mystic | 2dae798f2fcb49ad5f375700dcbe54c08e9cc5c25fe542ebd7939aa5f5f023aa

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 18:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

feb3084f5c25ee7a6f595b0324d2f1b160f286a327d520b89a60520c6b5c9099.exe
Size

939KB
MD5

65622bef79ddda9ce698926571ce25b1
SHA1

0b3e1903f85a04dc99e682a838f967878963e52e
SHA256

feb3084f5c25ee7a6f595b0324d2f1b160f286a327d520b89a60520c6b5c9099
SHA512

a80b1a00117b003b3cf936e74f6b3502f5de4427761fd77576462388f9bb1173aeefe5344930284986b281c8d0ebced52da77108bfc41eeb7952aa79da17629f
SSDEEP

24576:jyIFsdExiJhBjUW6BsYe5HwA3O6Nf8sZ9X4u8:2geEEUjSYqHw8PNf8s1

Score

10^/10

mystic redline kendo infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kendo

77.91.124.82:19071

Attributes

auth_value
5a22a881561d49941415902859b51f14

Signatures

Detect Mystic stealer payload 3 IoCs

resource	yara_rule
behavioral19/memory/2420-28-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral19/memory/2420-31-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral19/memory/2420-29-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral19/files/0x0007000000023426-33.dat	family_redline
behavioral19/memory/4048-35-0x0000000000170000-0x00000000001A0000-memory.dmp	family_redline

Executes dropped EXE 5 IoCs

pid	Process
3620	x5242005.exe
1052	x6470292.exe
1480	x5285369.exe
948	g1443623.exe
4048	h8621055.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	feb3084f5c25ee7a6f595b0324d2f1b160f286a327d520b89a60520c6b5c9099.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x5242005.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x6470292.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x5285369.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 948 set thread context of 2420	948	g1443623.exe	86

Program crash 1 IoCs

pid	pid_target	Process	procid_target
928	948	WerFault.exe	85

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 3016 wrote to memory of 3620	3016	feb3084f5c25ee7a6f595b0324d2f1b160f286a327d520b89a60520c6b5c9099.exe	82
PID 3016 wrote to memory of 3620	3016	feb3084f5c25ee7a6f595b0324d2f1b160f286a327d520b89a60520c6b5c9099.exe	82
PID 3016 wrote to memory of 3620	3016	feb3084f5c25ee7a6f595b0324d2f1b160f286a327d520b89a60520c6b5c9099.exe	82
PID 3620 wrote to memory of 1052	3620	x5242005.exe	83
PID 3620 wrote to memory of 1052	3620	x5242005.exe	83
PID 3620 wrote to memory of 1052	3620	x5242005.exe	83
PID 1052 wrote to memory of 1480	1052	x6470292.exe	84
PID 1052 wrote to memory of 1480	1052	x6470292.exe	84
PID 1052 wrote to memory of 1480	1052	x6470292.exe	84
PID 1480 wrote to memory of 948	1480	x5285369.exe	85
PID 1480 wrote to memory of 948	1480	x5285369.exe	85
PID 1480 wrote to memory of 948	1480	x5285369.exe	85
PID 948 wrote to memory of 2420	948	g1443623.exe	86
PID 948 wrote to memory of 2420	948	g1443623.exe	86
PID 948 wrote to memory of 2420	948	g1443623.exe	86
PID 948 wrote to memory of 2420	948	g1443623.exe	86
PID 948 wrote to memory of 2420	948	g1443623.exe	86
PID 948 wrote to memory of 2420	948	g1443623.exe	86
PID 948 wrote to memory of 2420	948	g1443623.exe	86
PID 948 wrote to memory of 2420	948	g1443623.exe	86
PID 948 wrote to memory of 2420	948	g1443623.exe	86
PID 948 wrote to memory of 2420	948	g1443623.exe	86
PID 1480 wrote to memory of 4048	1480	x5285369.exe	93
PID 1480 wrote to memory of 4048	1480	x5285369.exe	93
PID 1480 wrote to memory of 4048	1480	x5285369.exe	93

C:\Users\Admin\AppData\Local\Temp\feb3084f5c25ee7a6f595b0324d2f1b160f286a327d520b89a60520c6b5c9099.exe
"C:\Users\Admin\AppData\Local\Temp\feb3084f5c25ee7a6f595b0324d2f1b160f286a327d520b89a60520c6b5c9099.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3016
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5242005.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5242005.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3620
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6470292.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6470292.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1052
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x5285369.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x5285369.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1480
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g1443623.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g1443623.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:948
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:2420
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 948 -s 564
        6⤵
        Program crash
        
        PID:928
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h8621055.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h8621055.exe
        5⤵
        Executes dropped EXE
        
        PID:4048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 948 -ip 948
1⤵
PID:916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5242005.exe

Filesize
841KB

MD5
ba730229223e0dc401d8793c3960a66e

SHA1
a31fa10033a53413be6824d7907923ac85a9b748

SHA256
88e94d8302b6a6daccef9c8ef1b66d9ea6eca47debf2e10078c81c464f33bd70

SHA512
0ae5e91005d7927ba0c708871ce0d265ca08e7e65b8d37d40ad51a09c048e7b32b20cdc32c2035da451e1ddc57adc0e2c49b851a31f92f7353a82ce1aaa5a843

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6470292.exe

Filesize
563KB

MD5
68962378c4a1faae0b10f7895999caa1

SHA1
a7f0159809355b1574455ba0bbf3c2515f4060e3

SHA256
9f48a5bcea4f97b64fba26140aeea6f4183ada71d893eb29431b9c81852244fb

SHA512
e1253afc5f3b0e60202e5446c0c5d76fb55b5796db2def1224b8a3dca74e8a615478a1ae3d951f730b44f580f46a69003150d7a3cf573f04c702653b5ef90ec0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x5285369.exe

Filesize
397KB

MD5
c7c1c6e2dc0ab74c7d32611a58422518

SHA1
1d7609d51dca944592b8acbfb0ef3c1169e95464

SHA256
912db92b8120a3438ff63e7fd3599960b886d1731fa00d106cb4e68f99434f67

SHA512
b199be1cd9ccf164f4faedd600fe798d062058c39cf2931f616a6ea520fd3ff734d3b22a3aafd360584be14a2c50f2d1a49dc26e1dbca640f2efaf2b49925a26

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g1443623.exe

Filesize
379KB

MD5
1d683ea5d43b913511532876dc0a295f

SHA1
bbe929fb5c2b6baba85ae2c969963ade9139d970

SHA256
95595031709fd4e81e46f58930e16120e76926a3d1325ff81a175986f3fa9c9d

SHA512
8d066cfbbd4cef61fdf2f86f90a37fc88effea833d3e095edea2e2f377a75e48f5da9128564226db7f6f786ae7c8acc60d245fc0d1fc285ebcb7bee8b6babba9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h8621055.exe

Filesize
174KB

MD5
b020d3c9a96bdd9a0161e2ed84883d7c

SHA1
2883c864f672952768f87aae0fb0eb6911aa79cb

SHA256
9cba59684c5f6a1c5f3702d7cbcd6b11629c9c9944d1bdc941f55d02de322b57

SHA512
22758f12334730cd12a0809d220ebc88f42555c29c1c8fa7e140e2caf4bf95cc9633b56a18e1b2c31e9905d0b1fe7615aacca2dd156c9668f32e5badd102f78a

Download Submit
memory/2420-29-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2420-31-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2420-28-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4048-35-0x0000000000170000-0x00000000001A0000-memory.dmp

Filesize
192KB

Download
memory/4048-36-0x0000000004950000-0x0000000004956000-memory.dmp

Filesize
24KB

Download
memory/4048-37-0x0000000005160000-0x0000000005778000-memory.dmp

Filesize
6.1MB

Download
memory/4048-38-0x0000000004C50000-0x0000000004D5A000-memory.dmp

Filesize
1.0MB

Download
memory/4048-39-0x00000000049F0000-0x0000000004A02000-memory.dmp

Filesize
72KB

Download
memory/4048-40-0x0000000004B80000-0x0000000004BBC000-memory.dmp

Filesize
240KB

Download
memory/4048-41-0x0000000004BC0000-0x0000000004C0C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads