mystic | cc5e37d73955fc0316a074c4b20f0296dee40952f8d275b2c6c6eb4eb0947059

Analysis

max time kernel
145s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 05:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

21e19370941ed45f65950d345652c8fe76f4f409b0bbb8261c579fb219042338.exe
Size

1.1MB
MD5

990e933e09496f5e13846fe69ceb707a
SHA1

6a8977a1da928de9ec6b61bfd60f5bae10a209e7
SHA256

21e19370941ed45f65950d345652c8fe76f4f409b0bbb8261c579fb219042338
SHA512

531ccdd9bd9393ea4d48174eca858f4de62776ed51a142ba3b677425593e0adecd557c3c1c125173c793e46e74889c9ec15557368b173e3297a51dd1532843e5
SSDEEP

24576:5yIw4LjVhBurow429PCp1zm3jxNyNNUKbhB91NCV/Io7STznuZVBU:sIwwjnBQ42Mp1KHUXNBDNCd7SG

Score

10^/10

mystic redline kukish infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kukish

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 3 IoCs

Processes:

resource	yara_rule
behavioral3/memory/4120-35-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral3/memory/4120-38-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral3/memory/4120-36-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2XH680YB.exe	family_redline
behavioral3/memory/4356-42-0x0000000000AF0000-0x0000000000B2E000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

Processes:

lq9zQ9Pt.exeaf3zj6XV.exepp6RN2qg.exeHY4of7oK.exe1zP54RO3.exe2XH680YB.exe

pid process

4664 lq9zQ9Pt.exe
4064 af3zj6XV.exe
668 pp6RN2qg.exe
3092 HY4of7oK.exe
1480 1zP54RO3.exe
4356 2XH680YB.exe

pid	process
4664	lq9zQ9Pt.exe
4064	af3zj6XV.exe
668	pp6RN2qg.exe
3092	HY4of7oK.exe
1480	1zP54RO3.exe
4356	2XH680YB.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

pp6RN2qg.exeHY4of7oK.exe21e19370941ed45f65950d345652c8fe76f4f409b0bbb8261c579fb219042338.exelq9zQ9Pt.exeaf3zj6XV.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	pp6RN2qg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	HY4of7oK.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	21e19370941ed45f65950d345652c8fe76f4f409b0bbb8261c579fb219042338.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	lq9zQ9Pt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	af3zj6XV.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

1zP54RO3.exe

description pid process target process

PID 1480 set thread context of 4120 1480 1zP54RO3.exe AppLaunch.exe

description	pid	process	target process
PID 1480 set thread context of 4120	1480	1zP54RO3.exe	AppLaunch.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

21e19370941ed45f65950d345652c8fe76f4f409b0bbb8261c579fb219042338.exelq9zQ9Pt.exeaf3zj6XV.exepp6RN2qg.exeHY4of7oK.exe1zP54RO3.exe

description	pid	process	target process
PID 3700 wrote to memory of 4664	3700	21e19370941ed45f65950d345652c8fe76f4f409b0bbb8261c579fb219042338.exe	lq9zQ9Pt.exe
PID 3700 wrote to memory of 4664	3700	21e19370941ed45f65950d345652c8fe76f4f409b0bbb8261c579fb219042338.exe	lq9zQ9Pt.exe
PID 3700 wrote to memory of 4664	3700	21e19370941ed45f65950d345652c8fe76f4f409b0bbb8261c579fb219042338.exe	lq9zQ9Pt.exe
PID 4664 wrote to memory of 4064	4664	lq9zQ9Pt.exe	af3zj6XV.exe
PID 4664 wrote to memory of 4064	4664	lq9zQ9Pt.exe	af3zj6XV.exe
PID 4664 wrote to memory of 4064	4664	lq9zQ9Pt.exe	af3zj6XV.exe
PID 4064 wrote to memory of 668	4064	af3zj6XV.exe	pp6RN2qg.exe
PID 4064 wrote to memory of 668	4064	af3zj6XV.exe	pp6RN2qg.exe
PID 4064 wrote to memory of 668	4064	af3zj6XV.exe	pp6RN2qg.exe
PID 668 wrote to memory of 3092	668	pp6RN2qg.exe	HY4of7oK.exe
PID 668 wrote to memory of 3092	668	pp6RN2qg.exe	HY4of7oK.exe
PID 668 wrote to memory of 3092	668	pp6RN2qg.exe	HY4of7oK.exe
PID 3092 wrote to memory of 1480	3092	HY4of7oK.exe	1zP54RO3.exe
PID 3092 wrote to memory of 1480	3092	HY4of7oK.exe	1zP54RO3.exe
PID 3092 wrote to memory of 1480	3092	HY4of7oK.exe	1zP54RO3.exe
PID 1480 wrote to memory of 4120	1480	1zP54RO3.exe	AppLaunch.exe
PID 1480 wrote to memory of 4120	1480	1zP54RO3.exe	AppLaunch.exe
PID 1480 wrote to memory of 4120	1480	1zP54RO3.exe	AppLaunch.exe
PID 1480 wrote to memory of 4120	1480	1zP54RO3.exe	AppLaunch.exe
PID 1480 wrote to memory of 4120	1480	1zP54RO3.exe	AppLaunch.exe
PID 1480 wrote to memory of 4120	1480	1zP54RO3.exe	AppLaunch.exe
PID 1480 wrote to memory of 4120	1480	1zP54RO3.exe	AppLaunch.exe
PID 1480 wrote to memory of 4120	1480	1zP54RO3.exe	AppLaunch.exe
PID 1480 wrote to memory of 4120	1480	1zP54RO3.exe	AppLaunch.exe
PID 1480 wrote to memory of 4120	1480	1zP54RO3.exe	AppLaunch.exe
PID 3092 wrote to memory of 4356	3092	HY4of7oK.exe	2XH680YB.exe
PID 3092 wrote to memory of 4356	3092	HY4of7oK.exe	2XH680YB.exe
PID 3092 wrote to memory of 4356	3092	HY4of7oK.exe	2XH680YB.exe

C:\Users\Admin\AppData\Local\Temp\21e19370941ed45f65950d345652c8fe76f4f409b0bbb8261c579fb219042338.exe
"C:\Users\Admin\AppData\Local\Temp\21e19370941ed45f65950d345652c8fe76f4f409b0bbb8261c579fb219042338.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3700

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lq9zQ9Pt.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lq9zQ9Pt.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4664

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\af3zj6XV.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\af3zj6XV.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4064

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pp6RN2qg.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pp6RN2qg.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:668

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\HY4of7oK.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\HY4of7oK.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3092

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1zP54RO3.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1zP54RO3.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1480

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
PID:4120

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2XH680YB.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2XH680YB.exe
6⤵
- Executes dropped EXE
PID:4356

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lq9zQ9Pt.exe
Filesize
1.0MB

MD5
1f16f0eb2e04d14e3147eb6e54788ab4

SHA1
36a153028d44d5d2299d93222c327c48409f1832

SHA256
b873deccb66ebb9e57c11e0088cf0a236014dcb4f90abebe1b4a5354935e4d18

SHA512
a3e88edfe9063f88488c7564bb621b1526f1aacee2ebb73be4895984ccf3dd2263cdac5fe334f00caeab553d4f09be445354946163b6b92f6981506ec749fc2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\af3zj6XV.exe
Filesize
839KB

MD5
184dd395b1fd2b0c8d032778ee033659

SHA1
645e5aed561bdcb1fc7e50039c169d044a9acd06

SHA256
86da67ed41775a46fcdc8e53e5a39690eaf3aee313e766cc3a813c6619c562e5

SHA512
2cc8329dccc618d926691d0c21a50974e2588dc6ddadcc64302173da3de55f6e181452ed21a9128a71d5a5797322c0fb3b87f3f4a3ebbdbb16ffdd792c263cbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pp6RN2qg.exe
Filesize
590KB

MD5
cf673828d02c0814d2be6c5f49b7eb36

SHA1
9b519b2aa23eb55c0cd5615cdbfc6871e58f0260

SHA256
e88715761f7a00ebd5a508321c183f41b0f5dbcc7ca483b94ce217abcda2cd37

SHA512
a624e44ab68246088460b32938382b1691797dc3c274703ace15ce1e5b7ed084a5c896df5d385bc43748cecab94720b07fd67d3bc1b3560386d5b99ef1bdc1ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\HY4of7oK.exe
Filesize
396KB

MD5
3423f160db402e390bb637926801cd32

SHA1
3471dffeb22df07b2ff25771c932d84a0b457027

SHA256
cc01af79dfd34827ef82f6f7611531a281a6ec338af5eb4e340ab478690ff9f0

SHA512
07cfde8dbb133701d7cb698bafd8524e70aa0e49dd48956bad6b0cd05bbeb8a21759ac899e2b32cb1ff6f64f67465f93c7b1adfbbd9c607a1f8a1228bbb6fc4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1zP54RO3.exe
Filesize
314KB

MD5
dfc70f27e8c491def85d422a5145eced

SHA1
5392d2453d0c4fe6d412e6f93c8d2971e6108ad0

SHA256
776d140501896cf58813b6f958a052830fee9c2ecd5801c0eb420e5a4c6aa522

SHA512
a3361d99b27faa1bff2333831a1d3d9cae25dad704ac08931b3e6ebc325dcaa133d9366414da899a912cb8d29daff09f6cd99c3ce1d234b72562e93d69991fdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2XH680YB.exe
Filesize
222KB

MD5
21eafed840b66a76a217e04b559c23d2

SHA1
4c37b470fbc8dc860f768a134543e048625f7c49

SHA256
b7806ec9b1c4c1438d727ea7238393a9b39e6b42f272f64a60c85d9712b253bf

SHA512
2052508c9dcbde075445bc804cf0792ee212d17a24c654f2221cf6cb5bccb122a3ea56b9f5c8198776d5562de9c564baf1cc4b89bf06619da5e2c352888133ff

Download Submit
memory/4120-36-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4120-38-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4120-35-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4356-42-0x0000000000AF0000-0x0000000000B2E000-memory.dmp

Filesize
248KB

Download
memory/4356-43-0x0000000007F90000-0x0000000008534000-memory.dmp

Filesize
5.6MB

Download
memory/4356-44-0x0000000007A80000-0x0000000007B12000-memory.dmp

Filesize
584KB

Download
memory/4356-45-0x0000000004FD0000-0x0000000004FDA000-memory.dmp

Filesize
40KB

Download
memory/4356-46-0x0000000008B60000-0x0000000009178000-memory.dmp

Filesize
6.1MB

Download
memory/4356-47-0x0000000007E50000-0x0000000007F5A000-memory.dmp

Filesize
1.0MB

Download
memory/4356-49-0x0000000007B60000-0x0000000007B9C000-memory.dmp

Filesize
240KB

Download
memory/4356-48-0x0000000007A40000-0x0000000007A52000-memory.dmp

Filesize
72KB

Download
memory/4356-50-0x0000000007BD0000-0x0000000007C1C000-memory.dmp

Filesize
304KB

Download