mystic | bd5cb5ed04f67f5a6f2f5411e9ad5c457c0c3e3bf3a38e4996624bdfba01d98d

Analysis

max time kernel
143s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 07:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ca2534058cb45fd1c3c81407733fc01f8031c3b4f9d15b4210c762c631de25e4.exe
Size

840KB
MD5

06a78e3337e83b49d1e9dc5681174893
SHA1

24a81377502011be71396b292bff433e7494d26a
SHA256

ca2534058cb45fd1c3c81407733fc01f8031c3b4f9d15b4210c762c631de25e4
SHA512

11bf89fe44bf599e600ba8cf3769124f6907855eb8e1d09752e2462379d273bb1ba4e3d674a1db48cde3ffb268afe87d2fc6d34d4a3f24849c401ccc9258204e
SSDEEP

12288:EMrTy900DY29HfxRQe2yX84pcbj/I8ScC7CtYhUodFgUdmsJ/0j0YlL3I8B44:fy7Y0HfTQe2yoQpGtwngzIO0YlLD

Score

10^/10

mystic redline ramos infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

ramos

77.91.124.82:19071

Attributes

auth_value
42c0ec91d63648bb7119ab787aa3fb94

Signatures

Detect Mystic stealer payload 4 IoCs

Processes:

resource	yara_rule
behavioral16/memory/3268-21-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral16/memory/3268-25-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral16/memory/3268-22-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral16/memory/3268-23-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h1084948.exe	family_redline
behavioral16/memory/2332-29-0x00000000009C0000-0x00000000009F0000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

Processes:

x6608415.exex9182281.exeg8210553.exeh1084948.exe

pid process

2700 x6608415.exe
3052 x9182281.exe
5000 g8210553.exe
2332 h1084948.exe

pid	process
2700	x6608415.exe
3052	x9182281.exe
5000	g8210553.exe
2332	h1084948.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

x6608415.exex9182281.execa2534058cb45fd1c3c81407733fc01f8031c3b4f9d15b4210c762c631de25e4.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x6608415.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x9182281.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ca2534058cb45fd1c3c81407733fc01f8031c3b4f9d15b4210c762c631de25e4.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

g8210553.exe

description pid process target process

PID 5000 set thread context of 3268 5000 g8210553.exe AppLaunch.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1072 5000 WerFault.exe g8210553.exe

description	pid	process	target process
PID 5000 set thread context of 3268	5000	g8210553.exe	AppLaunch.exe

pid	pid_target	process	target process
1072	5000	WerFault.exe	g8210553.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

ca2534058cb45fd1c3c81407733fc01f8031c3b4f9d15b4210c762c631de25e4.exex6608415.exex9182281.exeg8210553.exe

description	pid	process	target process
PID 3468 wrote to memory of 2700	3468	ca2534058cb45fd1c3c81407733fc01f8031c3b4f9d15b4210c762c631de25e4.exe	x6608415.exe
PID 3468 wrote to memory of 2700	3468	ca2534058cb45fd1c3c81407733fc01f8031c3b4f9d15b4210c762c631de25e4.exe	x6608415.exe
PID 3468 wrote to memory of 2700	3468	ca2534058cb45fd1c3c81407733fc01f8031c3b4f9d15b4210c762c631de25e4.exe	x6608415.exe
PID 2700 wrote to memory of 3052	2700	x6608415.exe	x9182281.exe
PID 2700 wrote to memory of 3052	2700	x6608415.exe	x9182281.exe
PID 2700 wrote to memory of 3052	2700	x6608415.exe	x9182281.exe
PID 3052 wrote to memory of 5000	3052	x9182281.exe	g8210553.exe
PID 3052 wrote to memory of 5000	3052	x9182281.exe	g8210553.exe
PID 3052 wrote to memory of 5000	3052	x9182281.exe	g8210553.exe
PID 5000 wrote to memory of 3268	5000	g8210553.exe	AppLaunch.exe
PID 5000 wrote to memory of 3268	5000	g8210553.exe	AppLaunch.exe
PID 5000 wrote to memory of 3268	5000	g8210553.exe	AppLaunch.exe
PID 5000 wrote to memory of 3268	5000	g8210553.exe	AppLaunch.exe
PID 5000 wrote to memory of 3268	5000	g8210553.exe	AppLaunch.exe
PID 5000 wrote to memory of 3268	5000	g8210553.exe	AppLaunch.exe
PID 5000 wrote to memory of 3268	5000	g8210553.exe	AppLaunch.exe
PID 5000 wrote to memory of 3268	5000	g8210553.exe	AppLaunch.exe
PID 5000 wrote to memory of 3268	5000	g8210553.exe	AppLaunch.exe
PID 5000 wrote to memory of 3268	5000	g8210553.exe	AppLaunch.exe
PID 3052 wrote to memory of 2332	3052	x9182281.exe	h1084948.exe
PID 3052 wrote to memory of 2332	3052	x9182281.exe	h1084948.exe
PID 3052 wrote to memory of 2332	3052	x9182281.exe	h1084948.exe

C:\Users\Admin\AppData\Local\Temp\ca2534058cb45fd1c3c81407733fc01f8031c3b4f9d15b4210c762c631de25e4.exe
"C:\Users\Admin\AppData\Local\Temp\ca2534058cb45fd1c3c81407733fc01f8031c3b4f9d15b4210c762c631de25e4.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3468

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6608415.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6608415.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2700

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9182281.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9182281.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3052

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g8210553.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g8210553.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5000

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
5⤵
PID:3268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5000 -s 592
5⤵
- Program crash
PID:1072

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h1084948.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h1084948.exe
4⤵
- Executes dropped EXE
PID:2332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 5000 -ip 5000
1⤵
PID:1968

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6608415.exe
Filesize
562KB

MD5
e8528ed973e45c37d910684251edb70c

SHA1
ab14d3835a1f7c31419ad6318f52c461b16e40ec

SHA256
5994389d5adc01e859c3e68f56c14bab184c0a9a375d608e0866bba659aa526c

SHA512
6c5a28daeb82a3ad87d7a94a20316cd75dcb58c07a96ea3589700e7c9ef6a580a85c612f9af25b3973313b93bfc295f0d78b1d51e08f42ba730093a3b9b14d29

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9182281.exe
Filesize
396KB

MD5
7f0ddf8970b4e1ad9b1165200fb01d28

SHA1
161551e3a49ca2bbae478ed47f00ce7a8c3f01ba

SHA256
f59b1752bd8cdcbdf5b21b84b12a33f399710db9cf5c9a1b76bfafdd7849ceb9

SHA512
d6bcc929a8905b66c86a8949406fa36deeda0d6e9db0ec23bae4c1faecfb9e1d3be3af6d72db95408849d77fe9d9de7aedfb244432b763f6580fcd8c8d8cf086

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g8210553.exe
Filesize
379KB

MD5
ba53e3c438f8324e5bf821e54e7d67d4

SHA1
1fe6638772007e95a7fa06ce7423d8ba7dad2748

SHA256
4b448b31946f8a0f46f3a998573bda4b98541f5df3cf8a42124a342c0324790c

SHA512
fd559852078097b84134e084dadb719b56f86e0fd26a3a39efc4d879efcaf6fba3e38e7404c0fb3dfed8a14aa0facd209f389f1bc2de99eb2f554cddbd71c4f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h1084948.exe
Filesize
174KB

MD5
e07a85ae578665db5433373012fc6ac9

SHA1
10f45e361c82e810c190163f06e2cbd4bc74bd25

SHA256
65e74a7be27b401cb7cf179bef967ec17f0793de12ecd9cba01f00c2ddd83a5f

SHA512
e8c796a908904b7e62aa0df79a5f70f2e2e66e71998eb23f98cadc9ba95d57607c6cf8e05bee9352ef934929acd88be27a2baf10439240fd3f9a0a0f598066d2

Download Submit
memory/2332-32-0x000000000A830000-0x000000000A93A000-memory.dmp

Filesize
1.0MB

Download
memory/2332-35-0x0000000002B70000-0x0000000002BBC000-memory.dmp

Filesize
304KB

Download
memory/2332-34-0x000000000A7D0000-0x000000000A80C000-memory.dmp

Filesize
240KB

Download
memory/2332-33-0x000000000A770000-0x000000000A782000-memory.dmp

Filesize
72KB

Download
memory/2332-29-0x00000000009C0000-0x00000000009F0000-memory.dmp

Filesize
192KB

Download
memory/2332-30-0x00000000051E0000-0x00000000051E6000-memory.dmp

Filesize
24KB

Download
memory/2332-31-0x000000000ACD0000-0x000000000B2E8000-memory.dmp

Filesize
6.1MB

Download
memory/3268-21-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3268-23-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3268-22-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3268-25-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download