mystic | 60fcc3045e1b1073753937ff8c184c464a45ea76225a406024335c07f898cf7b

Analysis

max time kernel
143s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 17:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

76530ae1ec02b17edec61d3cc10e4d427d09d91fe530ef27c17cd6c848152823.exe
Size

1.2MB
MD5

64296d253afe98d3345aa143eb8c34fd
SHA1

9e2cfb181c01a8a1b1764ca0e61510c4e841e951
SHA256

76530ae1ec02b17edec61d3cc10e4d427d09d91fe530ef27c17cd6c848152823
SHA512

04ba1538fc69df40e6c6621dacfb3968f2fcfbb4abc2f99dbc4dd9b567aaad939aa94a2075167a001aa267dfbebb8069c4779ea20102d367554f64bae7769282
SSDEEP

24576:Fyv/GCWfXiX/tb5qMYzV5R79Xr+REto4sDRy8CgSj5Thhh82ACEOz:gvuCWyX/tFuVftaRF4scgSjBHARO

Score

10^/10

mystic redline gigant infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

gigant

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 3 IoCs

resource	yara_rule
behavioral7/memory/3336-35-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral7/memory/3336-38-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral7/memory/3336-36-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral7/files/0x0007000000023438-40.dat	family_redline
behavioral7/memory/1892-42-0x0000000000EF0000-0x0000000000F2E000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
4264	Ng7aD2bR.exe
4680	dE9Eo9iJ.exe
4436	nf1dd2lb.exe
1160	gY5Ah4dP.exe
2528	1Iq36bO1.exe
1892	2EL819wi.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	76530ae1ec02b17edec61d3cc10e4d427d09d91fe530ef27c17cd6c848152823.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Ng7aD2bR.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	dE9Eo9iJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	nf1dd2lb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	gY5Ah4dP.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2528 set thread context of 3336	2528	1Iq36bO1.exe	90

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4744	2528	WerFault.exe	87

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 5108 wrote to memory of 4264	5108	76530ae1ec02b17edec61d3cc10e4d427d09d91fe530ef27c17cd6c848152823.exe	83
PID 5108 wrote to memory of 4264	5108	76530ae1ec02b17edec61d3cc10e4d427d09d91fe530ef27c17cd6c848152823.exe	83
PID 5108 wrote to memory of 4264	5108	76530ae1ec02b17edec61d3cc10e4d427d09d91fe530ef27c17cd6c848152823.exe	83
PID 4264 wrote to memory of 4680	4264	Ng7aD2bR.exe	84
PID 4264 wrote to memory of 4680	4264	Ng7aD2bR.exe	84
PID 4264 wrote to memory of 4680	4264	Ng7aD2bR.exe	84
PID 4680 wrote to memory of 4436	4680	dE9Eo9iJ.exe	85
PID 4680 wrote to memory of 4436	4680	dE9Eo9iJ.exe	85
PID 4680 wrote to memory of 4436	4680	dE9Eo9iJ.exe	85
PID 4436 wrote to memory of 1160	4436	nf1dd2lb.exe	86
PID 4436 wrote to memory of 1160	4436	nf1dd2lb.exe	86
PID 4436 wrote to memory of 1160	4436	nf1dd2lb.exe	86
PID 1160 wrote to memory of 2528	1160	gY5Ah4dP.exe	87
PID 1160 wrote to memory of 2528	1160	gY5Ah4dP.exe	87
PID 1160 wrote to memory of 2528	1160	gY5Ah4dP.exe	87
PID 2528 wrote to memory of 3336	2528	1Iq36bO1.exe	90
PID 2528 wrote to memory of 3336	2528	1Iq36bO1.exe	90
PID 2528 wrote to memory of 3336	2528	1Iq36bO1.exe	90
PID 2528 wrote to memory of 3336	2528	1Iq36bO1.exe	90
PID 2528 wrote to memory of 3336	2528	1Iq36bO1.exe	90
PID 2528 wrote to memory of 3336	2528	1Iq36bO1.exe	90
PID 2528 wrote to memory of 3336	2528	1Iq36bO1.exe	90
PID 2528 wrote to memory of 3336	2528	1Iq36bO1.exe	90
PID 2528 wrote to memory of 3336	2528	1Iq36bO1.exe	90
PID 2528 wrote to memory of 3336	2528	1Iq36bO1.exe	90
PID 1160 wrote to memory of 1892	1160	gY5Ah4dP.exe	96
PID 1160 wrote to memory of 1892	1160	gY5Ah4dP.exe	96
PID 1160 wrote to memory of 1892	1160	gY5Ah4dP.exe	96

C:\Users\Admin\AppData\Local\Temp\76530ae1ec02b17edec61d3cc10e4d427d09d91fe530ef27c17cd6c848152823.exe
"C:\Users\Admin\AppData\Local\Temp\76530ae1ec02b17edec61d3cc10e4d427d09d91fe530ef27c17cd6c848152823.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5108
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ng7aD2bR.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ng7aD2bR.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4264
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dE9Eo9iJ.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dE9Eo9iJ.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4680
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nf1dd2lb.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nf1dd2lb.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4436
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\gY5Ah4dP.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\gY5Ah4dP.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1160
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Iq36bO1.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Iq36bO1.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2528
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:3336
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 152
        7⤵
        Program crash
        
        PID:4744
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2EL819wi.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2EL819wi.exe
        6⤵
        Executes dropped EXE
        
        PID:1892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2528 -ip 2528
1⤵
PID:2176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ng7aD2bR.exe

Filesize
1.0MB

MD5
f79798f34fc4005a19200e86bd3e9cb4

SHA1
74ecaa83afb9b381a13bdcd98824f17dd415647a

SHA256
8c3c63e998f363f21f3868e00c752e33b283fdd5eff95b1242281314cd5872ab

SHA512
5f45c3984785292f050e12f42542b6f1ed39dacad3fa5680f0269ce4726e302bd564259ba7f6eb2fe9d33913ff6e2b373ebab39034571ba11296e1ba9f21c20b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dE9Eo9iJ.exe

Filesize
883KB

MD5
0e5b46d5412d23e44b4f171140379971

SHA1
c02f47904f3a8e7c93512eef718fe8806c79710b

SHA256
a6d28d183ae445d952f7450cfe097d8f206aabda7f6c8d559d4989d2f6e66b31

SHA512
fd27f09329241fbdeeb4f626db788673311463a93d2c569ffe5e8c68fe7811e54c0ac55941df1dfc41f08f768bf0890053202c3525289bc22cd61d66da156da2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nf1dd2lb.exe

Filesize
590KB

MD5
ce0e47b4d4d441988b9a05b5beaf61fe

SHA1
fa77c062d38206cc3a2c683342300bef76bb9731

SHA256
faff47b4643dcd0b6be7d8a9db82152975f2516eded2d6471f9ec4bc53d02103

SHA512
9145e1bbc63111c9bd7b0d8bb3cb4e0b87493d000ac34dbfc8f1513fd1b06260ea8723118d4829154fa357ee4e607f0163673d329db248158afd3d2129c8f17f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\gY5Ah4dP.exe

Filesize
417KB

MD5
780f1c07c8011bb04f38bb27a7b287d6

SHA1
e6723c4ac53f779a4e08b1947f4cf34301ec8b7a

SHA256
f337d2980dc40e46cc11f996afae881dc7883f883762edc9039e22fb0b457f7d

SHA512
75589c82d0ee4d05d202bf9efe59c5800bc27cd3d943411f578116638a29fa8c5132975ff4a9e4bbb8220baf852b49dbe47cfd1f5de9eb55a99aebab23387870

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Iq36bO1.exe

Filesize
378KB

MD5
ad92cb9e663b66e6a185f29daf9a29ba

SHA1
94b0fe6a9248b6ea257fb6f06dd8ffd16e86bb88

SHA256
07d2211b12435653a8d496df65f9513837c9e77f4d446d2c1a408d48d9841fa4

SHA512
730ec03e674b1d3c613fe6b88f9e66001a8f96f54a735c0b3473065cb338c1f9977318eb6e67468443f197b67586d3b143fe65f6b365b1c74a394828f96fa641

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2EL819wi.exe

Filesize
231KB

MD5
94df4a155727d948b773c270dc581a3f

SHA1
2ae3f4802f67ffb5d1c7b0cba62eabe12b3886a6

SHA256
8f5361a68e4dd88d18a14bff772f069c8cf849b98e92706fbfd6d8fc4ef205e4

SHA512
ef34519b7a5681e8b76201bf0aa1c19b0646f1922d915e9e0706bb723c1b60ae8893d818fb7072951f70d63b5596f3d58327fb5eb1e278c7899812af873b25cf

Download Submit
memory/1892-42-0x0000000000EF0000-0x0000000000F2E000-memory.dmp

Filesize
248KB

Download
memory/1892-43-0x0000000008380000-0x0000000008924000-memory.dmp

Filesize
5.6MB

Download
memory/1892-44-0x0000000007E70000-0x0000000007F02000-memory.dmp

Filesize
584KB

Download
memory/1892-45-0x0000000005390000-0x000000000539A000-memory.dmp

Filesize
40KB

Download
memory/1892-46-0x0000000008F50000-0x0000000009568000-memory.dmp

Filesize
6.1MB

Download
memory/1892-47-0x00000000081C0000-0x00000000082CA000-memory.dmp

Filesize
1.0MB

Download
memory/1892-48-0x0000000007E40000-0x0000000007E52000-memory.dmp

Filesize
72KB

Download
memory/1892-49-0x0000000008040000-0x000000000807C000-memory.dmp

Filesize
240KB

Download
memory/1892-50-0x00000000080B0000-0x00000000080FC000-memory.dmp

Filesize
304KB

Download
memory/3336-38-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3336-36-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3336-35-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads