mystic | ffe8fa0cf1ed446eeb9dc6eef440d6e2121396f13b66e26a431adcd9f2d605e3

Analysis

max time kernel
134s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 19:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4ee34ec273a7f43b89678eff087bf31e1b510415dcbb3ef6c8fcf0c06f036669.exe
Size

271KB
MD5

083ef6f2294813c0726842c851aa5678
SHA1

4245d5c4be3f5580bf5bb2d0ab5ace4c077786f0
SHA256

4ee34ec273a7f43b89678eff087bf31e1b510415dcbb3ef6c8fcf0c06f036669
SHA512

0a78098a2cdf0b16defde233d9068fac53e8b5cffec0a4336c15585b15683b7fa0cd44d24c767b7182eae80fe4883ca4d04607020ce80af6975184c2b7dc1ab1
SSDEEP

6144:KKy+bnr+Cp0yN90QE1rQPo8mc84Rh5z+IM5iLWUg:2Mriy90AQ8mNOhQIBWUg

Score

10^/10

mystic redline ramon infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

ramon

77.91.124.82:19071

Attributes

auth_value
3197576965d9513f115338c233015b40

Signatures

Detect Mystic stealer payload 1 IoCs

resource	yara_rule
behavioral8/files/0x000900000002343e-6.dat	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral8/files/0x0007000000023456-8.dat	family_redline
behavioral8/memory/4292-11-0x0000000000AF0000-0x0000000000B20000-memory.dmp	family_redline

Executes dropped EXE 2 IoCs

pid	Process
4364	m3984254.exe
4292	n2504822.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	4ee34ec273a7f43b89678eff087bf31e1b510415dcbb3ef6c8fcf0c06f036669.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3196 wrote to memory of 4364	3196	4ee34ec273a7f43b89678eff087bf31e1b510415dcbb3ef6c8fcf0c06f036669.exe	85
PID 3196 wrote to memory of 4364	3196	4ee34ec273a7f43b89678eff087bf31e1b510415dcbb3ef6c8fcf0c06f036669.exe	85
PID 3196 wrote to memory of 4364	3196	4ee34ec273a7f43b89678eff087bf31e1b510415dcbb3ef6c8fcf0c06f036669.exe	85
PID 3196 wrote to memory of 4292	3196	4ee34ec273a7f43b89678eff087bf31e1b510415dcbb3ef6c8fcf0c06f036669.exe	86
PID 3196 wrote to memory of 4292	3196	4ee34ec273a7f43b89678eff087bf31e1b510415dcbb3ef6c8fcf0c06f036669.exe	86
PID 3196 wrote to memory of 4292	3196	4ee34ec273a7f43b89678eff087bf31e1b510415dcbb3ef6c8fcf0c06f036669.exe	86

C:\Users\Admin\AppData\Local\Temp\4ee34ec273a7f43b89678eff087bf31e1b510415dcbb3ef6c8fcf0c06f036669.exe
"C:\Users\Admin\AppData\Local\Temp\4ee34ec273a7f43b89678eff087bf31e1b510415dcbb3ef6c8fcf0c06f036669.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3196
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m3984254.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m3984254.exe
  2⤵
  - Executes dropped EXE
  PID:4364
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n2504822.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n2504822.exe
  2⤵
  - Executes dropped EXE
  PID:4292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m3984254.exe

Filesize
140KB

MD5
b831a3e527544bc0832709093f0685b1

SHA1
4d96ceeed016b4b3f5d90555dcc0a22800ed266e

SHA256
26d026738ed3938513d490fed7132f4a7c31987c985b689f70c1ed0d56a84b4d

SHA512
33a43029fcdb98106d22face02d51bc7e8c6652457ca96e7b53f967475bcbaa74c5dc3e7b24c8a363cbe47e76f4f2ecf5975ae2959eb81ff8765fa4531e677e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n2504822.exe

Filesize
174KB

MD5
3fa88d315e2dba06e6afee51b8e0c22e

SHA1
01c3efb520ee3cce847354719f210d1a67cb310d

SHA256
0cbdd76283ab5e057d9252be4ef7685198210036fff3933687a06de05b23805f

SHA512
90c35f3c387579e601f1bb5ddf42b0368d127cf9946dd462b1ceb290e3865395a395dbc2a6f2900b92f59e65eb667de95bcf74c0ef7ae3f5c8a0f2e2e4fc635e

Download Submit
memory/4292-16-0x0000000005620000-0x000000000565C000-memory.dmp

Filesize
240KB

Download
memory/4292-11-0x0000000000AF0000-0x0000000000B20000-memory.dmp

Filesize
192KB

Download
memory/4292-12-0x0000000005410000-0x0000000005416000-memory.dmp

Filesize
24KB

Download
memory/4292-13-0x0000000005B80000-0x0000000006198000-memory.dmp

Filesize
6.1MB

Download
memory/4292-10-0x000000007464E000-0x000000007464F000-memory.dmp

Filesize
4KB

Download
memory/4292-15-0x00000000055C0000-0x00000000055D2000-memory.dmp

Filesize
72KB

Download
memory/4292-18-0x0000000005790000-0x00000000057DC000-memory.dmp

Filesize
304KB

Download
memory/4292-17-0x0000000074640000-0x0000000074DF0000-memory.dmp

Filesize
7.7MB

Download
memory/4292-14-0x0000000005680000-0x000000000578A000-memory.dmp

Filesize
1.0MB

Download
memory/4292-19-0x000000007464E000-0x000000007464F000-memory.dmp

Filesize
4KB

Download
memory/4292-20-0x0000000074640000-0x0000000074DF0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads