370f0b1b44ffdfd5105d8de5cdb127afee410219b503b0620c23343a163ad2
SHA512

294bfeef8bc4ab4c297a737a784d60bc430d98354daa8360e406db10d611f70b963f51e2773f2737885d2a820df1b98680d3931f3b0c2373a767987cf27cc1ad
SSDEEP

24576:tys9DSloF9Otjdj+PN0ydouRVcHMc876hfoVbrWO946HkD9FaWQ9sXlNQFlLCQ:IsdSiPMm6ydyMcg6g354yavad9GWl

Score

10^/10

mystic redline gigant infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

gigant

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 3 IoCs

resource	yara_rule
behavioral7/memory/4140-35-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral7/memory/4140-38-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral7/memory/4140-36-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral7/files/0x0007000000023448-40.dat	family_redline
behavioral7/memory/5068-42-0x0000000000C30000-0x0000000000C6E000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
2380	WU4Ol7yL.exe
3556	Dc0Pu4XU.exe
1960	mZ0JZ3HA.exe
2972	XB1mZ9WH.exe
3716	1CW32bW8.exe
5068	2dp836cB.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	2a370f0b1b44ffdfd5105d8de5cdb127afee410219b503b0620c23343a163ad2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	WU4Ol7yL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Dc0Pu4XU.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	mZ0JZ3HA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	XB1mZ9WH.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3716 set thread context of 4140	3716	1CW32bW8.exe	90

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3644	3716	WerFault.exe	89

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 116 wrote to memory of 2380	116	2a370f0b1b44ffdfd5105d8de5cdb127afee410219b503b0620c23343a163ad2.exe	83
PID 116 wrote to memory of 2380	116	2a370f0b1b44ffdfd5105d8de5cdb127afee410219b503b0620c23343a163ad2.exe	83
PID 116 wrote to memory of 2380	116	2a370f0b1b44ffdfd5105d8de5cdb127afee410219b503b0620c23343a163ad2.exe	83
PID 2380 wrote to memory of 3556	2380	WU4Ol7yL.exe	84
PID 2380 wrote to memory of 3556	2380	WU4Ol7yL.exe	84
PID 2380 wrote to memory of 3556	2380	WU4Ol7yL.exe	84
PID 3556 wrote to memory of 1960	3556	Dc0Pu4XU.exe	86
PID 3556 wrote to memory of 1960	3556	Dc0Pu4XU.exe	86
PID 3556 wrote to memory of 1960	3556	Dc0Pu4XU.exe	86
PID 1960 wrote to memory of 2972	1960	mZ0JZ3HA.exe	87
PID 1960 wrote to memory of 2972	1960	mZ0JZ3HA.exe	87
PID 1960 wrote to memory of 2972	1960	mZ0JZ3HA.exe	87
PID 2972 wrote to memory of 3716	2972	XB1mZ9WH.exe	89
PID 2972 wrote to memory of 3716	2972	XB1mZ9WH.exe	89
PID 2972 wrote to memory of 3716	2972	XB1mZ9WH.exe	89
PID 3716 wrote to memory of 4140	3716	1CW32bW8.exe	90
PID 3716 wrote to memory of 4140	3716	1CW32bW8.exe	90
PID 3716 wrote to memory of 4140	3716	1CW32bW8.exe	90
PID 3716 wrote to memory of 4140	3716	1CW32bW8.exe	90
PID 3716 wrote to memory of 4140	3716	1CW32bW8.exe	90
PID 3716 wrote to memory of 4140	3716	1CW32bW8.exe	90
PID 3716 wrote to memory of 4140	3716	1CW32bW8.exe	90
PID 3716 wrote to memory of 4140	3716	1CW32bW8.exe	90
PID 3716 wrote to memory of 4140	3716	1CW32bW8.exe	90
PID 3716 wrote to memory of 4140	3716	1CW32bW8.exe	90
PID 2972 wrote to memory of 5068	2972	XB1mZ9WH.exe	95
PID 2972 wrote to memory of 5068	2972	XB1mZ9WH.exe	95
PID 2972 wrote to memory of 5068	2972	XB1mZ9WH.exe	95

C:\Users\Admin\AppData\Local\Temp\2a370f0b1b44ffdfd5105d8de5cdb127afee410219b503b0620c23343a163ad2.exe
"C:\Users\Admin\AppData\Local\Temp\2a370f0b1b44ffdfd5105d8de5cdb127afee410219b503b0620c23343a163ad2.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:116
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WU4Ol7yL.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WU4Ol7yL.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2380
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Dc0Pu4XU.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Dc0Pu4XU.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3556
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mZ0JZ3HA.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mZ0JZ3HA.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1960
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\XB1mZ9WH.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\XB1mZ9WH.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2972
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1CW32bW8.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1CW32bW8.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3716
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:4140
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3716 -s 576
        7⤵
        Program crash
        
        PID:3644
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2dp836cB.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2dp836cB.exe
        6⤵
        Executes dropped EXE
        
        PID:5068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3716 -ip 3716
1⤵
PID:1296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WU4Ol7yL.exe

Filesize
1.5MB

MD5
f27f7760bec49ab9e8308d111d2266a5

SHA1
0e7f55c075d0a32643ec84b3aeca9a9b2e759838

SHA256
bc5f5371c95a57a838ba392f2a3f7667bcae5b625224bee3a7ffe0783009ba9f

SHA512
107d3d91fc89911818f8912ecdfc9020d464fb7c7d499d6e4f5edf167c3521477f884aa3a5c6d7bd8493c3e7ec2930fcbf7663fa4bb46400a4d9b72eb43f7029

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Dc0Pu4XU.exe

Filesize
1.3MB

MD5
29612f4c97ade345d6d80fbbf65f12a7

SHA1
6dd8eabffe20748437e2f9f01840e89523a84ead

SHA256
33d7a4b396f9dbf28ce1737f0b5a9a4387d248077da3886046c34035cde08447

SHA512
3c301a7620321137743af12839fefaabd99f10219f357ea86b6fcf3ee20d0f22b9e20639389ca7f7e7adc96b686a5489e60b30afa76c5f7ed822e527173672be

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mZ0JZ3HA.exe

Filesize
821KB

MD5
6e7b4ffe12c7af99ecff8a8d0032d0e9

SHA1
72defc4e72746444942f33bc1952c2f835a08397

SHA256
982a64efb33b1452fbc47bfb5ed18763f915640a670d42e1aad7e3934ef64841

SHA512
08c96d851de5f71e701d0fb45d238e1c0a09369d13128412d73ea7d85b936787153a0253a3a10414297efa6f02b86a63978e941e4e6fa6c8824f518bbc85480b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\XB1mZ9WH.exe

Filesize
649KB

MD5
20cd032aac41f7d8bd21436cbb45730b

SHA1
93d77335f8a5f248a79c12d913e3ac9b2c1ccd0a

SHA256
d5a2cebfce33f5be852be91299f039615a7b898668ca86582cad3ad9120e18a9

SHA512
5cd2323b97db9bf2bf56c7933678c43e6898aec5467f0a8b285be316f2aa0dd0db6d60416b833ceb330e1ab32b6407f8218641f3f78f2418d6119edc148c5213

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1CW32bW8.exe

Filesize
1.7MB

MD5
144dc3c0a5275a93ff86f00b5c61b9ec

SHA1
784168ab3c4711737656ca13dc4cb59ca267fa45

SHA256
179649325e561f83a53c5cba99cd8f1f589064c8d0f2029fb8e06f61ae986787

SHA512
9af6a9870077621eb046d6fed0fac88eba35edd4cd5e60f49c46018ab633d5cc77ddb9a93886178544198099a4e3b20726a32729ec9d1cf89524b4a579afb783

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2dp836cB.exe

Filesize
231KB

MD5
7dc94dc800a6607860f365ae4db21e8e

SHA1
20710d26a7da859f802f0a2280cc1c5eabed3c6e

SHA256
59e0be0b2bf90e975c374417706984689e24d7ca18c246b9c3332e6888977a36

SHA512
8a30fb08c5ca40846b6d9c71e4fa059aa353bff7292d1117898ab122697875ac42b4d2dbbf6e2933b6427c71dc9167259c9d17c89add051f645996f3834eab53

Download Submit
memory/4140-38-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4140-36-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4140-35-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/5068-42-0x0000000000C30000-0x0000000000C6E000-memory.dmp

Filesize
248KB

Download
memory/5068-43-0x0000000007F10000-0x00000000084B4000-memory.dmp

Filesize
5.6MB

Download
memory/5068-44-0x0000000007A00000-0x0000000007A92000-memory.dmp

Filesize
584KB

Download
memory/5068-45-0x0000000002EA0000-0x0000000002EAA000-memory.dmp

Filesize
40KB

Download
memory/5068-46-0x0000000008AE0000-0x00000000090F8000-memory.dmp

Filesize
6.1MB

Download
memory/5068-47-0x0000000007D40000-0x0000000007E4A000-memory.dmp

Filesize
1.0MB

Download
memory/5068-48-0x0000000007AF0000-0x0000000007B02000-memory.dmp

Filesize
72KB

Download
memory/5068-49-0x0000000007C70000-0x0000000007CAC000-memory.dmp

Filesize
240KB

Download
memory/5068-50-0x0000000007CB0000-0x0000000007CFC000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads