mystic | ffe8fa0cf1ed446eeb9dc6eef440d6e2121396f13b66e26a431adcd9f2d605e3

Analysis

max time kernel
146s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 19:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8efb2f072c814649d82dcf129f78158d28b7ec827dd8deeccf8e21e23771ae7a.exe
Size

383KB
MD5

10157d8d3d357ae7b51b1c1da1349a41
SHA1

84b30b0505c3b15fc3771117975fdfcd7faf3382
SHA256

8efb2f072c814649d82dcf129f78158d28b7ec827dd8deeccf8e21e23771ae7a
SHA512

de6fc008a1b6503996778702b0940a3de5fe6ee8b91e8d3b9eff36254d53383d3926bb97d846ba69053ebcf0349be4236ce7dead55c9c0bc1cfa2cd89286d4c3
SSDEEP

6144:Ksy+bnr+qp0yN90QEP6/c+6cQ7PxWiyywTeqtPGbVw3ZvcYoFgf3yCHa:AMrGy901Uc+6EiH+7tPGW3ZvNvy9

Score

10^/10

mystic redline kukish infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kukish

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral19/memory/3936-11-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral19/memory/3936-9-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral19/memory/3936-8-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral19/memory/3936-7-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral19/files/0x0007000000023445-13.dat	family_redline
behavioral19/memory/2144-16-0x0000000000A90000-0x0000000000ACE000-memory.dmp	family_redline

Executes dropped EXE 2 IoCs

pid	Process
1880	1TV79iB0.exe
2144	2xR206xf.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	8efb2f072c814649d82dcf129f78158d28b7ec827dd8deeccf8e21e23771ae7a.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1880 set thread context of 3936	1880	1TV79iB0.exe	84

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3940	1880	WerFault.exe	82
2856	3936	WerFault.exe	84

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 804 wrote to memory of 1880	804	8efb2f072c814649d82dcf129f78158d28b7ec827dd8deeccf8e21e23771ae7a.exe	82
PID 804 wrote to memory of 1880	804	8efb2f072c814649d82dcf129f78158d28b7ec827dd8deeccf8e21e23771ae7a.exe	82
PID 804 wrote to memory of 1880	804	8efb2f072c814649d82dcf129f78158d28b7ec827dd8deeccf8e21e23771ae7a.exe	82
PID 1880 wrote to memory of 3936	1880	1TV79iB0.exe	84
PID 1880 wrote to memory of 3936	1880	1TV79iB0.exe	84
PID 1880 wrote to memory of 3936	1880	1TV79iB0.exe	84
PID 1880 wrote to memory of 3936	1880	1TV79iB0.exe	84
PID 1880 wrote to memory of 3936	1880	1TV79iB0.exe	84
PID 1880 wrote to memory of 3936	1880	1TV79iB0.exe	84
PID 1880 wrote to memory of 3936	1880	1TV79iB0.exe	84
PID 1880 wrote to memory of 3936	1880	1TV79iB0.exe	84
PID 1880 wrote to memory of 3936	1880	1TV79iB0.exe	84
PID 1880 wrote to memory of 3936	1880	1TV79iB0.exe	84
PID 804 wrote to memory of 2144	804	8efb2f072c814649d82dcf129f78158d28b7ec827dd8deeccf8e21e23771ae7a.exe	93
PID 804 wrote to memory of 2144	804	8efb2f072c814649d82dcf129f78158d28b7ec827dd8deeccf8e21e23771ae7a.exe	93
PID 804 wrote to memory of 2144	804	8efb2f072c814649d82dcf129f78158d28b7ec827dd8deeccf8e21e23771ae7a.exe	93

C:\Users\Admin\AppData\Local\Temp\8efb2f072c814649d82dcf129f78158d28b7ec827dd8deeccf8e21e23771ae7a.exe
"C:\Users\Admin\AppData\Local\Temp\8efb2f072c814649d82dcf129f78158d28b7ec827dd8deeccf8e21e23771ae7a.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:804
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1TV79iB0.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1TV79iB0.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1880
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:3936
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3936 -s 196
      4⤵
      Program crash
      PID:2856
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1880 -s 156
    3⤵
    - Program crash
    PID:3940
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2xR206xf.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2xR206xf.exe
  2⤵
  - Executes dropped EXE
  PID:2144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1880 -ip 1880
1⤵
PID:3632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3936 -ip 3936
1⤵
PID:1424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1TV79iB0.exe

Filesize
295KB

MD5
56a52f85cb6555bc27e20d3d8ef5ce41

SHA1
05e6dcd5ab90e27b1848310cd7e7565acb2a1e89

SHA256
f1b410f2d7a266e1afb17e1ea24e4ee63ddb821a60a6e37d8b2181425f22131a

SHA512
486914f641b3d3ffa534eebcabb4b598636e4eecf4716452c6ea361655919fb77af2e2c12ce2ca62d5e653b35a82e441c09b2eec00a667c2b74e181cf248238c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2xR206xf.exe

Filesize
222KB

MD5
71054ded995d2aa2711b978ee400a0f2

SHA1
293dd5111eb573aa7d3da2507a89ba2be16aca3d

SHA256
c4cc5a67423972e17cdab1afd621407d8f6af42564a5e8dfa1a622f201cdda19

SHA512
a3ad00ca096ca8d598fde2316bb14f23a17d35087d11e0668fadc1e49ba20604c19f7f4277a15fddc17cd5e4f59d5ad3eeb4448ac841b9990b6bf4b2013ea425

Download Submit
memory/2144-21-0x0000000008920000-0x0000000008F38000-memory.dmp

Filesize
6.1MB

Download
memory/2144-20-0x0000000074AD0000-0x0000000075280000-memory.dmp

Filesize
7.7MB

Download
memory/2144-27-0x0000000074AD0000-0x0000000075280000-memory.dmp

Filesize
7.7MB

Download
memory/2144-26-0x0000000074ADE000-0x0000000074ADF000-memory.dmp

Filesize
4KB

Download
memory/2144-15-0x0000000074ADE000-0x0000000074ADF000-memory.dmp

Filesize
4KB

Download
memory/2144-16-0x0000000000A90000-0x0000000000ACE000-memory.dmp

Filesize
248KB

Download
memory/2144-17-0x0000000007D50000-0x00000000082F4000-memory.dmp

Filesize
5.6MB

Download
memory/2144-18-0x0000000007840000-0x00000000078D2000-memory.dmp

Filesize
584KB

Download
memory/2144-19-0x0000000004E20000-0x0000000004E2A000-memory.dmp

Filesize
40KB

Download
memory/2144-25-0x0000000007AF0000-0x0000000007B3C000-memory.dmp

Filesize
304KB

Download
memory/2144-24-0x0000000007AB0000-0x0000000007AEC000-memory.dmp

Filesize
240KB

Download
memory/2144-22-0x0000000007B40000-0x0000000007C4A000-memory.dmp

Filesize
1.0MB

Download
memory/2144-23-0x0000000007A50000-0x0000000007A62000-memory.dmp

Filesize
72KB

Download
memory/3936-11-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3936-8-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3936-9-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3936-7-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads