mystic | 3c91163ea40ad7e35bac48ded16235cfe9003c914f570e27b4e2d7b3c9c46c05

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 19:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

17bfe16ecf74ce58c323a518937f2920942fbcfac377f13e045e81269c09dba7.exe
Size

858KB
MD5

870ff345d2551de9b31e3fbae0380510
SHA1

34b84a48a097243a24b31dfc0db5f75517f06230
SHA256

17bfe16ecf74ce58c323a518937f2920942fbcfac377f13e045e81269c09dba7
SHA512

ee845c6271464a2728895682d2d30a7d24a20fd47f6f2c7cc55e50cf7438bd860d290f6cbec5f42c56de072feacb7bfb6b61f3a88b447d8fe7d4a4364d44a318
SSDEEP

12288:VMrWy90CmpizQ+cKZdEtVdzVfkUe9QGF13NyzmMoP7ruUli9maGb+irj6:nyyiOKZ2ndzVTYF4c7ruUllaEy

Score

10^/10

mystic redline kukish infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kukish

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/5044-26-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral2/memory/5044-24-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral2/memory/5044-22-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral2/memory/5044-21-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2mU040Eh.exe	family_redline
behavioral2/memory/2060-29-0x0000000000CC0000-0x0000000000CFE000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

Processes:

Kn4SH4by.exeDS4ch6Fi.exe1Dt64ni8.exe2mU040Eh.exe

pid process

1964 Kn4SH4by.exe
1496 DS4ch6Fi.exe
668 1Dt64ni8.exe
2060 2mU040Eh.exe

pid	process
1964	Kn4SH4by.exe
1496	DS4ch6Fi.exe
668	1Dt64ni8.exe
2060	2mU040Eh.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

17bfe16ecf74ce58c323a518937f2920942fbcfac377f13e045e81269c09dba7.exeKn4SH4by.exeDS4ch6Fi.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	17bfe16ecf74ce58c323a518937f2920942fbcfac377f13e045e81269c09dba7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Kn4SH4by.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	DS4ch6Fi.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

1Dt64ni8.exe

description pid process target process

PID 668 set thread context of 5044 668 1Dt64ni8.exe AppLaunch.exe

description	pid	process	target process
PID 668 set thread context of 5044	668	1Dt64ni8.exe	AppLaunch.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

17bfe16ecf74ce58c323a518937f2920942fbcfac377f13e045e81269c09dba7.exeKn4SH4by.exeDS4ch6Fi.exe1Dt64ni8.exe

description	pid	process	target process
PID 4064 wrote to memory of 1964	4064	17bfe16ecf74ce58c323a518937f2920942fbcfac377f13e045e81269c09dba7.exe	Kn4SH4by.exe
PID 4064 wrote to memory of 1964	4064	17bfe16ecf74ce58c323a518937f2920942fbcfac377f13e045e81269c09dba7.exe	Kn4SH4by.exe
PID 4064 wrote to memory of 1964	4064	17bfe16ecf74ce58c323a518937f2920942fbcfac377f13e045e81269c09dba7.exe	Kn4SH4by.exe
PID 1964 wrote to memory of 1496	1964	Kn4SH4by.exe	DS4ch6Fi.exe
PID 1964 wrote to memory of 1496	1964	Kn4SH4by.exe	DS4ch6Fi.exe
PID 1964 wrote to memory of 1496	1964	Kn4SH4by.exe	DS4ch6Fi.exe
PID 1496 wrote to memory of 668	1496	DS4ch6Fi.exe	1Dt64ni8.exe
PID 1496 wrote to memory of 668	1496	DS4ch6Fi.exe	1Dt64ni8.exe
PID 1496 wrote to memory of 668	1496	DS4ch6Fi.exe	1Dt64ni8.exe
PID 668 wrote to memory of 5044	668	1Dt64ni8.exe	AppLaunch.exe
PID 668 wrote to memory of 5044	668	1Dt64ni8.exe	AppLaunch.exe
PID 668 wrote to memory of 5044	668	1Dt64ni8.exe	AppLaunch.exe
PID 668 wrote to memory of 5044	668	1Dt64ni8.exe	AppLaunch.exe
PID 668 wrote to memory of 5044	668	1Dt64ni8.exe	AppLaunch.exe
PID 668 wrote to memory of 5044	668	1Dt64ni8.exe	AppLaunch.exe
PID 668 wrote to memory of 5044	668	1Dt64ni8.exe	AppLaunch.exe
PID 668 wrote to memory of 5044	668	1Dt64ni8.exe	AppLaunch.exe
PID 668 wrote to memory of 5044	668	1Dt64ni8.exe	AppLaunch.exe
PID 668 wrote to memory of 5044	668	1Dt64ni8.exe	AppLaunch.exe
PID 1496 wrote to memory of 2060	1496	DS4ch6Fi.exe	2mU040Eh.exe
PID 1496 wrote to memory of 2060	1496	DS4ch6Fi.exe	2mU040Eh.exe
PID 1496 wrote to memory of 2060	1496	DS4ch6Fi.exe	2mU040Eh.exe

C:\Users\Admin\AppData\Local\Temp\17bfe16ecf74ce58c323a518937f2920942fbcfac377f13e045e81269c09dba7.exe
"C:\Users\Admin\AppData\Local\Temp\17bfe16ecf74ce58c323a518937f2920942fbcfac377f13e045e81269c09dba7.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4064
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Kn4SH4by.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Kn4SH4by.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1964
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\DS4ch6Fi.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\DS4ch6Fi.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1496
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Dt64ni8.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Dt64ni8.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:668
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        
        PID:5044
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2mU040Eh.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2mU040Eh.exe
      4⤵
      Executes dropped EXE
      PID:2060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Kn4SH4by.exe

Filesize
605KB

MD5
140c7f9c4482878ae86e32581a1bf162

SHA1
221a5934b6b841a6c0ffd7af64af47616f65e13f

SHA256
c7ce79754b8f43073c8120a05093e2a709d1f2d05955c88b46821ba09a9dce5a

SHA512
cd4f0a5f7b2a2eb408e015a862ff9252cd78a7b78a28922f127f602e059fe17643b207bd576756e5392c3a75fcdbea5cb433e95924923f86a0cae1653c9d32fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\DS4ch6Fi.exe

Filesize
409KB

MD5
52abe736fa506d7bbb46f06ee0dd663d

SHA1
a6114aed657c436f81543f5ac428ccf14bbd353d

SHA256
e0aa355012750dc8ec89595d6b1770a0f49da1ecb4a3b84048bf3b54f704fbba

SHA512
fb73a9361b0917bb0e74de59d6cd8109b96007e651f5f385bc9b48e858d30db09bef063a73483b5e70f003467386872c8c94ffe7ee0171df9e9dc8b6bb7510b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Dt64ni8.exe

Filesize
340KB

MD5
ec3819defcb1def0479459a07cf02070

SHA1
0d46c5bab631e6a66bf617d8f92cfb4fe36ea2ed

SHA256
c91e019691a909fc6499991d551db9fbdbb7880e596a2d078a0b9e1bc6e58092

SHA512
60f4cb6ec74df86d3ffde51e09968297d5a9277f58d4829b53e07e4d49b5500a7a08ba2ef35326388daad158b2608bdd3591ad98e793934a3c8be6a8dea839d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2mU040Eh.exe

Filesize
222KB

MD5
fa31db7a3426c71e20cba7f53c1f820b

SHA1
88d18eb491765000c7768b0e062d5824cea4d771

SHA256
d5bdf4fc0a91b73643ed7a72280cf9e51c22422d17305fb590c053028c2319f2

SHA512
b55b3adc0e39ab66acad28084418913a8d2675933d931cf540573665e5e790e280d2ad87577fe093e8fc646c56a16a629e62135cee6ef330b3749f61ff82ac92

Download Submit
memory/2060-34-0x0000000007DB0000-0x0000000007EBA000-memory.dmp

Filesize
1.0MB

Download
memory/2060-29-0x0000000000CC0000-0x0000000000CFE000-memory.dmp

Filesize
248KB

Download
memory/2060-30-0x0000000007FA0000-0x0000000008544000-memory.dmp

Filesize
5.6MB

Download
memory/2060-31-0x0000000007A90000-0x0000000007B22000-memory.dmp

Filesize
584KB

Download
memory/2060-32-0x0000000002EE0000-0x0000000002EEA000-memory.dmp

Filesize
40KB

Download
memory/2060-36-0x0000000007CE0000-0x0000000007D1C000-memory.dmp

Filesize
240KB

Download
memory/2060-37-0x0000000007D20000-0x0000000007D6C000-memory.dmp

Filesize
304KB

Download
memory/2060-35-0x0000000007C70000-0x0000000007C82000-memory.dmp

Filesize
72KB

Download
memory/2060-33-0x0000000008B70000-0x0000000009188000-memory.dmp

Filesize
6.1MB

Download
memory/5044-24-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5044-22-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5044-21-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5044-26-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download