mystic | 2dae798f2fcb49ad5f375700dcbe54c08e9cc5c25fe542ebd7939aa5f5f023aa

Analysis

max time kernel
134s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 18:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

87139651e5e0bbbfe1bfa2f0a0607e9be351dbd75ab76f7846f919648224e922.exe
Size

272KB
MD5

ce888d3e95fd72b44ba9755a7b5f3070
SHA1

acfac50f32c643900534a35b95e5324a79a6f24c
SHA256

87139651e5e0bbbfe1bfa2f0a0607e9be351dbd75ab76f7846f919648224e922
SHA512

4d7b3b5acb8d2de6ddfc8ab6e2e0ffbac86fd2cbdf55ca001390a073d4fa878d4886c636021b8c4276377137113f31b609fa8afcbbf9cc55bb3d7f5856e37487
SSDEEP

6144:KRy+bnr+ep0yN90QEsdTwoe7P0PF+BR4OFYECMUyYhv+OJAa:nMr6y90mw9L0iR4xnTvFV

Score

10^/10

mystic redline moner infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

moner

77.91.124.82:19071

Attributes

auth_value
a94cd9e01643e1945b296c28a2f28707

Signatures

Detect Mystic stealer payload 1 IoCs

resource	yara_rule
behavioral11/files/0x00090000000233c9-5.dat	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral11/files/0x00070000000233e2-8.dat	family_redline
behavioral11/memory/4460-11-0x0000000000D90000-0x0000000000DC0000-memory.dmp	family_redline

Executes dropped EXE 2 IoCs

pid	Process
996	m1024926.exe
4460	n6759556.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	87139651e5e0bbbfe1bfa2f0a0607e9be351dbd75ab76f7846f919648224e922.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4520 wrote to memory of 996	4520	87139651e5e0bbbfe1bfa2f0a0607e9be351dbd75ab76f7846f919648224e922.exe	82
PID 4520 wrote to memory of 996	4520	87139651e5e0bbbfe1bfa2f0a0607e9be351dbd75ab76f7846f919648224e922.exe	82
PID 4520 wrote to memory of 996	4520	87139651e5e0bbbfe1bfa2f0a0607e9be351dbd75ab76f7846f919648224e922.exe	82
PID 4520 wrote to memory of 4460	4520	87139651e5e0bbbfe1bfa2f0a0607e9be351dbd75ab76f7846f919648224e922.exe	83
PID 4520 wrote to memory of 4460	4520	87139651e5e0bbbfe1bfa2f0a0607e9be351dbd75ab76f7846f919648224e922.exe	83
PID 4520 wrote to memory of 4460	4520	87139651e5e0bbbfe1bfa2f0a0607e9be351dbd75ab76f7846f919648224e922.exe	83

C:\Users\Admin\AppData\Local\Temp\87139651e5e0bbbfe1bfa2f0a0607e9be351dbd75ab76f7846f919648224e922.exe
"C:\Users\Admin\AppData\Local\Temp\87139651e5e0bbbfe1bfa2f0a0607e9be351dbd75ab76f7846f919648224e922.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4520
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m1024926.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m1024926.exe
  2⤵
  - Executes dropped EXE
  PID:996
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n6759556.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n6759556.exe
  2⤵
  - Executes dropped EXE
  PID:4460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m1024926.exe

Filesize
140KB

MD5
f1c72f6f33dc90b962d2bc4fa57d854b

SHA1
f108fd8e69fe0dc5948e9a87802b9525f6c3bb0e

SHA256
3907c3d28a994e4ff2e5566a9f80155018f234f488ff49ae8e46b4d818541200

SHA512
4e3e875d7c4b111b2ed1c7dca9c1c84caa10debadf4bdba705a71b531fc280cf9a21eacdb98b44d7e3d244bdf0765e9404be054e4ff8c766f3ef72a265da8293

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n6759556.exe

Filesize
174KB

MD5
21829fc034799adf43ad6aa59792e3af

SHA1
0e39c92ef8cb7a3cffd6bb1ce22038f33f0a4c58

SHA256
15401a746683c0055e6dc209d7e1130f64b5c260231498aa8d30378d3703be6c

SHA512
2af8b78fd63f24a3168bf701ef088f8ee0c002d1a5c8ab171a6a4af8d57363325718682210551f4bdaaa6aaa1f49f5d7160a50b810092a25a3e42c25a94ae4cc

Download Submit
memory/4460-10-0x00000000743AE000-0x00000000743AF000-memory.dmp

Filesize
4KB

Download
memory/4460-11-0x0000000000D90000-0x0000000000DC0000-memory.dmp

Filesize
192KB

Download
memory/4460-12-0x0000000002F70000-0x0000000002F76000-memory.dmp

Filesize
24KB

Download
memory/4460-13-0x000000000B090000-0x000000000B6A8000-memory.dmp

Filesize
6.1MB

Download
memory/4460-14-0x000000000AC00000-0x000000000AD0A000-memory.dmp

Filesize
1.0MB

Download
memory/4460-15-0x000000000AB40000-0x000000000AB52000-memory.dmp

Filesize
72KB

Download
memory/4460-16-0x000000000ABA0000-0x000000000ABDC000-memory.dmp

Filesize
240KB

Download
memory/4460-18-0x00000000743A0000-0x0000000074B50000-memory.dmp

Filesize
7.7MB

Download
memory/4460-17-0x00000000050E0000-0x000000000512C000-memory.dmp

Filesize
304KB

Download
memory/4460-19-0x00000000743AE000-0x00000000743AF000-memory.dmp

Filesize
4KB

Download
memory/4460-20-0x00000000743A0000-0x0000000074B50000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads