mystic | bd5cb5ed04f67f5a6f2f5411e9ad5c457c0c3e3bf3a38e4996624bdfba01d98d

Analysis

max time kernel
145s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24/05/2024, 07:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c8e229c27623b0e1055a59f9b684a98468f33e92a47da3dcf5b041f74d4eca39.exe
Size

1.5MB
MD5

19f3cbb17138af08c5bd91e3aab324c4
SHA1

f15720768ade102439f446c8d624b4149b603df4
SHA256

c8e229c27623b0e1055a59f9b684a98468f33e92a47da3dcf5b041f74d4eca39
SHA512

1b8acfb018f9bda540ce0ec607a696925fe6578a1c140e13245a74c7217b006cb730c98caa48e0f212a696c5e6693a8ef0ff8090d2960758997c02c6c4083110
SSDEEP

49152:NZ7COdsQvIpUub/r2ypC7hex41knzA1GPL:fCQTkUub/ylhex41kMEPL

Score

10^/10

mystic redline kukish infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kukish

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 3 IoCs

resource	yara_rule
behavioral15/memory/5108-35-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral15/memory/5108-41-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral15/memory/5108-39-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral15/files/0x00070000000235fd-37.dat	family_redline
behavioral15/memory/1388-42-0x0000000000320000-0x000000000035E000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
1108	YH3Kn4eu.exe
3188	cc4oF3zs.exe
4488	FI7Kg0Oa.exe
2748	ZA3It0yV.exe
2184	1kx31MM6.exe
1388	2nv850rJ.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	c8e229c27623b0e1055a59f9b684a98468f33e92a47da3dcf5b041f74d4eca39.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	YH3Kn4eu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	cc4oF3zs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	FI7Kg0Oa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	ZA3It0yV.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2184 set thread context of 5108	2184	1kx31MM6.exe	99

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2924 wrote to memory of 1108	2924	c8e229c27623b0e1055a59f9b684a98468f33e92a47da3dcf5b041f74d4eca39.exe	91
PID 2924 wrote to memory of 1108	2924	c8e229c27623b0e1055a59f9b684a98468f33e92a47da3dcf5b041f74d4eca39.exe	91
PID 2924 wrote to memory of 1108	2924	c8e229c27623b0e1055a59f9b684a98468f33e92a47da3dcf5b041f74d4eca39.exe	91
PID 1108 wrote to memory of 3188	1108	YH3Kn4eu.exe	92
PID 1108 wrote to memory of 3188	1108	YH3Kn4eu.exe	92
PID 1108 wrote to memory of 3188	1108	YH3Kn4eu.exe	92
PID 3188 wrote to memory of 4488	3188	cc4oF3zs.exe	93
PID 3188 wrote to memory of 4488	3188	cc4oF3zs.exe	93
PID 3188 wrote to memory of 4488	3188	cc4oF3zs.exe	93
PID 4488 wrote to memory of 2748	4488	FI7Kg0Oa.exe	94
PID 4488 wrote to memory of 2748	4488	FI7Kg0Oa.exe	94
PID 4488 wrote to memory of 2748	4488	FI7Kg0Oa.exe	94
PID 2748 wrote to memory of 2184	2748	ZA3It0yV.exe	95
PID 2748 wrote to memory of 2184	2748	ZA3It0yV.exe	95
PID 2748 wrote to memory of 2184	2748	ZA3It0yV.exe	95
PID 2184 wrote to memory of 5108	2184	1kx31MM6.exe	99
PID 2184 wrote to memory of 5108	2184	1kx31MM6.exe	99
PID 2184 wrote to memory of 5108	2184	1kx31MM6.exe	99
PID 2184 wrote to memory of 5108	2184	1kx31MM6.exe	99
PID 2184 wrote to memory of 5108	2184	1kx31MM6.exe	99
PID 2184 wrote to memory of 5108	2184	1kx31MM6.exe	99
PID 2184 wrote to memory of 5108	2184	1kx31MM6.exe	99
PID 2184 wrote to memory of 5108	2184	1kx31MM6.exe	99
PID 2184 wrote to memory of 5108	2184	1kx31MM6.exe	99
PID 2184 wrote to memory of 5108	2184	1kx31MM6.exe	99
PID 2748 wrote to memory of 1388	2748	ZA3It0yV.exe	100
PID 2748 wrote to memory of 1388	2748	ZA3It0yV.exe	100
PID 2748 wrote to memory of 1388	2748	ZA3It0yV.exe	100

C:\Users\Admin\AppData\Local\Temp\c8e229c27623b0e1055a59f9b684a98468f33e92a47da3dcf5b041f74d4eca39.exe
"C:\Users\Admin\AppData\Local\Temp\c8e229c27623b0e1055a59f9b684a98468f33e92a47da3dcf5b041f74d4eca39.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2924
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\YH3Kn4eu.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\YH3Kn4eu.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1108
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cc4oF3zs.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cc4oF3zs.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3188
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\FI7Kg0Oa.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\FI7Kg0Oa.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4488
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ZA3It0yV.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ZA3It0yV.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2748
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1kx31MM6.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1kx31MM6.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2184
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:5108
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2nv850rJ.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2nv850rJ.exe
        6⤵
        Executes dropped EXE
        
        PID:1388

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4036,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=1320 /prefetch:8
1⤵
PID:4076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\YH3Kn4eu.exe

Filesize
1.4MB

MD5
023031815bd41c9887fb2972897ee8bb

SHA1
829e86161ed9c4582abd5130303a7a8694a56282

SHA256
e073c052d017217f91903bbe0905c7a571e50f51d85b3733d752350167f681e0

SHA512
8e861d7760dbb3b1f700f538ad3e634936eae38b2547205481d853c8bb0796563c5a13eb46d6c4edca365c339f5f365cc9c5f7f5bc30ab859bb6b125deed7a65

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cc4oF3zs.exe

Filesize
1.2MB

MD5
11013a4152620e19a3b1dbaed0cc30d6

SHA1
f8dc17534a895895e961af934433026232c47533

SHA256
444e1303b6d9a92f39333f57cc48d72a2d60a3bed32498073922cf5f7b5b4a23

SHA512
8024fdd705a9db92e11e6f83732ce17558e48a8cb13066021a38718176783423780a9d7731c79838d5eb1ac74ccc9e67606153f28bda391da1260d601f8a67f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\FI7Kg0Oa.exe

Filesize
782KB

MD5
2ce9892f0d934996615d85d0eebe155c

SHA1
1330ce30c0b3ba2b4531a4e9b2caded2521aaecd

SHA256
6df2b523440b497e862f1ecff54c808a6cfc6d6207a1819cdfc8f174d9bd3a75

SHA512
a412696e6a8a50932965f612b62392596838398f24268c2002273aab5ea5fc07b21fe4205bda3d11710b48d220244d342d5f00a02a94a3f497c1cc9ed5f3e010

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ZA3It0yV.exe

Filesize
581KB

MD5
2227fe0e2df1f818f66bb77905d01142

SHA1
29f80223798368c466298c973a082f0e8110afd4

SHA256
4438bcadb8d101c0cd0ab0f2120a6737a311390ac24bac5580d08f040eb87cce

SHA512
824115df35a50a44c3d1bfaa39e8ed557d35f8370b52e1bce4159055c211a85fb75189ffeeb725170f12fa4d33fc6e4e86b06185b0e8bf66c4feb63a29d73cc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1kx31MM6.exe

Filesize
1.1MB

MD5
6ef68ec5b2d91cbc9c66fa0553e527ec

SHA1
8d8ab02a5f2433cf12ba62336e4d774f2bbf21d2

SHA256
8ffa8c6bcf0b38b229ac57e8a8eacfad2d27bd2b6ec971af827609bfb919495f

SHA512
1a02ccdf3d1be279169bc25eb2a4452be337389b78050811ea4367ca624d5d169c7c7e157a73fe3be13378412e8d94606f41c157b5892cc76c4344ee85d204a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2nv850rJ.exe

Filesize
222KB

MD5
ce4ef7c328d32aa5041adc1659b899da

SHA1
7be450a4fc1c3dbf9fcf4a857e46c9f29f82bf97

SHA256
cc87db02c7c03ce5a30a3fc303c780a6f3f0f04511b114bd78c7d3b888d03ba0

SHA512
57410ac81f54286fb7cdc664195ba51e0ff39e8d8b30d9928b28479b5f839ea56439a9e179b045d6fbf26565b3d69c02815f8c56b9c3cce2396a53e612008835

Download Submit
memory/1388-45-0x0000000004740000-0x000000000474A000-memory.dmp

Filesize
40KB

Download
memory/1388-42-0x0000000000320000-0x000000000035E000-memory.dmp

Filesize
248KB

Download
memory/1388-43-0x0000000007680000-0x0000000007C24000-memory.dmp

Filesize
5.6MB

Download
memory/1388-44-0x0000000007170000-0x0000000007202000-memory.dmp

Filesize
584KB

Download
memory/1388-46-0x0000000008250000-0x0000000008868000-memory.dmp

Filesize
6.1MB

Download
memory/1388-47-0x0000000007410000-0x000000000751A000-memory.dmp

Filesize
1.0MB

Download
memory/1388-48-0x0000000007150000-0x0000000007162000-memory.dmp

Filesize
72KB

Download
memory/1388-49-0x0000000007340000-0x000000000737C000-memory.dmp

Filesize
240KB

Download
memory/1388-50-0x0000000007380000-0x00000000073CC000-memory.dmp

Filesize
304KB

Download
memory/5108-41-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5108-39-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5108-35-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads