mystic | ffe8fa0cf1ed446eeb9dc6eef440d6e2121396f13b66e26a431adcd9f2d605e3

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 19:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1ad22f7c20ecd9c3f25fef51c4432f8d6609d2a5f951e6a29ab4a3a9b7d2ebda.exe
Size

1006KB
MD5

8c0a63fb01c25edb39a66f28038f7aa0
SHA1

18666baa1de5d7b6f5e4e273cc9946e4d295cd21
SHA256

1ad22f7c20ecd9c3f25fef51c4432f8d6609d2a5f951e6a29ab4a3a9b7d2ebda
SHA512

8e0aebc199e0b97fa264bcba47bd2abaafd94fba5f777350de1260512feb597193e46a31e911740c121318647a1b067c1cd5261440147fe4dbc2b2bcda0c6276
SSDEEP

12288:eMrty90ivMV92xv+Zo90ItoX5rqNgUH16kaLm3OlGTI9trzLzwoBIthXTW1:PyPM6xv+ImprEgU4lLMO+IXgoKXK1

Score

10^/10

mystic redline kukish infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kukish

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 3 IoCs

Processes:

resource	yara_rule
behavioral3/memory/2672-28-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral3/memory/2672-31-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral3/memory/2672-30-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2XQ131iN.exe	family_redline
behavioral3/memory/3812-35-0x0000000000190000-0x00000000001CE000-memory.dmp	family_redline

Executes dropped EXE 5 IoCs

Processes:

NT0Av8Fq.exeyS0sM4Xw.exeMi3kt2Jw.exe1Yi75fb7.exe2XQ131iN.exe

pid process

1288 NT0Av8Fq.exe
2564 yS0sM4Xw.exe
1272 Mi3kt2Jw.exe
1512 1Yi75fb7.exe
3812 2XQ131iN.exe

pid	process
1288	NT0Av8Fq.exe
2564	yS0sM4Xw.exe
1272	Mi3kt2Jw.exe
1512	1Yi75fb7.exe
3812	2XQ131iN.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

1ad22f7c20ecd9c3f25fef51c4432f8d6609d2a5f951e6a29ab4a3a9b7d2ebda.exeNT0Av8Fq.exeyS0sM4Xw.exeMi3kt2Jw.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	1ad22f7c20ecd9c3f25fef51c4432f8d6609d2a5f951e6a29ab4a3a9b7d2ebda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	NT0Av8Fq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	yS0sM4Xw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	Mi3kt2Jw.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

1Yi75fb7.exe

description pid process target process

PID 1512 set thread context of 2672 1512 1Yi75fb7.exe AppLaunch.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

64 1512 WerFault.exe 1Yi75fb7.exe

description	pid	process	target process
PID 1512 set thread context of 2672	1512	1Yi75fb7.exe	AppLaunch.exe

pid	pid_target	process	target process
64	1512	WerFault.exe	1Yi75fb7.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

1ad22f7c20ecd9c3f25fef51c4432f8d6609d2a5f951e6a29ab4a3a9b7d2ebda.exeNT0Av8Fq.exeyS0sM4Xw.exeMi3kt2Jw.exe1Yi75fb7.exe

description	pid	process	target process
PID 756 wrote to memory of 1288	756	1ad22f7c20ecd9c3f25fef51c4432f8d6609d2a5f951e6a29ab4a3a9b7d2ebda.exe	NT0Av8Fq.exe
PID 756 wrote to memory of 1288	756	1ad22f7c20ecd9c3f25fef51c4432f8d6609d2a5f951e6a29ab4a3a9b7d2ebda.exe	NT0Av8Fq.exe
PID 756 wrote to memory of 1288	756	1ad22f7c20ecd9c3f25fef51c4432f8d6609d2a5f951e6a29ab4a3a9b7d2ebda.exe	NT0Av8Fq.exe
PID 1288 wrote to memory of 2564	1288	NT0Av8Fq.exe	yS0sM4Xw.exe
PID 1288 wrote to memory of 2564	1288	NT0Av8Fq.exe	yS0sM4Xw.exe
PID 1288 wrote to memory of 2564	1288	NT0Av8Fq.exe	yS0sM4Xw.exe
PID 2564 wrote to memory of 1272	2564	yS0sM4Xw.exe	Mi3kt2Jw.exe
PID 2564 wrote to memory of 1272	2564	yS0sM4Xw.exe	Mi3kt2Jw.exe
PID 2564 wrote to memory of 1272	2564	yS0sM4Xw.exe	Mi3kt2Jw.exe
PID 1272 wrote to memory of 1512	1272	Mi3kt2Jw.exe	1Yi75fb7.exe
PID 1272 wrote to memory of 1512	1272	Mi3kt2Jw.exe	1Yi75fb7.exe
PID 1272 wrote to memory of 1512	1272	Mi3kt2Jw.exe	1Yi75fb7.exe
PID 1512 wrote to memory of 2672	1512	1Yi75fb7.exe	AppLaunch.exe
PID 1512 wrote to memory of 2672	1512	1Yi75fb7.exe	AppLaunch.exe
PID 1512 wrote to memory of 2672	1512	1Yi75fb7.exe	AppLaunch.exe
PID 1512 wrote to memory of 2672	1512	1Yi75fb7.exe	AppLaunch.exe
PID 1512 wrote to memory of 2672	1512	1Yi75fb7.exe	AppLaunch.exe
PID 1512 wrote to memory of 2672	1512	1Yi75fb7.exe	AppLaunch.exe
PID 1512 wrote to memory of 2672	1512	1Yi75fb7.exe	AppLaunch.exe
PID 1512 wrote to memory of 2672	1512	1Yi75fb7.exe	AppLaunch.exe
PID 1512 wrote to memory of 2672	1512	1Yi75fb7.exe	AppLaunch.exe
PID 1512 wrote to memory of 2672	1512	1Yi75fb7.exe	AppLaunch.exe
PID 1272 wrote to memory of 3812	1272	Mi3kt2Jw.exe	2XQ131iN.exe
PID 1272 wrote to memory of 3812	1272	Mi3kt2Jw.exe	2XQ131iN.exe
PID 1272 wrote to memory of 3812	1272	Mi3kt2Jw.exe	2XQ131iN.exe

C:\Users\Admin\AppData\Local\Temp\1ad22f7c20ecd9c3f25fef51c4432f8d6609d2a5f951e6a29ab4a3a9b7d2ebda.exe
"C:\Users\Admin\AppData\Local\Temp\1ad22f7c20ecd9c3f25fef51c4432f8d6609d2a5f951e6a29ab4a3a9b7d2ebda.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:756

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NT0Av8Fq.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NT0Av8Fq.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1288

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yS0sM4Xw.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yS0sM4Xw.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2564

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Mi3kt2Jw.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Mi3kt2Jw.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1272

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Yi75fb7.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Yi75fb7.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1512

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
6⤵
PID:2672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1512 -s 140
6⤵
- Program crash
PID:64

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2XQ131iN.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2XQ131iN.exe
5⤵
- Executes dropped EXE
PID:3812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1512 -ip 1512
1⤵
PID:3648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NT0Av8Fq.exe
Filesize
817KB

MD5
7abe579086be1b68fc5f03c464f2314b

SHA1
f86e1827d7d6f537c4a30da15862ff95cd8201c1

SHA256
2d67481553cd124facdb555c416c5b3ac9ee7d1a3ef8b2f91bb614cc4004a55c

SHA512
30c9714e165cf90e90b100e2bef7c64018f2bdce2d7f2e1bce8d4b4703c31583e4f4d732666426b63dc24a94c948bfb97233c17c77e2324b66de1194405b7779

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yS0sM4Xw.exe
Filesize
582KB

MD5
bb98898ab810bb51f72ad8e9a9031fcb

SHA1
788039fc9e85930e54114960819c63d04ff91dd7

SHA256
cae9d9db68b45bbec9eb314b6f985a7abf00f2700e842a19f27ef9b7decee239

SHA512
2c20af03a21a46af6a9c41eeadd87626357d698041a7f9785b659ae9615395eca0a8cdb14c9eae25c85b8289f9aff039e3f49f2df01c8bcf33d6a685fa88b5d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Mi3kt2Jw.exe
Filesize
382KB

MD5
60a7d2785dd54bc48a9441a882552d85

SHA1
69ed3a567e998e5698d6f7889ba51feedd021b42

SHA256
d489bd6634db04015a3229ee34657cde2310c3b44cf839387e0af66dda19a1c8

SHA512
2122faf845da803e13fb597cffb6e8d4b96366db7fc6f110835b9345b9c33f930ce73a76c6e21edcb57b35fdd8db8fd75eec20d8af5cede2a07fff41f5d13024

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Yi75fb7.exe
Filesize
295KB

MD5
aace7e6f87d7b85254de727a03634a6f

SHA1
aee2b626ced061f75aa0246f8a76184deab9164f

SHA256
10fc79fcb203a3d8e6b2a7241af770bc84d50976369ffc6ee6c7c608f13722af

SHA512
dc0bdc9c0022a02aa0a683085975d5b98a31a5daac7bf34b03c99690dbcb1939c6c4f75f4337e290fa85d8ad40f5e0e30f755403679107d8c688489c6a8b3dbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2XQ131iN.exe
Filesize
222KB

MD5
f3015ac7ff663ea8ab1c55492dd1a6ad

SHA1
c1ee9145b77311b13a11ac3c0a0ebf7469afcb11

SHA256
a8499cd6116beeca1b68c73ccf2edb2f3a6f7d5d982308a85583f645aabf4e6a

SHA512
01b9e1801a4ac3b1da4d42326968d37e73ff33915bdf8cbb9951565920848a9f9fec44bb2981f53337c1bd29498faa218360ffa7fb625d47f7f8015da0fde9a6

Download Submit
memory/2672-28-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2672-31-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2672-30-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3812-35-0x0000000000190000-0x00000000001CE000-memory.dmp

Filesize
248KB

Download
memory/3812-36-0x0000000007520000-0x0000000007AC4000-memory.dmp

Filesize
5.6MB

Download
memory/3812-37-0x0000000007050000-0x00000000070E2000-memory.dmp

Filesize
584KB

Download
memory/3812-38-0x0000000002590000-0x000000000259A000-memory.dmp

Filesize
40KB

Download
memory/3812-39-0x00000000080F0000-0x0000000008708000-memory.dmp

Filesize
6.1MB

Download
memory/3812-40-0x0000000007360000-0x000000000746A000-memory.dmp

Filesize
1.0MB

Download
memory/3812-41-0x0000000007290000-0x00000000072A2000-memory.dmp

Filesize
72KB

Download
memory/3812-42-0x00000000072F0000-0x000000000732C000-memory.dmp

Filesize
240KB

Download
memory/3812-43-0x0000000007470000-0x00000000074BC000-memory.dmp

Filesize
304KB

Download