mystic | 47203fc7445c1e0e06643f363dd7d86ccc46b70ab234e5fbfe72badfdd6704ae

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 08:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ca54f6dfd1d165cc099fcff983a1e0d5045ab7589a3cefbb07c34deaf08e0dd5.exe
Size

820KB
MD5

d33443b48c9399fb7256af55874a82b6
SHA1

b6163279131f120ace8ccea306480ee4d507953b
SHA256

ca54f6dfd1d165cc099fcff983a1e0d5045ab7589a3cefbb07c34deaf08e0dd5
SHA512

71f3f23f7325fd17836c065887c7eeb71e955117cd98a02c3e5ab2ed61d49207c611c8712c33f6d63c3a0b7488e6b4e37c7cf07f1f57bdbda24f615fab64c13e
SSDEEP

12288:1Mrty909/n92wPfDYIalgf3zW6dRqymoT9WVSTpwESCqScmndB/Nj/iwAYGhaju/:wyOFxP7YfCBLWQ3nddR/puvWD6Erw1

Score

10^/10

mystic redline kukish infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kukish

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral17/memory/2596-21-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral17/memory/2596-23-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral17/memory/2596-25-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral17/memory/2596-22-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral17/files/0x0007000000023408-26.dat	family_redline
behavioral17/memory/3564-29-0x0000000000D40000-0x0000000000D7E000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

pid	Process
212	ZN8gG5AB.exe
2260	GE2Zv4KE.exe
604	1ts41dp1.exe
3564	2jp904bl.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ca54f6dfd1d165cc099fcff983a1e0d5045ab7589a3cefbb07c34deaf08e0dd5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	ZN8gG5AB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	GE2Zv4KE.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 604 set thread context of 2596	604	1ts41dp1.exe	99

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4892	604	WerFault.exe	85

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 4760 wrote to memory of 212	4760	ca54f6dfd1d165cc099fcff983a1e0d5045ab7589a3cefbb07c34deaf08e0dd5.exe	83
PID 4760 wrote to memory of 212	4760	ca54f6dfd1d165cc099fcff983a1e0d5045ab7589a3cefbb07c34deaf08e0dd5.exe	83
PID 4760 wrote to memory of 212	4760	ca54f6dfd1d165cc099fcff983a1e0d5045ab7589a3cefbb07c34deaf08e0dd5.exe	83
PID 212 wrote to memory of 2260	212	ZN8gG5AB.exe	84
PID 212 wrote to memory of 2260	212	ZN8gG5AB.exe	84
PID 212 wrote to memory of 2260	212	ZN8gG5AB.exe	84
PID 2260 wrote to memory of 604	2260	GE2Zv4KE.exe	85
PID 2260 wrote to memory of 604	2260	GE2Zv4KE.exe	85
PID 2260 wrote to memory of 604	2260	GE2Zv4KE.exe	85
PID 604 wrote to memory of 2596	604	1ts41dp1.exe	99
PID 604 wrote to memory of 2596	604	1ts41dp1.exe	99
PID 604 wrote to memory of 2596	604	1ts41dp1.exe	99
PID 604 wrote to memory of 2596	604	1ts41dp1.exe	99
PID 604 wrote to memory of 2596	604	1ts41dp1.exe	99
PID 604 wrote to memory of 2596	604	1ts41dp1.exe	99
PID 604 wrote to memory of 2596	604	1ts41dp1.exe	99
PID 604 wrote to memory of 2596	604	1ts41dp1.exe	99
PID 604 wrote to memory of 2596	604	1ts41dp1.exe	99
PID 604 wrote to memory of 2596	604	1ts41dp1.exe	99
PID 2260 wrote to memory of 3564	2260	GE2Zv4KE.exe	103
PID 2260 wrote to memory of 3564	2260	GE2Zv4KE.exe	103
PID 2260 wrote to memory of 3564	2260	GE2Zv4KE.exe	103

C:\Users\Admin\AppData\Local\Temp\ca54f6dfd1d165cc099fcff983a1e0d5045ab7589a3cefbb07c34deaf08e0dd5.exe
"C:\Users\Admin\AppData\Local\Temp\ca54f6dfd1d165cc099fcff983a1e0d5045ab7589a3cefbb07c34deaf08e0dd5.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4760
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ZN8gG5AB.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ZN8gG5AB.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:212
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\GE2Zv4KE.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\GE2Zv4KE.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2260
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1ts41dp1.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1ts41dp1.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:604
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        
        PID:2596
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 604 -s 136
        5⤵
        Program crash
        
        PID:4892
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2jp904bl.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2jp904bl.exe
      4⤵
      Executes dropped EXE
      PID:3564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 604 -ip 604
1⤵
PID:4576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ZN8gG5AB.exe

Filesize
584KB

MD5
1356347519572215b2226ff2f4d5da38

SHA1
2f1d23d34125c7af745d59f168f2ee4cb6cf0950

SHA256
279d7c1914465fbb42d4677eb50c5a02f92314f80c42a3795f5295f1d97be42a

SHA512
7d8d6448e005efa9dd847c401c59e11bfbcdc45934be8a75adf7dca0a5274e0754243fe72db6e23898b2dd547e08e2bdbed5013cb8ed31dcdd6e94ac72166f6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\GE2Zv4KE.exe

Filesize
383KB

MD5
0a675524b6f504686817baa18c3c0418

SHA1
86be01709e5fe498a478bfed8d1d529210fd16cb

SHA256
e245fb6e27067639bc2e102e0e2e2f3708490eb19866cd77b9473af14031324e

SHA512
553c26873bf8e65e22ee32ec471f220e4618b5d485b82df6001dff817e91094efbcba5e84b30f790105d6f95b03d3d3f4e938a6d9bc65c47901ecec75d668e48

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1ts41dp1.exe

Filesize
298KB

MD5
c0ba6ce1ae8be3c06733b0abdbc0d06d

SHA1
58406ab3ca036de6eadd1b82ca07344aa06b0b05

SHA256
d32415f7613d31c40ca688aca0f7fea9bc20d10dbf69a20b65920e89f9d30ddf

SHA512
1352e6d2320b64b5e4ae490058c0fee2ae54c9075091b3576acac454aa0855b77204d8362886428685d130a1fc979633b0db58aa80a5dffd6d57d4e6d27d2ed0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2jp904bl.exe

Filesize
222KB

MD5
73e61849be9c3785be9a784b5c3980ba

SHA1
4570306d03024adaeddf0fc65b87a38a11925399

SHA256
916d37ab2cc4a2ece7e219dc65025fc4b9a5ff3ebed6cc965009c0d27cb8c12f

SHA512
601f5e5e45af5a5fa7590ab2fe32b79fd90db8ec831903c79db64c17d4d7d344765390f69dc58cbc55d0d9763d127a52cc3639ebce07cc9970ede5c8aa554f77

Download Submit
memory/2596-21-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2596-23-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2596-25-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2596-22-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3564-29-0x0000000000D40000-0x0000000000D7E000-memory.dmp

Filesize
248KB

Download
memory/3564-30-0x00000000081E0000-0x0000000008784000-memory.dmp

Filesize
5.6MB

Download
memory/3564-31-0x0000000007C30000-0x0000000007CC2000-memory.dmp

Filesize
584KB

Download
memory/3564-32-0x0000000005280000-0x000000000528A000-memory.dmp

Filesize
40KB

Download
memory/3564-33-0x0000000008DB0000-0x00000000093C8000-memory.dmp

Filesize
6.1MB

Download
memory/3564-34-0x0000000008090000-0x000000000819A000-memory.dmp

Filesize
1.0MB

Download
memory/3564-35-0x0000000007D30000-0x0000000007D42000-memory.dmp

Filesize
72KB

Download
memory/3564-36-0x0000000007EC0000-0x0000000007EFC000-memory.dmp

Filesize
240KB

Download
memory/3564-37-0x0000000007F00000-0x0000000007F4C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads