mystic | 60fcc3045e1b1073753937ff8c184c464a45ea76225a406024335c07f898cf7b

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 17:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3ab0d6f60e85d2715c3d7d4bba0696acfdc80b3976f4f9ae742a64515fae6c46.exe
Size

590KB
MD5

6713c091354f340e91c365beab49c32f
SHA1

b252a29c9d17f0ed8fdfed01a696b8e56502746e
SHA256

3ab0d6f60e85d2715c3d7d4bba0696acfdc80b3976f4f9ae742a64515fae6c46
SHA512

d941f621ed9cef82418af2b867155c9fe3224138ebb10c2b8f95d13b7ec5ba9898833253b13a0d108b3cb60980a12b4c6a604ee68335d883b3cab7a99d187bab
SSDEEP

12288:0MrRy90ha4BFRZfAkDaFgG+qbeEarieMjhcs5Egfq0pOu54:1ykSkDNWeajCslfq44

Score

10^/10

mystic redline gigant infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

gigant

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral5/memory/2836-14-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral5/memory/2836-16-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral5/memory/2836-18-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral5/memory/2836-15-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral5/files/0x0007000000023566-21.dat	family_redline
behavioral5/memory/1352-22-0x0000000000440000-0x000000000047E000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

pid	Process
2448	KH2sI3QE.exe
3668	1EO10Mv8.exe
1352	2FR597TD.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	3ab0d6f60e85d2715c3d7d4bba0696acfdc80b3976f4f9ae742a64515fae6c46.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	KH2sI3QE.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3668 set thread context of 2836	3668	1EO10Mv8.exe	93

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1012	3668	WerFault.exe	91
868	2836	WerFault.exe	93

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 3320 wrote to memory of 2448	3320	3ab0d6f60e85d2715c3d7d4bba0696acfdc80b3976f4f9ae742a64515fae6c46.exe	90
PID 3320 wrote to memory of 2448	3320	3ab0d6f60e85d2715c3d7d4bba0696acfdc80b3976f4f9ae742a64515fae6c46.exe	90
PID 3320 wrote to memory of 2448	3320	3ab0d6f60e85d2715c3d7d4bba0696acfdc80b3976f4f9ae742a64515fae6c46.exe	90
PID 2448 wrote to memory of 3668	2448	KH2sI3QE.exe	91
PID 2448 wrote to memory of 3668	2448	KH2sI3QE.exe	91
PID 2448 wrote to memory of 3668	2448	KH2sI3QE.exe	91
PID 3668 wrote to memory of 2836	3668	1EO10Mv8.exe	93
PID 3668 wrote to memory of 2836	3668	1EO10Mv8.exe	93
PID 3668 wrote to memory of 2836	3668	1EO10Mv8.exe	93
PID 3668 wrote to memory of 2836	3668	1EO10Mv8.exe	93
PID 3668 wrote to memory of 2836	3668	1EO10Mv8.exe	93
PID 3668 wrote to memory of 2836	3668	1EO10Mv8.exe	93
PID 3668 wrote to memory of 2836	3668	1EO10Mv8.exe	93
PID 3668 wrote to memory of 2836	3668	1EO10Mv8.exe	93
PID 3668 wrote to memory of 2836	3668	1EO10Mv8.exe	93
PID 3668 wrote to memory of 2836	3668	1EO10Mv8.exe	93
PID 2448 wrote to memory of 1352	2448	KH2sI3QE.exe	102
PID 2448 wrote to memory of 1352	2448	KH2sI3QE.exe	102
PID 2448 wrote to memory of 1352	2448	KH2sI3QE.exe	102

C:\Users\Admin\AppData\Local\Temp\3ab0d6f60e85d2715c3d7d4bba0696acfdc80b3976f4f9ae742a64515fae6c46.exe
"C:\Users\Admin\AppData\Local\Temp\3ab0d6f60e85d2715c3d7d4bba0696acfdc80b3976f4f9ae742a64515fae6c46.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3320
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\KH2sI3QE.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\KH2sI3QE.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2448
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1EO10Mv8.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1EO10Mv8.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:3668
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:2836
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2836 -s 200
        5⤵
        Program crash
        
        PID:868
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3668 -s 156
      4⤵
      Program crash
      PID:1012
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2FR597TD.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2FR597TD.exe
    3⤵
    - Executes dropped EXE
    PID:1352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3668 -ip 3668
1⤵
PID:4644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2836 -ip 2836
1⤵
PID:3048

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4612,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=4132 /prefetch:8
1⤵
PID:4828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\KH2sI3QE.exe

Filesize
417KB

MD5
37087c44a4ab90bef49486707ea9658c

SHA1
826782c3ce4d0058fcfe6acd73a7c54ef0007b2c

SHA256
8b8c79ca98eefb9f35586c733bdb903e1f0727e7f36a7c7806de2547e4e2de10

SHA512
858725aac0ffb62a2ccd01cdf97ad0df004c4ead933c5f7c632d66ad84e8f43510cb48dd30820062b0758e43a5fae2bb5ab16955f6249b3a49fb6e9c2570c8c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1EO10Mv8.exe

Filesize
378KB

MD5
7ec39f6968947d87a4ac10c4ba42329d

SHA1
e9831a129df3e392d5ad0293a663e39997324586

SHA256
7baa875614f8c6d2016e4a41ab538208031a23223a12dce9592ea50d4331dd91

SHA512
e03edebd3d54b63ba9e685a4f8806f9416c636dc791725f77854cee0120ae54b9012001df431e42dbb69fa11e59101af9213a1cc31404bf17a4743ac53c18d99

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2FR597TD.exe

Filesize
231KB

MD5
418a87b0ed802e0ec84cc5afe48c82fe

SHA1
5842f2f60755ad02a1b2976957787d2468cf91dd

SHA256
b52d9b03ee5602e56140c1bd43bad5261ead52d6fec5582b481132e2f6555890

SHA512
c7629bf6bc4e506fbe80cdac0702a6e6c6c58cd6750b8ca16f9613cd6b8ec85b6a217b88a479b6482da20f137d29c18c8b8d778adecadc42c3f0ac58518dc5ef

Download Submit
memory/1352-27-0x0000000007610000-0x000000000771A000-memory.dmp

Filesize
1.0MB

Download
memory/1352-22-0x0000000000440000-0x000000000047E000-memory.dmp

Filesize
248KB

Download
memory/1352-23-0x0000000007790000-0x0000000007D34000-memory.dmp

Filesize
5.6MB

Download
memory/1352-24-0x0000000007280000-0x0000000007312000-memory.dmp

Filesize
584KB

Download
memory/1352-25-0x00000000026E0000-0x00000000026EA000-memory.dmp

Filesize
40KB

Download
memory/1352-26-0x0000000008360000-0x0000000008978000-memory.dmp

Filesize
6.1MB

Download
memory/1352-28-0x0000000007250000-0x0000000007262000-memory.dmp

Filesize
72KB

Download
memory/1352-29-0x0000000007360000-0x000000000739C000-memory.dmp

Filesize
240KB

Download
memory/1352-30-0x00000000073A0000-0x00000000073EC000-memory.dmp

Filesize
304KB

Download
memory/2836-18-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2836-15-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2836-16-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2836-14-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads