mystic | 60fcc3045e1b1073753937ff8c184c464a45ea76225a406024335c07f898cf7b

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 17:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3c1c5a94c544c2a364bd35ce85960c65491d88d7fb81760c2fdfa3e60a24f169.exe
Size

271KB
MD5

dc1fc4f950e5fd66dbfee85aeeb7ded1
SHA1

08b4ae89d28de9e61f25392d2972623172f4e9d7
SHA256

3c1c5a94c544c2a364bd35ce85960c65491d88d7fb81760c2fdfa3e60a24f169
SHA512

9a715e619be4f29bc07fa088d2ee5f5ccbcc49ceccb5b92f0e174e41a551f246c231cbe8c98a491d44129ed2dbb0abdde7b68339ece5fe121e10b118fb4b068e
SSDEEP

6144:Kgy+bnr+cp0yN90QEtrQPo8m1NNUuTjcj1rO6Tg:wMrAy90cQ8mdNTjcjNzg

Score

10^/10

mystic redline ramon infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

ramon

77.91.124.82:19071

Attributes

auth_value
3197576965d9513f115338c233015b40

Signatures

Detect Mystic stealer payload 1 IoCs

resource	yara_rule
behavioral6/files/0x000a00000002341e-5.dat	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral6/files/0x000700000002343e-8.dat	family_redline
behavioral6/memory/2436-11-0x00000000001E0000-0x0000000000210000-memory.dmp	family_redline

Executes dropped EXE 2 IoCs

pid	Process
640	m5746863.exe
2436	n7832483.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	3c1c5a94c544c2a364bd35ce85960c65491d88d7fb81760c2fdfa3e60a24f169.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2732 wrote to memory of 640	2732	3c1c5a94c544c2a364bd35ce85960c65491d88d7fb81760c2fdfa3e60a24f169.exe	83
PID 2732 wrote to memory of 640	2732	3c1c5a94c544c2a364bd35ce85960c65491d88d7fb81760c2fdfa3e60a24f169.exe	83
PID 2732 wrote to memory of 640	2732	3c1c5a94c544c2a364bd35ce85960c65491d88d7fb81760c2fdfa3e60a24f169.exe	83
PID 2732 wrote to memory of 2436	2732	3c1c5a94c544c2a364bd35ce85960c65491d88d7fb81760c2fdfa3e60a24f169.exe	84
PID 2732 wrote to memory of 2436	2732	3c1c5a94c544c2a364bd35ce85960c65491d88d7fb81760c2fdfa3e60a24f169.exe	84
PID 2732 wrote to memory of 2436	2732	3c1c5a94c544c2a364bd35ce85960c65491d88d7fb81760c2fdfa3e60a24f169.exe	84

C:\Users\Admin\AppData\Local\Temp\3c1c5a94c544c2a364bd35ce85960c65491d88d7fb81760c2fdfa3e60a24f169.exe
"C:\Users\Admin\AppData\Local\Temp\3c1c5a94c544c2a364bd35ce85960c65491d88d7fb81760c2fdfa3e60a24f169.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2732
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m5746863.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m5746863.exe
  2⤵
  - Executes dropped EXE
  PID:640
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n7832483.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n7832483.exe
  2⤵
  - Executes dropped EXE
  PID:2436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m5746863.exe

Filesize
140KB

MD5
8a09e1dbc8978ee955946a599161d6e4

SHA1
8d07e10f38776dcb06017f1c1eca443d149bd356

SHA256
1924a5dcf2866945d14fb719ebaf1f3faefc56ec600237ca0170b155b88062c6

SHA512
2a444e9504e37420b8893ce0780cc1bde9057772daabdfadda79beb7d0d4b24dd27d3ac6a787d638cb047eafd8f48d554d225e5123a0bafd1b1b31795e5384fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n7832483.exe

Filesize
174KB

MD5
d94aac6d72c51acde749a455df3addbc

SHA1
b6b2773903cb03c4c56ea859b27ae06a2aa28e82

SHA256
7c9e7fa7d01ae570e9eedf732cadc1f69caff65d6c59c521347e39216cfaf91a

SHA512
bf2faf2c48b4ba31c830627ca2fa2983c200d427e15a59b0a3d2b262db6a937e1436da13f18e3c3a3bf9ee89761c1571b6190f56684264961163bf7b78da49d1

Download Submit
memory/2436-10-0x000000007483E000-0x000000007483F000-memory.dmp

Filesize
4KB

Download
memory/2436-11-0x00000000001E0000-0x0000000000210000-memory.dmp

Filesize
192KB

Download
memory/2436-12-0x0000000002380000-0x0000000002386000-memory.dmp

Filesize
24KB

Download
memory/2436-13-0x000000000A500000-0x000000000AB18000-memory.dmp

Filesize
6.1MB

Download
memory/2436-14-0x000000000A050000-0x000000000A15A000-memory.dmp

Filesize
1.0MB

Download
memory/2436-15-0x0000000009F90000-0x0000000009FA2000-memory.dmp

Filesize
72KB

Download
memory/2436-16-0x0000000009FF0000-0x000000000A02C000-memory.dmp

Filesize
240KB

Download
memory/2436-17-0x0000000074830000-0x0000000074FE0000-memory.dmp

Filesize
7.7MB

Download
memory/2436-18-0x00000000044F0000-0x000000000453C000-memory.dmp

Filesize
304KB

Download
memory/2436-19-0x000000007483E000-0x000000007483F000-memory.dmp

Filesize
4KB

Download
memory/2436-20-0x0000000074830000-0x0000000074FE0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads