mystic | 47203fc7445c1e0e06643f363dd7d86ccc46b70ab234e5fbfe72badfdd6704ae

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 08:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cf9a62d5a117aaa03d348685a49a3a176c6dd3ef98e68cdcecaabe67cee3aab4.exe
Size

1.1MB
MD5

95573ab04fabc6686129f917a970354b
SHA1

580c9581f15227a6f3b338d4cb7c50faa77e0cf3
SHA256

cf9a62d5a117aaa03d348685a49a3a176c6dd3ef98e68cdcecaabe67cee3aab4
SHA512

cf50641dce3a009b68071be0e80df5778a3344fecdf328e1b44e91b5e8b1b555b12543a1f799124862a6db13af3af0c6f87680ec2fb81cff20b1c682fe78d89c
SSDEEP

24576:fyjP1DXW75bmjvQpgiIjaR1ai8mj2sGEcSC3R+gAGxD:qjdDXsy0rR1Bd2sGEcSC33nx

Score

10^/10

mystic redline kukish infostealer persistence stealer

Malware Config

Extracted

Family

mystic

http://5.42.92.211/

Extracted

Family

redline

Botnet

kukish

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 3 IoCs

resource	yara_rule
behavioral19/memory/4852-28-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral19/memory/4852-31-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral19/memory/4852-29-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral19/files/0x0007000000023433-33.dat	family_redline
behavioral19/memory/4088-35-0x00000000002B0000-0x00000000002EE000-memory.dmp	family_redline

Executes dropped EXE 5 IoCs

pid	Process
1540	sX1Dm8BD.exe
4720	dv3Yq8sG.exe
4844	as2fX5rj.exe
5096	1Kv84Cc7.exe
4088	2yi860ZD.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	dv3Yq8sG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	as2fX5rj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	cf9a62d5a117aaa03d348685a49a3a176c6dd3ef98e68cdcecaabe67cee3aab4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	sX1Dm8BD.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5096 set thread context of 4852	5096	1Kv84Cc7.exe	90

Program crash 1 IoCs

pid	pid_target	Process	procid_target
772	5096	WerFault.exe	87

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 3984 wrote to memory of 1540	3984	cf9a62d5a117aaa03d348685a49a3a176c6dd3ef98e68cdcecaabe67cee3aab4.exe	83
PID 3984 wrote to memory of 1540	3984	cf9a62d5a117aaa03d348685a49a3a176c6dd3ef98e68cdcecaabe67cee3aab4.exe	83
PID 3984 wrote to memory of 1540	3984	cf9a62d5a117aaa03d348685a49a3a176c6dd3ef98e68cdcecaabe67cee3aab4.exe	83
PID 1540 wrote to memory of 4720	1540	sX1Dm8BD.exe	84
PID 1540 wrote to memory of 4720	1540	sX1Dm8BD.exe	84
PID 1540 wrote to memory of 4720	1540	sX1Dm8BD.exe	84
PID 4720 wrote to memory of 4844	4720	dv3Yq8sG.exe	86
PID 4720 wrote to memory of 4844	4720	dv3Yq8sG.exe	86
PID 4720 wrote to memory of 4844	4720	dv3Yq8sG.exe	86
PID 4844 wrote to memory of 5096	4844	as2fX5rj.exe	87
PID 4844 wrote to memory of 5096	4844	as2fX5rj.exe	87
PID 4844 wrote to memory of 5096	4844	as2fX5rj.exe	87
PID 5096 wrote to memory of 4852	5096	1Kv84Cc7.exe	90
PID 5096 wrote to memory of 4852	5096	1Kv84Cc7.exe	90
PID 5096 wrote to memory of 4852	5096	1Kv84Cc7.exe	90
PID 5096 wrote to memory of 4852	5096	1Kv84Cc7.exe	90
PID 5096 wrote to memory of 4852	5096	1Kv84Cc7.exe	90
PID 5096 wrote to memory of 4852	5096	1Kv84Cc7.exe	90
PID 5096 wrote to memory of 4852	5096	1Kv84Cc7.exe	90
PID 5096 wrote to memory of 4852	5096	1Kv84Cc7.exe	90
PID 5096 wrote to memory of 4852	5096	1Kv84Cc7.exe	90
PID 5096 wrote to memory of 4852	5096	1Kv84Cc7.exe	90
PID 4844 wrote to memory of 4088	4844	as2fX5rj.exe	94
PID 4844 wrote to memory of 4088	4844	as2fX5rj.exe	94
PID 4844 wrote to memory of 4088	4844	as2fX5rj.exe	94

C:\Users\Admin\AppData\Local\Temp\cf9a62d5a117aaa03d348685a49a3a176c6dd3ef98e68cdcecaabe67cee3aab4.exe
"C:\Users\Admin\AppData\Local\Temp\cf9a62d5a117aaa03d348685a49a3a176c6dd3ef98e68cdcecaabe67cee3aab4.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3984
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sX1Dm8BD.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sX1Dm8BD.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1540
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dv3Yq8sG.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dv3Yq8sG.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4720
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\as2fX5rj.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\as2fX5rj.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4844
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Kv84Cc7.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Kv84Cc7.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:5096
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:4852
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5096 -s 580
        6⤵
        Program crash
        
        PID:772
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2yi860ZD.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2yi860ZD.exe
        5⤵
        Executes dropped EXE
        
        PID:4088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5096 -ip 5096
1⤵
PID:4936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sX1Dm8BD.exe

Filesize
948KB

MD5
9b916b6c903f9d4d554cb515daf8cc9f

SHA1
35cf9344416aece5b70ecc2ee9659542af87d74f

SHA256
c2955ee84390349793d06ace28dd83dcce930e1b49a4242829ebdb48d2a4a62f

SHA512
9ad2bcf0223a2c01ce062af17b82a98f104e3f628064dcb6c8f574343f28b405d8bc8d964114654d36f33e52805f8f7b1a25ce2d676f9c8deb8a0297c6cf815d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dv3Yq8sG.exe

Filesize
646KB

MD5
43a9f86ca551a47559dd3824a3ddf0a6

SHA1
8d249a225fa1d92a2aea5aab08aad766cf527ee0

SHA256
0ee9adc5aff470d9f2640eb1aeae485b199a86082142b2059462262fbfc47eff

SHA512
8d71c7d8b9a393e26cec37438101d82a6a907f713eeb2ac81d15046bd65b0a20535f417cdc782427f8ad8c045223dbf7ad1b12118f8368a89fcbfb9402a00a12

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\as2fX5rj.exe

Filesize
450KB

MD5
e24ec14773ea9acf68c0c1367c48f75e

SHA1
135c3591aac893c52633424e556612dfa5d97b69

SHA256
7ca06755cbf43f91394fbf3d8b6e7991b6f73d00366dc25584928cbcd033366c

SHA512
ed26c6c6b189fd93311729e32bdc3455688bce9df7d51e7d30d30884b0ffd406b39095521feb2f295dfb28908228955193717a9e007921aaf4ffe5aa7224d499

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Kv84Cc7.exe

Filesize
447KB

MD5
d82d3103faaf8ba7c351502eefafd6b2

SHA1
157b9de74d76e1f86a9d30e2d1eb9412160531ff

SHA256
09d06e5064a12cc03f68fd9e0037a251a303066d987641c9132b83c9176f210e

SHA512
78a8da94c96f764d6ae82754e3b3676981751f5414cb7487d384d40707df3e536dbf74d7d26ba8f3e50eae624b05c13491dfd28e8be2f5f8bb72b1c5bb713866

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2yi860ZD.exe

Filesize
221KB

MD5
eca12c453aa37b180b6dcf478445b6d7

SHA1
297aba3501bd52c2487a15270ab72f49632e18e2

SHA256
d4cd571df85b3b6fb3a19f00ebde7009b379280547b0fbfc2eca0bbecdddb85a

SHA512
3e45da26a5733afcd9d5e303c4464a42c42652360c543967a9f0b196680c86daeaadb5dba2d9cf0f4d2e5db813addcf0b76ab936df6d936e0cb39f3ddebb3d75

Download Submit
memory/4088-39-0x00000000081D0000-0x00000000087E8000-memory.dmp

Filesize
6.1MB

Download
memory/4088-35-0x00000000002B0000-0x00000000002EE000-memory.dmp

Filesize
248KB

Download
memory/4088-36-0x0000000007600000-0x0000000007BA4000-memory.dmp

Filesize
5.6MB

Download
memory/4088-37-0x00000000070F0000-0x0000000007182000-memory.dmp

Filesize
584KB

Download
memory/4088-38-0x0000000002660000-0x000000000266A000-memory.dmp

Filesize
40KB

Download
memory/4088-40-0x00000000073A0000-0x00000000074AA000-memory.dmp

Filesize
1.0MB

Download
memory/4088-41-0x00000000070C0000-0x00000000070D2000-memory.dmp

Filesize
72KB

Download
memory/4088-42-0x00000000072D0000-0x000000000730C000-memory.dmp

Filesize
240KB

Download
memory/4088-43-0x0000000007310000-0x000000000735C000-memory.dmp

Filesize
304KB

Download
memory/4852-29-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4852-31-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4852-28-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads