mystic | 2dae798f2fcb49ad5f375700dcbe54c08e9cc5c25fe542ebd7939aa5f5f023aa

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 18:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

695cd347d1d92d0b9066594b4970367e5d1c92c1b9b4885e6615432f165fc26a.exe
Size

1.2MB
MD5

c67e62ad4b7137f920527c3694dbfc00
SHA1

8603e8d58c50d129ae643d421cb0281c2e855200
SHA256

695cd347d1d92d0b9066594b4970367e5d1c92c1b9b4885e6615432f165fc26a
SHA512

b6bbe524bd04578cb83db4ca5947876a7d80e6eb2951eb336416a7dde6a251bcc8d4897fed4778ef19b218ffed7e0ee47c84549ffcce943394ddcfd1e3dc4f40
SSDEEP

24576:6yO0OwQUN5eeYDLKt+6roiPIc/lv6q/qxU8L:BCU+eYDLEZoktyoqxU

Score

10^/10

mystic redline gigant infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

gigant

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 3 IoCs

Processes:

resource	yara_rule
behavioral10/memory/5040-35-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral10/memory/5040-38-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral10/memory/5040-36-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2We324bD.exe	family_redline
behavioral10/memory/3688-42-0x00000000003A0000-0x00000000003DE000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

Processes:

NQ9Pj0sQ.exeCG8jS0GS.exefC5wd4GW.exeBa2Ex2Th.exe1DL05bk5.exe2We324bD.exe

pid process

1420 NQ9Pj0sQ.exe
404 CG8jS0GS.exe
4392 fC5wd4GW.exe
4972 Ba2Ex2Th.exe
5016 1DL05bk5.exe
3688 2We324bD.exe

pid	process
1420	NQ9Pj0sQ.exe
404	CG8jS0GS.exe
4392	fC5wd4GW.exe
4972	Ba2Ex2Th.exe
5016	1DL05bk5.exe
3688	2We324bD.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

CG8jS0GS.exefC5wd4GW.exeBa2Ex2Th.exe695cd347d1d92d0b9066594b4970367e5d1c92c1b9b4885e6615432f165fc26a.exeNQ9Pj0sQ.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	CG8jS0GS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	fC5wd4GW.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	Ba2Ex2Th.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	695cd347d1d92d0b9066594b4970367e5d1c92c1b9b4885e6615432f165fc26a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	NQ9Pj0sQ.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

1DL05bk5.exe

description pid process target process

PID 5016 set thread context of 5040 5016 1DL05bk5.exe AppLaunch.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1660 5016 WerFault.exe 1DL05bk5.exe

description	pid	process	target process
PID 5016 set thread context of 5040	5016	1DL05bk5.exe	AppLaunch.exe

pid	pid_target	process	target process
1660	5016	WerFault.exe	1DL05bk5.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

695cd347d1d92d0b9066594b4970367e5d1c92c1b9b4885e6615432f165fc26a.exeNQ9Pj0sQ.exeCG8jS0GS.exefC5wd4GW.exeBa2Ex2Th.exe1DL05bk5.exe

description	pid	process	target process
PID 2964 wrote to memory of 1420	2964	695cd347d1d92d0b9066594b4970367e5d1c92c1b9b4885e6615432f165fc26a.exe	NQ9Pj0sQ.exe
PID 2964 wrote to memory of 1420	2964	695cd347d1d92d0b9066594b4970367e5d1c92c1b9b4885e6615432f165fc26a.exe	NQ9Pj0sQ.exe
PID 2964 wrote to memory of 1420	2964	695cd347d1d92d0b9066594b4970367e5d1c92c1b9b4885e6615432f165fc26a.exe	NQ9Pj0sQ.exe
PID 1420 wrote to memory of 404	1420	NQ9Pj0sQ.exe	CG8jS0GS.exe
PID 1420 wrote to memory of 404	1420	NQ9Pj0sQ.exe	CG8jS0GS.exe
PID 1420 wrote to memory of 404	1420	NQ9Pj0sQ.exe	CG8jS0GS.exe
PID 404 wrote to memory of 4392	404	CG8jS0GS.exe	fC5wd4GW.exe
PID 404 wrote to memory of 4392	404	CG8jS0GS.exe	fC5wd4GW.exe
PID 404 wrote to memory of 4392	404	CG8jS0GS.exe	fC5wd4GW.exe
PID 4392 wrote to memory of 4972	4392	fC5wd4GW.exe	Ba2Ex2Th.exe
PID 4392 wrote to memory of 4972	4392	fC5wd4GW.exe	Ba2Ex2Th.exe
PID 4392 wrote to memory of 4972	4392	fC5wd4GW.exe	Ba2Ex2Th.exe
PID 4972 wrote to memory of 5016	4972	Ba2Ex2Th.exe	1DL05bk5.exe
PID 4972 wrote to memory of 5016	4972	Ba2Ex2Th.exe	1DL05bk5.exe
PID 4972 wrote to memory of 5016	4972	Ba2Ex2Th.exe	1DL05bk5.exe
PID 5016 wrote to memory of 5040	5016	1DL05bk5.exe	AppLaunch.exe
PID 5016 wrote to memory of 5040	5016	1DL05bk5.exe	AppLaunch.exe
PID 5016 wrote to memory of 5040	5016	1DL05bk5.exe	AppLaunch.exe
PID 5016 wrote to memory of 5040	5016	1DL05bk5.exe	AppLaunch.exe
PID 5016 wrote to memory of 5040	5016	1DL05bk5.exe	AppLaunch.exe
PID 5016 wrote to memory of 5040	5016	1DL05bk5.exe	AppLaunch.exe
PID 5016 wrote to memory of 5040	5016	1DL05bk5.exe	AppLaunch.exe
PID 5016 wrote to memory of 5040	5016	1DL05bk5.exe	AppLaunch.exe
PID 5016 wrote to memory of 5040	5016	1DL05bk5.exe	AppLaunch.exe
PID 5016 wrote to memory of 5040	5016	1DL05bk5.exe	AppLaunch.exe
PID 4972 wrote to memory of 3688	4972	Ba2Ex2Th.exe	2We324bD.exe
PID 4972 wrote to memory of 3688	4972	Ba2Ex2Th.exe	2We324bD.exe
PID 4972 wrote to memory of 3688	4972	Ba2Ex2Th.exe	2We324bD.exe

C:\Users\Admin\AppData\Local\Temp\695cd347d1d92d0b9066594b4970367e5d1c92c1b9b4885e6615432f165fc26a.exe
"C:\Users\Admin\AppData\Local\Temp\695cd347d1d92d0b9066594b4970367e5d1c92c1b9b4885e6615432f165fc26a.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2964

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NQ9Pj0sQ.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NQ9Pj0sQ.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1420

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\CG8jS0GS.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\CG8jS0GS.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:404

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fC5wd4GW.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fC5wd4GW.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4392

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ba2Ex2Th.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ba2Ex2Th.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4972

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1DL05bk5.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1DL05bk5.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5016

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
PID:5040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5016 -s 144
7⤵
- Program crash
PID:1660

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2We324bD.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2We324bD.exe
6⤵
- Executes dropped EXE
PID:3688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5016 -ip 5016
1⤵
PID:4004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NQ9Pj0sQ.exe

Filesize
1.0MB

MD5
5a9188079aa6c4ebe3c211c22cc07f6e

SHA1
b249b1ce69f68a745ca76a242e43bbd8223e11f1

SHA256
b5a6d48a42371eaab20369030145e4dccda2fb184bbea169f1c2786fe8ef6151

SHA512
4b6961d1a82407070d1349bd0269c3f3d27915bdd9b42b8d720756e78e9cb793e8863a47b618ccc8c934f316beabf4035e298b8448edc286cbcab4b7ce30755f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\CG8jS0GS.exe

Filesize
884KB

MD5
8f47aa012048e35c784b6d21475c4879

SHA1
bc3ef97e877369b2a8586b2f6c5459482f47d066

SHA256
78c15ac8532de646f2b027cda267e52dd20a225d165eabb3e0a6e00e48af1666

SHA512
e093ca5cd71b487fd8bd4f0db8456b512e3446ec50e235c80d979c2b6ed431cc0bdf22bc8d54985659e18e1a0e772fbcdff8e4b8cd824f3abad33d1cc478b21e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fC5wd4GW.exe

Filesize
590KB

MD5
1cca5a9ef4e56fc9bf4b77278cbc04b4

SHA1
d06a5021b34bb1a002b57031c382dc71ac9f7d56

SHA256
8487cb7bfbf4bf75fab3efb5de4c185a79e1ce9b6988e97d7cca0750b14cb99b

SHA512
2a834649b262be0313c1915879fc0d3cb5d1d9fadd41ca8c2e8d84e056ca4bd53972555635a6877b30c19b45fdcbdbb64924aa1aa4d7ed47b3757cbcb3df9b61

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ba2Ex2Th.exe

Filesize
417KB

MD5
bdc141b587b7960189ae40c9f6725253

SHA1
61ccac4335edd0114fa81e337a8666c98bd831c6

SHA256
6a16245fbcb3bc0f47c88dcf58252441e96de9e35d0da7bc8256db5d2607d765

SHA512
d7cbf43b28678a69798f8cfe12ee9ef56a57f049723f3b3666716802a5e7f4e5eba21fa8f887df9c4a0b37855a4c46c9b4697e56ebcd6ed8113ae713c3f36ffd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1DL05bk5.exe

Filesize
378KB

MD5
f0831f173733de08511f3a0739f278a6

SHA1
06dc809d653c5d2c97386084ae13b50a73eb5b60

SHA256
8b00f9dce8ceb2123fba3bc9f88419960d1e661b6287eafeba4f0a2ee4be3d27

SHA512
19e3176ce1f154758f685cc4582e93587aa534a251de315473e35758dcd6ff6315880be7602097308dc89c355742be4729bad81de597e8d430a8e868082314e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2We324bD.exe

Filesize
231KB

MD5
88bf1ff382e88ace9f0868a4ea708412

SHA1
1e8f76a990ebfe56c7a8a09d3c6dda34b5bf2be7

SHA256
8fd22b368466c773de10df37811e380fbf177f9c3d208b6f30a78a09b0d599be

SHA512
ab9fd16877ebddbc777c31e7c00d98dfd96818b5b526ad491b40aa08a9fb9c3db9194bdec38ca23ece1b45f5a3b4d72b601a4ac96a4a1bd8251ed55f4409b9e9

Download Submit
memory/3688-42-0x00000000003A0000-0x00000000003DE000-memory.dmp

Filesize
248KB

Download
memory/3688-43-0x0000000007690000-0x0000000007C34000-memory.dmp

Filesize
5.6MB

Download
memory/3688-44-0x0000000007180000-0x0000000007212000-memory.dmp

Filesize
584KB

Download
memory/3688-45-0x0000000002580000-0x000000000258A000-memory.dmp

Filesize
40KB

Download
memory/3688-46-0x0000000008260000-0x0000000008878000-memory.dmp

Filesize
6.1MB

Download
memory/3688-47-0x0000000007510000-0x000000000761A000-memory.dmp

Filesize
1.0MB

Download
memory/3688-48-0x0000000007260000-0x0000000007272000-memory.dmp

Filesize
72KB

Download
memory/3688-49-0x00000000072C0000-0x00000000072FC000-memory.dmp

Filesize
240KB

Download
memory/3688-50-0x0000000007400000-0x000000000744C000-memory.dmp

Filesize
304KB

Download
memory/5040-38-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/5040-36-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/5040-35-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download