mystic | bd5cb5ed04f67f5a6f2f5411e9ad5c457c0c3e3bf3a38e4996624bdfba01d98d

Analysis

max time kernel
145s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24/05/2024, 07:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9c0f7f64959c0f4f98391ebbba925fb68cac09522971875cdbdf5e52983343f7.exe
Size

1.5MB
MD5

86625ad75631f83ea4cd8fa7a4b14746
SHA1

bc7fbd2f348d7b584354e3600c3b68b85aff2fd1
SHA256

9c0f7f64959c0f4f98391ebbba925fb68cac09522971875cdbdf5e52983343f7
SHA512

93f578cc3a6eee6de5d609a8216fc2a600be8ab977aab66ec16c257281f7205e46331d182665249ab5a99a80238f1dbd7aa8aad7154b0f1e47e6661404aa3502
SSDEEP

24576:NybWSXHURab0mUxblcutLA4FH0mvqFnXhbmWg9KhGxtWLqNjE3Gx:obhOcuDUmmhqWYyGjW2pUG

Score

10^/10

mystic redline kukish infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kukish

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 3 IoCs

resource	yara_rule
behavioral12/memory/4992-35-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral12/memory/4992-38-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral12/memory/4992-36-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral12/files/0x0007000000023422-40.dat	family_redline
behavioral12/memory/4164-42-0x0000000000E10000-0x0000000000E4E000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
628	fZ2kt5kZ.exe
2528	tR1zZ0Xe.exe
4692	lS8QE3qC.exe
1268	aq7HB9RZ.exe
4836	1yj08tq1.exe
4164	2bt514pE.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	9c0f7f64959c0f4f98391ebbba925fb68cac09522971875cdbdf5e52983343f7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	fZ2kt5kZ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	tR1zZ0Xe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	lS8QE3qC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	aq7HB9RZ.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4836 set thread context of 4992	4836	1yj08tq1.exe	97

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1848 wrote to memory of 628	1848	9c0f7f64959c0f4f98391ebbba925fb68cac09522971875cdbdf5e52983343f7.exe	84
PID 1848 wrote to memory of 628	1848	9c0f7f64959c0f4f98391ebbba925fb68cac09522971875cdbdf5e52983343f7.exe	84
PID 1848 wrote to memory of 628	1848	9c0f7f64959c0f4f98391ebbba925fb68cac09522971875cdbdf5e52983343f7.exe	84
PID 628 wrote to memory of 2528	628	fZ2kt5kZ.exe	85
PID 628 wrote to memory of 2528	628	fZ2kt5kZ.exe	85
PID 628 wrote to memory of 2528	628	fZ2kt5kZ.exe	85
PID 2528 wrote to memory of 4692	2528	tR1zZ0Xe.exe	86
PID 2528 wrote to memory of 4692	2528	tR1zZ0Xe.exe	86
PID 2528 wrote to memory of 4692	2528	tR1zZ0Xe.exe	86
PID 4692 wrote to memory of 1268	4692	lS8QE3qC.exe	87
PID 4692 wrote to memory of 1268	4692	lS8QE3qC.exe	87
PID 4692 wrote to memory of 1268	4692	lS8QE3qC.exe	87
PID 1268 wrote to memory of 4836	1268	aq7HB9RZ.exe	88
PID 1268 wrote to memory of 4836	1268	aq7HB9RZ.exe	88
PID 1268 wrote to memory of 4836	1268	aq7HB9RZ.exe	88
PID 4836 wrote to memory of 4992	4836	1yj08tq1.exe	97
PID 4836 wrote to memory of 4992	4836	1yj08tq1.exe	97
PID 4836 wrote to memory of 4992	4836	1yj08tq1.exe	97
PID 4836 wrote to memory of 4992	4836	1yj08tq1.exe	97
PID 4836 wrote to memory of 4992	4836	1yj08tq1.exe	97
PID 4836 wrote to memory of 4992	4836	1yj08tq1.exe	97
PID 4836 wrote to memory of 4992	4836	1yj08tq1.exe	97
PID 4836 wrote to memory of 4992	4836	1yj08tq1.exe	97
PID 4836 wrote to memory of 4992	4836	1yj08tq1.exe	97
PID 4836 wrote to memory of 4992	4836	1yj08tq1.exe	97
PID 1268 wrote to memory of 4164	1268	aq7HB9RZ.exe	98
PID 1268 wrote to memory of 4164	1268	aq7HB9RZ.exe	98
PID 1268 wrote to memory of 4164	1268	aq7HB9RZ.exe	98

C:\Users\Admin\AppData\Local\Temp\9c0f7f64959c0f4f98391ebbba925fb68cac09522971875cdbdf5e52983343f7.exe
"C:\Users\Admin\AppData\Local\Temp\9c0f7f64959c0f4f98391ebbba925fb68cac09522971875cdbdf5e52983343f7.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1848
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fZ2kt5kZ.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fZ2kt5kZ.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:628
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tR1zZ0Xe.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tR1zZ0Xe.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2528
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\lS8QE3qC.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\lS8QE3qC.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4692
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\aq7HB9RZ.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\aq7HB9RZ.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1268
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1yj08tq1.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1yj08tq1.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4836
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:4992
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2bt514pE.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2bt514pE.exe
        6⤵
        Executes dropped EXE
        
        PID:4164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fZ2kt5kZ.exe

Filesize
1.4MB

MD5
26ac9a3737d6e0ddbab4cc8e0609e93d

SHA1
f40baa44090136a3fe29802097198aef7c96852e

SHA256
42846a76665d575de3dc0b30c08c1d114d86e8038739b60f34bc4012ca3f88a0

SHA512
52004860387ffc9ffa1c2ac77bab0092e1af7075600055815c0f5b84c5e0616b7239933425fc8b8c62819bb7a5a32c27326f3d617cf816d4491c8d044fc88d0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tR1zZ0Xe.exe

Filesize
1.2MB

MD5
e8c2e01758a93140c75a1eb0ba0b2e1d

SHA1
72d94d557a93135b20dfdd1c7ff1eea95ec1978d

SHA256
62e40677bfbb7c55a8147e7e45e6319d600cc2fa522227f09f83f94c9de73763

SHA512
74ba1e32a7b50cca794cda94be70795b92b4309d2b3831693b048962119425a16a74e8c0dfa632be9d44d43bba84573fbdd84e502028e99bae333e6b379535e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\lS8QE3qC.exe

Filesize
776KB

MD5
42109ee492b42aed7f675f2dd32277aa

SHA1
5062c31fb5771e927b78a168774610253a305ee5

SHA256
3291f46bfe44e15984a5ee7726fa3cb2eb296bf69bd3d5f0cd02bbc2602b766a

SHA512
c7eb62f5fc5565d9eb18c17836409ca44ec407175950c7fe4b5d3785f8bc17507034badf45930def032a8c8c15a1427df27779c813cd3e5740dd378c7ac69c37

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\aq7HB9RZ.exe

Filesize
580KB

MD5
05b2803fa9a236af0cf2375b6a608424

SHA1
5acc92d45d83b459f30c96a0b2a0acb651b2a97a

SHA256
69f32b734666bb3c9cb10f0e2852a098a4f371745742166323428a8c6f83aad8

SHA512
608a82a4b8576c18c9b6dee453b59dd94bd40bdbdaac8ca573d464267053c545a2320a1de0d826f1db9d538b362cc320de034dc998d7b5341ee299075d4e2479

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1yj08tq1.exe

Filesize
1.1MB

MD5
a1c1c44e837edbc2d55d33ba9620a109

SHA1
0ba4e08d7b6f17f968d1f7cad75d0a3885bae998

SHA256
4160c00350706d7630b0a8bfb47722e7ec956858ab07d5adc9345e37ccb751e5

SHA512
75267e9d0652e006107506457c5253fe701149888ad977d95f52d215410b18e3b145c8779ae389b718f090c5aa41d614e45deb38a96852a07a299a5b075c02bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2bt514pE.exe

Filesize
222KB

MD5
6bdd3fefb28f8d707b7b443572e3dad2

SHA1
10a4adc48f13aee4a864347a2112cb6ae65a8162

SHA256
688079516c1fd6e9c307cfd1fe9f928503e4e9ee593ee3a602c65d2395f120c0

SHA512
e7294bb3f6b431827e40315d47b1836cb9ea6df977b16ac402328c8b94f35ee67a2ff9b84d67fcda172ea3bb0ff262c795e83a039d338dba5c729855047de5e0

Download Submit
memory/4164-42-0x0000000000E10000-0x0000000000E4E000-memory.dmp

Filesize
248KB

Download
memory/4164-43-0x0000000008110000-0x00000000086B4000-memory.dmp

Filesize
5.6MB

Download
memory/4164-44-0x0000000007C00000-0x0000000007C92000-memory.dmp

Filesize
584KB

Download
memory/4164-45-0x0000000003020000-0x000000000302A000-memory.dmp

Filesize
40KB

Download
memory/4164-46-0x0000000008CE0000-0x00000000092F8000-memory.dmp

Filesize
6.1MB

Download
memory/4164-47-0x0000000007F30000-0x000000000803A000-memory.dmp

Filesize
1.0MB

Download
memory/4164-48-0x0000000007DC0000-0x0000000007DD2000-memory.dmp

Filesize
72KB

Download
memory/4164-49-0x0000000007E60000-0x0000000007E9C000-memory.dmp

Filesize
240KB

Download
memory/4164-50-0x0000000007EA0000-0x0000000007EEC000-memory.dmp

Filesize
304KB

Download
memory/4992-38-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4992-36-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4992-35-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads