mystic | ffe8fa0cf1ed446eeb9dc6eef440d6e2121396f13b66e26a431adcd9f2d605e3

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 19:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4958361c2a42ff04e4d71bc10a59d5ce9b6fae6d86deb588a01b229caeadf1c0.exe
Size

1.1MB
MD5

0e9408c5a1d43eacf2a83efc8ec28403
SHA1

71c2d85e7c0d50ed22010a15493916d14344c19e
SHA256

4958361c2a42ff04e4d71bc10a59d5ce9b6fae6d86deb588a01b229caeadf1c0
SHA512

bb4db61931c6979ea415139b559fd69b832d9d3ddecf179e58ce44f8ec36c89943512e665eb22e70f4e75c48dc8a924d09d196139c923de08e7a9c8fc68842f6
SSDEEP

24576:byZ0Y6i41PZiAYvfcxG5u9aeOUBZS5UaB8PGFQo5n:OOvi4/iAYvUxOR2pTPGFJ5

Score

10^/10

mystic redline kukish infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kukish

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 3 IoCs

resource	yara_rule
behavioral7/memory/3504-35-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral7/memory/3504-38-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral7/memory/3504-36-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral7/files/0x0007000000023442-40.dat	family_redline
behavioral7/memory/2268-42-0x0000000000B70000-0x0000000000BAE000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
2336	Xi4QD2wJ.exe
3612	io5tb0FD.exe
4672	nX6Zt2bf.exe
776	zB7Vl6Ti.exe
1836	1cW36yn2.exe
2268	2fC063gW.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	4958361c2a42ff04e4d71bc10a59d5ce9b6fae6d86deb588a01b229caeadf1c0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Xi4QD2wJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	io5tb0FD.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	nX6Zt2bf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	zB7Vl6Ti.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1836 set thread context of 3504	1836	1cW36yn2.exe	92

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4344	1836	WerFault.exe	88

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 5092 wrote to memory of 2336	5092	4958361c2a42ff04e4d71bc10a59d5ce9b6fae6d86deb588a01b229caeadf1c0.exe	83
PID 5092 wrote to memory of 2336	5092	4958361c2a42ff04e4d71bc10a59d5ce9b6fae6d86deb588a01b229caeadf1c0.exe	83
PID 5092 wrote to memory of 2336	5092	4958361c2a42ff04e4d71bc10a59d5ce9b6fae6d86deb588a01b229caeadf1c0.exe	83
PID 2336 wrote to memory of 3612	2336	Xi4QD2wJ.exe	84
PID 2336 wrote to memory of 3612	2336	Xi4QD2wJ.exe	84
PID 2336 wrote to memory of 3612	2336	Xi4QD2wJ.exe	84
PID 3612 wrote to memory of 4672	3612	io5tb0FD.exe	85
PID 3612 wrote to memory of 4672	3612	io5tb0FD.exe	85
PID 3612 wrote to memory of 4672	3612	io5tb0FD.exe	85
PID 4672 wrote to memory of 776	4672	nX6Zt2bf.exe	87
PID 4672 wrote to memory of 776	4672	nX6Zt2bf.exe	87
PID 4672 wrote to memory of 776	4672	nX6Zt2bf.exe	87
PID 776 wrote to memory of 1836	776	zB7Vl6Ti.exe	88
PID 776 wrote to memory of 1836	776	zB7Vl6Ti.exe	88
PID 776 wrote to memory of 1836	776	zB7Vl6Ti.exe	88
PID 1836 wrote to memory of 2044	1836	1cW36yn2.exe	91
PID 1836 wrote to memory of 2044	1836	1cW36yn2.exe	91
PID 1836 wrote to memory of 2044	1836	1cW36yn2.exe	91
PID 1836 wrote to memory of 3504	1836	1cW36yn2.exe	92
PID 1836 wrote to memory of 3504	1836	1cW36yn2.exe	92
PID 1836 wrote to memory of 3504	1836	1cW36yn2.exe	92
PID 1836 wrote to memory of 3504	1836	1cW36yn2.exe	92
PID 1836 wrote to memory of 3504	1836	1cW36yn2.exe	92
PID 1836 wrote to memory of 3504	1836	1cW36yn2.exe	92
PID 1836 wrote to memory of 3504	1836	1cW36yn2.exe	92
PID 1836 wrote to memory of 3504	1836	1cW36yn2.exe	92
PID 1836 wrote to memory of 3504	1836	1cW36yn2.exe	92
PID 1836 wrote to memory of 3504	1836	1cW36yn2.exe	92
PID 776 wrote to memory of 2268	776	zB7Vl6Ti.exe	97
PID 776 wrote to memory of 2268	776	zB7Vl6Ti.exe	97
PID 776 wrote to memory of 2268	776	zB7Vl6Ti.exe	97

C:\Users\Admin\AppData\Local\Temp\4958361c2a42ff04e4d71bc10a59d5ce9b6fae6d86deb588a01b229caeadf1c0.exe
"C:\Users\Admin\AppData\Local\Temp\4958361c2a42ff04e4d71bc10a59d5ce9b6fae6d86deb588a01b229caeadf1c0.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5092
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Xi4QD2wJ.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Xi4QD2wJ.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2336
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\io5tb0FD.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\io5tb0FD.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3612
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nX6Zt2bf.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nX6Zt2bf.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4672
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\zB7Vl6Ti.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\zB7Vl6Ti.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:776
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1cW36yn2.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1cW36yn2.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1836
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:2044
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1836 -s 600
        7⤵
        Program crash
        
        PID:4344
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2fC063gW.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2fC063gW.exe
        6⤵
        Executes dropped EXE
        
        PID:2268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1836 -ip 1836
1⤵
PID:1320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Xi4QD2wJ.exe

Filesize
1001KB

MD5
b8a8c75be882773e50038945aac7bb43

SHA1
b50af0107edaaf6c0441ff5631072abfd47bad47

SHA256
77ec06df7b750c75f64e81c0b521307b7ba1c68d28343fec6d5fa73ff3ca508f

SHA512
0c50cb89567bacd3dca9dfb3da128d3a52dab29c2c1e3a61537edc5af96dd2e4b8ce67ff842453561a334e70fc10ed2a627cd3b84ed6aacbd30f2154e351c0dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\io5tb0FD.exe

Filesize
811KB

MD5
e395ae5e7f352059eff9bf2cce065e55

SHA1
4293a92e811c5e0b21d53d0cb889b8ded7bc6152

SHA256
3c8be5b508cdc2194b05a105d6ff057c5234da2d724c43c66a9b62321e6e4c27

SHA512
1e3345966f8a8aa221422c9a0d6bd8ac325ceb7be68f51387bbcf7186ace17963c2e4c2873329093c61d60e6067706698d34d16bb0f2fc3658490710d22ae1f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nX6Zt2bf.exe

Filesize
577KB

MD5
9d38cb7f6c83be302136f0da1c1f849f

SHA1
975b3ebd62705a8ceb2e2d94aeb1b8253a02ee30

SHA256
1349723e88b65f67dd77d8839796322a6fe54d0390f2ca8f664c79e041d20583

SHA512
173305678e581804331b74f68cc9c63b6756c105a090f138c14e1db188790b145a072a362d7dd4e589d146b6d8f971e853df7eff25695871067be1b43d1c9cc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\zB7Vl6Ti.exe

Filesize
382KB

MD5
69503311cf02a9bee256e68bb6900d02

SHA1
71c10ee83fcf5766befcb7396138294b812654c5

SHA256
3789187c5f7c77068c5c8438a5d5ef85bccd8403ab21870e3affc51204ef02bc

SHA512
104319cd9a9060be64135ecc29b8dcf2fc3d214e728361df2ad4b45585cb981866e31afd1a5b01ed8ea936edbe16351a13dd5b80c784d93205c7774d6b77c6a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1cW36yn2.exe

Filesize
295KB

MD5
09245b1b46861d01f3dbea9bc3f6d90d

SHA1
acfaeae86f444b91c5853d7ac80edc93e3e1391f

SHA256
364d7e3a40c314339df5e3e60c4517f74eee767689b2824e85bfbcae091c3ca8

SHA512
83a391e9c086d6bdf8ecf930ac2aa183b5153ef67addf959280749137782e11f84bcf2f5a9976f26fa552f0e870034a34de5c689327769c22ab7b5e52cecb37c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2fC063gW.exe

Filesize
222KB

MD5
55f47b913446fadf8267a530c5128d95

SHA1
28e916362aafe3d35328e22d264842f5897c70e2

SHA256
d6bbe9b191f8037ceb5fd1d1b5266186b8ade1afa485cf9face779aea5f74257

SHA512
01447d8fea35e429a6060a3886b69e1ae5e3bf0e5c1d9620e5846428d50ba72105578a0cb02e574e6c9253c4d1b2ca480d520f6d39839eb9a8d8c2b40193b0d1

Download Submit
memory/2268-42-0x0000000000B70000-0x0000000000BAE000-memory.dmp

Filesize
248KB

Download
memory/2268-43-0x0000000007F80000-0x0000000008524000-memory.dmp

Filesize
5.6MB

Download
memory/2268-44-0x0000000007A70000-0x0000000007B02000-memory.dmp

Filesize
584KB

Download
memory/2268-45-0x0000000005000000-0x000000000500A000-memory.dmp

Filesize
40KB

Download
memory/2268-46-0x0000000008B50000-0x0000000009168000-memory.dmp

Filesize
6.1MB

Download
memory/2268-47-0x0000000008530000-0x000000000863A000-memory.dmp

Filesize
1.0MB

Download
memory/2268-48-0x0000000007B60000-0x0000000007B72000-memory.dmp

Filesize
72KB

Download
memory/2268-49-0x0000000007BF0000-0x0000000007C2C000-memory.dmp

Filesize
240KB

Download
memory/2268-50-0x0000000007B90000-0x0000000007BDC000-memory.dmp

Filesize
304KB

Download
memory/3504-38-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3504-36-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3504-35-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads