mystic | cc5e37d73955fc0316a074c4b20f0296dee40952f8d275b2c6c6eb4eb0947059

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 05:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2800d64eb3bc5b7c1f807e9baaf76c469f1d63f07cc116fb310c5c866087d931.exe
Size

1.1MB
MD5

970cebd220b029f825b123655aa738f0
SHA1

9f36d37a6ff67d00e1eae8114acf2efaac6a3a1d
SHA256

2800d64eb3bc5b7c1f807e9baaf76c469f1d63f07cc116fb310c5c866087d931
SHA512

aaeb2d0307843b73b03609bea764d95ed871076a6fc0b95a9e50c09b303c1009558086c1ad5bdc16f23c0e769007a4c9d0743a1b17281014bd7efbecaea358bf
SSDEEP

24576:VyVq1fbot71KmfaA+5+MrTOnbX/S4tJ5iFbaQ9Qe2w9rG7:wVqpmzhT8TmX35iL9V2SrG

Score

10^/10

mystic redline kukish infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kukish

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 3 IoCs

Processes:

resource	yara_rule
behavioral4/memory/4216-35-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral4/memory/4216-41-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral4/memory/4216-39-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Rz339yU.exe	family_redline
behavioral4/memory/3036-42-0x00000000008E0000-0x000000000091E000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

Processes:

RR8tE9MD.exefk5AT9qf.exeOT7za0gK.exebv2Pn2wB.exe1HW27Pj0.exe2Rz339yU.exe

pid process

2164 RR8tE9MD.exe
4804 fk5AT9qf.exe
5036 OT7za0gK.exe
4100 bv2Pn2wB.exe
3552 1HW27Pj0.exe
3036 2Rz339yU.exe

pid	process
2164	RR8tE9MD.exe
4804	fk5AT9qf.exe
5036	OT7za0gK.exe
4100	bv2Pn2wB.exe
3552	1HW27Pj0.exe
3036	2Rz339yU.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

RR8tE9MD.exefk5AT9qf.exeOT7za0gK.exebv2Pn2wB.exe2800d64eb3bc5b7c1f807e9baaf76c469f1d63f07cc116fb310c5c866087d931.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	RR8tE9MD.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	fk5AT9qf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	OT7za0gK.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	bv2Pn2wB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	2800d64eb3bc5b7c1f807e9baaf76c469f1d63f07cc116fb310c5c866087d931.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

1HW27Pj0.exe

description pid process target process

PID 3552 set thread context of 4216 3552 1HW27Pj0.exe AppLaunch.exe

description	pid	process	target process
PID 3552 set thread context of 4216	3552	1HW27Pj0.exe	AppLaunch.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

2800d64eb3bc5b7c1f807e9baaf76c469f1d63f07cc116fb310c5c866087d931.exeRR8tE9MD.exefk5AT9qf.exeOT7za0gK.exebv2Pn2wB.exe1HW27Pj0.exe

description	pid	process	target process
PID 2228 wrote to memory of 2164	2228	2800d64eb3bc5b7c1f807e9baaf76c469f1d63f07cc116fb310c5c866087d931.exe	RR8tE9MD.exe
PID 2228 wrote to memory of 2164	2228	2800d64eb3bc5b7c1f807e9baaf76c469f1d63f07cc116fb310c5c866087d931.exe	RR8tE9MD.exe
PID 2228 wrote to memory of 2164	2228	2800d64eb3bc5b7c1f807e9baaf76c469f1d63f07cc116fb310c5c866087d931.exe	RR8tE9MD.exe
PID 2164 wrote to memory of 4804	2164	RR8tE9MD.exe	fk5AT9qf.exe
PID 2164 wrote to memory of 4804	2164	RR8tE9MD.exe	fk5AT9qf.exe
PID 2164 wrote to memory of 4804	2164	RR8tE9MD.exe	fk5AT9qf.exe
PID 4804 wrote to memory of 5036	4804	fk5AT9qf.exe	OT7za0gK.exe
PID 4804 wrote to memory of 5036	4804	fk5AT9qf.exe	OT7za0gK.exe
PID 4804 wrote to memory of 5036	4804	fk5AT9qf.exe	OT7za0gK.exe
PID 5036 wrote to memory of 4100	5036	OT7za0gK.exe	bv2Pn2wB.exe
PID 5036 wrote to memory of 4100	5036	OT7za0gK.exe	bv2Pn2wB.exe
PID 5036 wrote to memory of 4100	5036	OT7za0gK.exe	bv2Pn2wB.exe
PID 4100 wrote to memory of 3552	4100	bv2Pn2wB.exe	1HW27Pj0.exe
PID 4100 wrote to memory of 3552	4100	bv2Pn2wB.exe	1HW27Pj0.exe
PID 4100 wrote to memory of 3552	4100	bv2Pn2wB.exe	1HW27Pj0.exe
PID 3552 wrote to memory of 4216	3552	1HW27Pj0.exe	AppLaunch.exe
PID 3552 wrote to memory of 4216	3552	1HW27Pj0.exe	AppLaunch.exe
PID 3552 wrote to memory of 4216	3552	1HW27Pj0.exe	AppLaunch.exe
PID 3552 wrote to memory of 4216	3552	1HW27Pj0.exe	AppLaunch.exe
PID 3552 wrote to memory of 4216	3552	1HW27Pj0.exe	AppLaunch.exe
PID 3552 wrote to memory of 4216	3552	1HW27Pj0.exe	AppLaunch.exe
PID 3552 wrote to memory of 4216	3552	1HW27Pj0.exe	AppLaunch.exe
PID 3552 wrote to memory of 4216	3552	1HW27Pj0.exe	AppLaunch.exe
PID 3552 wrote to memory of 4216	3552	1HW27Pj0.exe	AppLaunch.exe
PID 3552 wrote to memory of 4216	3552	1HW27Pj0.exe	AppLaunch.exe
PID 4100 wrote to memory of 3036	4100	bv2Pn2wB.exe	2Rz339yU.exe
PID 4100 wrote to memory of 3036	4100	bv2Pn2wB.exe	2Rz339yU.exe
PID 4100 wrote to memory of 3036	4100	bv2Pn2wB.exe	2Rz339yU.exe

C:\Users\Admin\AppData\Local\Temp\2800d64eb3bc5b7c1f807e9baaf76c469f1d63f07cc116fb310c5c866087d931.exe
"C:\Users\Admin\AppData\Local\Temp\2800d64eb3bc5b7c1f807e9baaf76c469f1d63f07cc116fb310c5c866087d931.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2228
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RR8tE9MD.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RR8tE9MD.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2164
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\fk5AT9qf.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\fk5AT9qf.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4804
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\OT7za0gK.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\OT7za0gK.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:5036
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bv2Pn2wB.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bv2Pn2wB.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4100
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1HW27Pj0.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1HW27Pj0.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3552
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:4216
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Rz339yU.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Rz339yU.exe
        6⤵
        Executes dropped EXE
        
        PID:3036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RR8tE9MD.exe

Filesize
1.0MB

MD5
8e9d8ebcd2382ffc899a5a5e1852f2f6

SHA1
497df074b848357ceba2b44b77e07350d4d6ef03

SHA256
1b0e648da1469efd1f02f740ad043a935878ac312183bfc65a9f988468e64698

SHA512
2f16389bc7e069bc62dd97ef29eeb39c492fdbefe0e11bdcb134962b407be4b3bd79a797884828f5ec8e09e2b9d60222e589800f1c7553198107ac8a9f3e1fd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\fk5AT9qf.exe

Filesize
843KB

MD5
1ddcb5112b7c1e5326c7ec5e87173aed

SHA1
fcf501bfb4ccb5c3e5340db382e045d9f32881eb

SHA256
1a8a236034e2c576c6924026692b9f6524cc548a59e92f569dc76589ba9fd67e

SHA512
9b0620dbf55d0db60fef5fa0059c69c6647e2166759454ea9d0c5e50ceda6cb031c2480e69d7af3fa2d4913307f912b9379a3afd8455b90954881817ae044ff6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\OT7za0gK.exe

Filesize
593KB

MD5
70e9a0ec14e10ce0e549a2dcd38a0b01

SHA1
e5f6023476ab7b7c868bb7440dab33acc700be27

SHA256
c08512817ad45bb8fab043e5e41b577220217b063ca6d89d314b7dba86f730e0

SHA512
6ed52977ec50f4c2e4437d230ff5fe1857231aa52e4110968cec51115f8771de5dfa3d83b782756936adc969beb44c02cdf25caca311ce551b2ba52df47c9d41

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bv2Pn2wB.exe

Filesize
398KB

MD5
fc1574455426b3e4ca876f876a77cee1

SHA1
8c3e40e1ee8c07740ea61e415875bb5eed8e95f7

SHA256
ceff140b6c413473c4309a57608fe3a5a05afbad828760151b1c8c25c5fedebf

SHA512
b71372a95d91d12e220ae3dedf80f69514732808663da5b7bd194169a2ea4ec14171e2bab9ebef2d595ad3182e059b9b86b651afb0fbbdc02dbf2f6bb1f34f43

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1HW27Pj0.exe

Filesize
320KB

MD5
349e1ef09460edbf392bed66ad938a27

SHA1
45364d14af3c063e9793be9ef2d3c312e8110894

SHA256
a07295c522b29f5e25bc86c97f8483d53711b2712d0aad7345ab4485fd49d3c6

SHA512
43fe5811dead7094849a9fe7f83a805e00cd5fb644e50d72eaed1262f5d5de4444b5d8524a334414f31776f8afb76b3dbf8daed611c09b2d32926d3552725f80

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Rz339yU.exe

Filesize
222KB

MD5
7c36d42a30566d10c40e4e64dcf79785

SHA1
56571c58a5648bf3115c3803faf5c58dc9b8c949

SHA256
1dc4cd3ca1a6aff16fb952a20799590abeeb1c070dd3fe8ee4f3f48aba341a7d

SHA512
8ac190dc1fb969b7024d1c7e84e9cd6f7eafd7d662f79230de542139aedbc0a87cebf8cf49aaaf7e3a7fc1b1165bde15e702446126ceb360da7a8401ae1a0c32

Download Submit
memory/3036-45-0x0000000004DD0000-0x0000000004DDA000-memory.dmp

Filesize
40KB

Download
memory/3036-42-0x00000000008E0000-0x000000000091E000-memory.dmp

Filesize
248KB

Download
memory/3036-43-0x0000000007CB0000-0x0000000008254000-memory.dmp

Filesize
5.6MB

Download
memory/3036-44-0x00000000077E0000-0x0000000007872000-memory.dmp

Filesize
584KB

Download
memory/3036-46-0x0000000008880000-0x0000000008E98000-memory.dmp

Filesize
6.1MB

Download
memory/3036-47-0x0000000008260000-0x000000000836A000-memory.dmp

Filesize
1.0MB

Download
memory/3036-48-0x00000000078D0000-0x00000000078E2000-memory.dmp

Filesize
72KB

Download
memory/3036-49-0x0000000007940000-0x000000000797C000-memory.dmp

Filesize
240KB

Download
memory/3036-50-0x0000000007980000-0x00000000079CC000-memory.dmp

Filesize
304KB

Download
memory/4216-41-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4216-39-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4216-35-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download