mystic | 47203fc7445c1e0e06643f363dd7d86ccc46b70ab234e5fbfe72badfdd6704ae

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 08:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9b49de72ab9ae9caaaf0da01fbe6d5bef6546c46b1e0c0b4c4c3f211eaec728f.exe
Size

1.1MB
MD5

d4eb079de1ab0ac84e37b3962f93c7fb
SHA1

5a3d086afad18c9ff744920abcb1ecdb7ea21e7f
SHA256

9b49de72ab9ae9caaaf0da01fbe6d5bef6546c46b1e0c0b4c4c3f211eaec728f
SHA512

7cf20358baa6de9e1cf07cf075e5207114c39422354357550a4b4373c7b658e104382672006e520831022f229d946847b625d6e9d2e766e298ef3143a5667927
SSDEEP

24576:qySdf32T6YZO24dqCqceSWcxTkd0p3FyXiNjkEtLxPj7bgOU:xCf3+Hc7KSHqC3wSVxPjIO

Score

10^/10

mystic redline kukish infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kukish

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 3 IoCs

Processes:

resource	yara_rule
behavioral12/memory/2132-35-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral12/memory/2132-36-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral12/memory/2132-38-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2xj253ya.exe	family_redline
behavioral12/memory/2140-42-0x0000000000C60000-0x0000000000C9E000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

Processes:

KC4dP6Dz.exeaC8Ep3kJ.exemz9Dv5rL.exezN9ng2Hs.exe1ue88pr5.exe2xj253ya.exe

pid process

3904 KC4dP6Dz.exe
5020 aC8Ep3kJ.exe
1444 mz9Dv5rL.exe
4636 zN9ng2Hs.exe
4472 1ue88pr5.exe
2140 2xj253ya.exe

pid	process
3904	KC4dP6Dz.exe
5020	aC8Ep3kJ.exe
1444	mz9Dv5rL.exe
4636	zN9ng2Hs.exe
4472	1ue88pr5.exe
2140	2xj253ya.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

9b49de72ab9ae9caaaf0da01fbe6d5bef6546c46b1e0c0b4c4c3f211eaec728f.exeKC4dP6Dz.exeaC8Ep3kJ.exemz9Dv5rL.exezN9ng2Hs.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	9b49de72ab9ae9caaaf0da01fbe6d5bef6546c46b1e0c0b4c4c3f211eaec728f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	KC4dP6Dz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	aC8Ep3kJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	mz9Dv5rL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	zN9ng2Hs.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

1ue88pr5.exe

description pid process target process

PID 4472 set thread context of 2132 4472 1ue88pr5.exe AppLaunch.exe

description	pid	process	target process
PID 4472 set thread context of 2132	4472	1ue88pr5.exe	AppLaunch.exe

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

9b49de72ab9ae9caaaf0da01fbe6d5bef6546c46b1e0c0b4c4c3f211eaec728f.exeKC4dP6Dz.exeaC8Ep3kJ.exemz9Dv5rL.exezN9ng2Hs.exe1ue88pr5.exe

description	pid	process	target process
PID 3892 wrote to memory of 3904	3892	9b49de72ab9ae9caaaf0da01fbe6d5bef6546c46b1e0c0b4c4c3f211eaec728f.exe	KC4dP6Dz.exe
PID 3892 wrote to memory of 3904	3892	9b49de72ab9ae9caaaf0da01fbe6d5bef6546c46b1e0c0b4c4c3f211eaec728f.exe	KC4dP6Dz.exe
PID 3892 wrote to memory of 3904	3892	9b49de72ab9ae9caaaf0da01fbe6d5bef6546c46b1e0c0b4c4c3f211eaec728f.exe	KC4dP6Dz.exe
PID 3904 wrote to memory of 5020	3904	KC4dP6Dz.exe	aC8Ep3kJ.exe
PID 3904 wrote to memory of 5020	3904	KC4dP6Dz.exe	aC8Ep3kJ.exe
PID 3904 wrote to memory of 5020	3904	KC4dP6Dz.exe	aC8Ep3kJ.exe
PID 5020 wrote to memory of 1444	5020	aC8Ep3kJ.exe	mz9Dv5rL.exe
PID 5020 wrote to memory of 1444	5020	aC8Ep3kJ.exe	mz9Dv5rL.exe
PID 5020 wrote to memory of 1444	5020	aC8Ep3kJ.exe	mz9Dv5rL.exe
PID 1444 wrote to memory of 4636	1444	mz9Dv5rL.exe	zN9ng2Hs.exe
PID 1444 wrote to memory of 4636	1444	mz9Dv5rL.exe	zN9ng2Hs.exe
PID 1444 wrote to memory of 4636	1444	mz9Dv5rL.exe	zN9ng2Hs.exe
PID 4636 wrote to memory of 4472	4636	zN9ng2Hs.exe	1ue88pr5.exe
PID 4636 wrote to memory of 4472	4636	zN9ng2Hs.exe	1ue88pr5.exe
PID 4636 wrote to memory of 4472	4636	zN9ng2Hs.exe	1ue88pr5.exe
PID 4472 wrote to memory of 2864	4472	1ue88pr5.exe	AppLaunch.exe
PID 4472 wrote to memory of 2864	4472	1ue88pr5.exe	AppLaunch.exe
PID 4472 wrote to memory of 2864	4472	1ue88pr5.exe	AppLaunch.exe
PID 4472 wrote to memory of 536	4472	1ue88pr5.exe	AppLaunch.exe
PID 4472 wrote to memory of 536	4472	1ue88pr5.exe	AppLaunch.exe
PID 4472 wrote to memory of 536	4472	1ue88pr5.exe	AppLaunch.exe
PID 4472 wrote to memory of 2132	4472	1ue88pr5.exe	AppLaunch.exe
PID 4472 wrote to memory of 2132	4472	1ue88pr5.exe	AppLaunch.exe
PID 4472 wrote to memory of 2132	4472	1ue88pr5.exe	AppLaunch.exe
PID 4472 wrote to memory of 2132	4472	1ue88pr5.exe	AppLaunch.exe
PID 4472 wrote to memory of 2132	4472	1ue88pr5.exe	AppLaunch.exe
PID 4472 wrote to memory of 2132	4472	1ue88pr5.exe	AppLaunch.exe
PID 4472 wrote to memory of 2132	4472	1ue88pr5.exe	AppLaunch.exe
PID 4472 wrote to memory of 2132	4472	1ue88pr5.exe	AppLaunch.exe
PID 4472 wrote to memory of 2132	4472	1ue88pr5.exe	AppLaunch.exe
PID 4472 wrote to memory of 2132	4472	1ue88pr5.exe	AppLaunch.exe
PID 4636 wrote to memory of 2140	4636	zN9ng2Hs.exe	2xj253ya.exe
PID 4636 wrote to memory of 2140	4636	zN9ng2Hs.exe	2xj253ya.exe
PID 4636 wrote to memory of 2140	4636	zN9ng2Hs.exe	2xj253ya.exe

C:\Users\Admin\AppData\Local\Temp\9b49de72ab9ae9caaaf0da01fbe6d5bef6546c46b1e0c0b4c4c3f211eaec728f.exe
"C:\Users\Admin\AppData\Local\Temp\9b49de72ab9ae9caaaf0da01fbe6d5bef6546c46b1e0c0b4c4c3f211eaec728f.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3892

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\KC4dP6Dz.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\KC4dP6Dz.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3904

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\aC8Ep3kJ.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\aC8Ep3kJ.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5020

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mz9Dv5rL.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mz9Dv5rL.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1444

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\zN9ng2Hs.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\zN9ng2Hs.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4636

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1ue88pr5.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1ue88pr5.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4472

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
PID:2864

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
PID:536

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
PID:2132

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2xj253ya.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2xj253ya.exe
6⤵
- Executes dropped EXE
PID:2140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\KC4dP6Dz.exe

Filesize
1.0MB

MD5
d57014c460afdbdd8855ec39c10381ae

SHA1
66dfd169fe55869751effefb2bd7deb8f5d2a885

SHA256
a0d7530efc1f278c524d141d72928c381a1ba89996bc48a5dd37c19d040c0941

SHA512
9b71d664be61aacc8cce526891dbcac9106d5b5cbd9f24585c898416d354b0fba0e9748b4b73f8179eaad15eb7bb148177d6972966c5027a504092c9474f864c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\aC8Ep3kJ.exe

Filesize
839KB

MD5
a1af291f11718026c5389177c8c3351f

SHA1
409c8ab525024b35d1122e7904bd4f2c12212474

SHA256
9bf0c34247430748d059baa7efe83d7001861ffb57caecf1dd09fd993b605429

SHA512
2c1ce14e5c3ea39265b2f4596bd72153192ba9e0e275f1893597de5b377e2bc38d3e1f6be0b329ebbfbeacec5206c641d069f194804848c762c5f0d5dc4d556b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mz9Dv5rL.exe

Filesize
591KB

MD5
97ac7c7fb76b7d9d14c7e5ced801d5cd

SHA1
4d0812c719dd9e4ffc3e1649de0fdf9d36ef9257

SHA256
4b4f8f7e80b64da51496e517b02ac6d78aefb8ab3c8f9e268daf84c1c52ccf1f

SHA512
128b2f786a7b53647b876b9fe4c9f7b2cb61f287ffe6fde4ff17f723edd76c909915c34ed9a097bcad3a297ea57069312377c441d42978c14272a2920265cf59

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\zN9ng2Hs.exe

Filesize
396KB

MD5
e4b7e6795aa65a1fd0671b89eb25fbd2

SHA1
5a4c2556ebd36073ac866106fc842fba0467b055

SHA256
2f582272777de51bb5e2b8f214c796a0b250e78bfbf8a131ca99d6ca0e9cf262

SHA512
92f6b5f8c4730c834fc3982b9833e94a6d91bb501cb4816f016761169a5163e6c06d3610a88a62653468e2a064ed1994f8f4b082b9285fcfa435ec51ef0025d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1ue88pr5.exe

Filesize
314KB

MD5
cd8b0b182768d7b16455f96196adedb5

SHA1
d554d3e37b6b9794fce3e691492f6d5bd15dbcd7

SHA256
03867b690d2dc419b4a5295d29ea09abd0eb2d19a19a53a6e667b6a665762291

SHA512
58ab27d605fea0ae342eb857be659758580042f4f10a4005bf9514c62b20ba3ed4945a02d73c559478afc1d2124e26a3f7b7eca0016a633ecb47563f99c3d816

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2xj253ya.exe

Filesize
222KB

MD5
81bd277c6c50dc5a7388a6fbe2ff6026

SHA1
86a9fa2593fb92db39a406a919a0967b25920a2b

SHA256
841637983861aed7ce0b8598a50b090427a1d2419edd9eca3ebc56081e92c8aa

SHA512
e1c98fcdd44e386414cbc73bb7e4fd011fe39f27147604cd01bf474a7b061f8938c71ecff936509ce9a2e8d890f0a7d8dd703613f0347474c44b88266592f216

Download Submit
memory/2132-36-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2132-38-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2132-35-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2140-42-0x0000000000C60000-0x0000000000C9E000-memory.dmp

Filesize
248KB

Download
memory/2140-43-0x0000000008070000-0x0000000008614000-memory.dmp

Filesize
5.6MB

Download
memory/2140-44-0x0000000007B60000-0x0000000007BF2000-memory.dmp

Filesize
584KB

Download
memory/2140-45-0x00000000050D0000-0x00000000050DA000-memory.dmp

Filesize
40KB

Download
memory/2140-46-0x0000000008C40000-0x0000000009258000-memory.dmp

Filesize
6.1MB

Download
memory/2140-47-0x0000000008620000-0x000000000872A000-memory.dmp

Filesize
1.0MB

Download
memory/2140-48-0x0000000007C50000-0x0000000007C62000-memory.dmp

Filesize
72KB

Download
memory/2140-49-0x0000000007CE0000-0x0000000007D1C000-memory.dmp

Filesize
240KB

Download
memory/2140-50-0x0000000007C80000-0x0000000007CCC000-memory.dmp

Filesize
304KB

Download