mystic | ffe8fa0cf1ed446eeb9dc6eef440d6e2121396f13b66e26a431adcd9f2d605e3

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 19:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5eee268a879c07625d7394a82b7c1c9212c1bd08e2f22fd5b294cc02b2f31cc9.exe
Size

382KB
MD5

0cdd1d630baea001d0bad7a95db25072
SHA1

f4360bae0c4b6609c534eba13aafeaab3a492e54
SHA256

5eee268a879c07625d7394a82b7c1c9212c1bd08e2f22fd5b294cc02b2f31cc9
SHA512

2a6d327e07511fa00ed5c440afb2730a61384064ecb974c4ac895062bed87e1fe4388fbc0b9ddb633154827289c599949722aa4517f5fd6fc90854b4071d2cf1
SSDEEP

6144:KFy+bnr+hp0yN90QE5krZ8aQlp2GTvQFg1qo/qV0pB5BcWJoJnTY67h3TXhN:DMrFy90jkra2i4i1T/qV0DSBr7h3Tj

Score

10^/10

mystic redline kukish infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kukish

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral13/memory/2260-7-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral13/memory/2260-11-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral13/memory/2260-9-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral13/memory/2260-8-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral13/files/0x0007000000023562-13.dat	family_redline
behavioral13/memory/1896-16-0x00000000008C0000-0x00000000008FE000-memory.dmp	family_redline

Executes dropped EXE 2 IoCs

pid	Process
4384	1CM30ma5.exe
1896	2BF796Js.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5eee268a879c07625d7394a82b7c1c9212c1bd08e2f22fd5b294cc02b2f31cc9.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4384 set thread context of 2260	4384	1CM30ma5.exe	93

Program crash 2 IoCs

pid	pid_target	Process	procid_target
840	4384	WerFault.exe	90
4028	2260	WerFault.exe	93

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 220 wrote to memory of 4384	220	5eee268a879c07625d7394a82b7c1c9212c1bd08e2f22fd5b294cc02b2f31cc9.exe	90
PID 220 wrote to memory of 4384	220	5eee268a879c07625d7394a82b7c1c9212c1bd08e2f22fd5b294cc02b2f31cc9.exe	90
PID 220 wrote to memory of 4384	220	5eee268a879c07625d7394a82b7c1c9212c1bd08e2f22fd5b294cc02b2f31cc9.exe	90
PID 4384 wrote to memory of 4620	4384	1CM30ma5.exe	92
PID 4384 wrote to memory of 4620	4384	1CM30ma5.exe	92
PID 4384 wrote to memory of 4620	4384	1CM30ma5.exe	92
PID 4384 wrote to memory of 2260	4384	1CM30ma5.exe	93
PID 4384 wrote to memory of 2260	4384	1CM30ma5.exe	93
PID 4384 wrote to memory of 2260	4384	1CM30ma5.exe	93
PID 4384 wrote to memory of 2260	4384	1CM30ma5.exe	93
PID 4384 wrote to memory of 2260	4384	1CM30ma5.exe	93
PID 4384 wrote to memory of 2260	4384	1CM30ma5.exe	93
PID 4384 wrote to memory of 2260	4384	1CM30ma5.exe	93
PID 4384 wrote to memory of 2260	4384	1CM30ma5.exe	93
PID 4384 wrote to memory of 2260	4384	1CM30ma5.exe	93
PID 4384 wrote to memory of 2260	4384	1CM30ma5.exe	93
PID 220 wrote to memory of 1896	220	5eee268a879c07625d7394a82b7c1c9212c1bd08e2f22fd5b294cc02b2f31cc9.exe	102
PID 220 wrote to memory of 1896	220	5eee268a879c07625d7394a82b7c1c9212c1bd08e2f22fd5b294cc02b2f31cc9.exe	102
PID 220 wrote to memory of 1896	220	5eee268a879c07625d7394a82b7c1c9212c1bd08e2f22fd5b294cc02b2f31cc9.exe	102

C:\Users\Admin\AppData\Local\Temp\5eee268a879c07625d7394a82b7c1c9212c1bd08e2f22fd5b294cc02b2f31cc9.exe
"C:\Users\Admin\AppData\Local\Temp\5eee268a879c07625d7394a82b7c1c9212c1bd08e2f22fd5b294cc02b2f31cc9.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:220
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1CM30ma5.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1CM30ma5.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4384
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:4620
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:2260
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2260 -s 548
      4⤵
      Program crash
      PID:4028
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4384 -s 584
    3⤵
    - Program crash
    PID:840
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2BF796Js.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2BF796Js.exe
  2⤵
  - Executes dropped EXE
  PID:1896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2260 -ip 2260
1⤵
PID:3776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4384 -ip 4384
1⤵
PID:3300

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3812,i,13035806169561352434,1332896185314862791,262144 --variations-seed-version --mojo-platform-channel-handle=4244 /prefetch:8
1⤵
PID:4024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1CM30ma5.exe

Filesize
295KB

MD5
66bdfee4ef9b26ed8d161e91fa32f4df

SHA1
65eea13abd7ec89f194c9703a4926de748324c38

SHA256
a40eddbeaf64736815cc75ee9b3a6cb785c5474dd31309cb48d485a23e2ca32c

SHA512
fe6b94a2cedb51a1cfaca580a3313cbe360cffa62da7d9607eda2279c1c3ec3af73b4caa7acf6723721babca5beb6948f329f76921776a2abeaa589fab3ebce1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2BF796Js.exe

Filesize
222KB

MD5
8c5c774f027edfb3ca14b6ebfadbd343

SHA1
bd62bad4fc670b766d2f3c8800f56234db36d41b

SHA256
d57a78b2ceaf813b65e4e8ea532639345061fce101347d9317c001d659f9e133

SHA512
cf6d57edf8fa395b82a9561baae44d981d46f751986608912cf8acba152679c76f53f1ec107c82df05dbdeccec4264dc2d3b56c5226b0117ac044ac62d9a0ef2

Download Submit
memory/1896-21-0x0000000008730000-0x0000000008D48000-memory.dmp

Filesize
6.1MB

Download
memory/1896-20-0x0000000073E90000-0x0000000074640000-memory.dmp

Filesize
7.7MB

Download
memory/1896-27-0x0000000073E90000-0x0000000074640000-memory.dmp

Filesize
7.7MB

Download
memory/1896-26-0x0000000073E9E000-0x0000000073E9F000-memory.dmp

Filesize
4KB

Download
memory/1896-15-0x0000000073E9E000-0x0000000073E9F000-memory.dmp

Filesize
4KB

Download
memory/1896-16-0x00000000008C0000-0x00000000008FE000-memory.dmp

Filesize
248KB

Download
memory/1896-17-0x0000000007B60000-0x0000000008104000-memory.dmp

Filesize
5.6MB

Download
memory/1896-18-0x0000000007690000-0x0000000007722000-memory.dmp

Filesize
584KB

Download
memory/1896-19-0x0000000004C20000-0x0000000004C2A000-memory.dmp

Filesize
40KB

Download
memory/1896-25-0x0000000007890000-0x00000000078DC000-memory.dmp

Filesize
304KB

Download
memory/1896-24-0x0000000007910000-0x000000000794C000-memory.dmp

Filesize
240KB

Download
memory/1896-22-0x0000000007A20000-0x0000000007B2A000-memory.dmp

Filesize
1.0MB

Download
memory/1896-23-0x0000000007860000-0x0000000007872000-memory.dmp

Filesize
72KB

Download
memory/2260-7-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2260-9-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2260-11-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2260-8-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads