mystic | bd5cb5ed04f67f5a6f2f5411e9ad5c457c0c3e3bf3a38e4996624bdfba01d98d

Analysis

max time kernel
143s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24/05/2024, 07:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ca2534058cb45fd1c3c81407733fc01f8031c3b4f9d15b4210c762c631de25e4.exe
Size

840KB
MD5

06a78e3337e83b49d1e9dc5681174893
SHA1

24a81377502011be71396b292bff433e7494d26a
SHA256

ca2534058cb45fd1c3c81407733fc01f8031c3b4f9d15b4210c762c631de25e4
SHA512

11bf89fe44bf599e600ba8cf3769124f6907855eb8e1d09752e2462379d273bb1ba4e3d674a1db48cde3ffb268afe87d2fc6d34d4a3f24849c401ccc9258204e
SSDEEP

12288:EMrTy900DY29HfxRQe2yX84pcbj/I8ScC7CtYhUodFgUdmsJ/0j0YlL3I8B44:fy7Y0HfTQe2yoQpGtwngzIO0YlLD

Score

10^/10

mystic redline ramos infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

ramos

77.91.124.82:19071

Attributes

auth_value
42c0ec91d63648bb7119ab787aa3fb94

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral16/memory/3268-21-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral16/memory/3268-25-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral16/memory/3268-22-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral16/memory/3268-23-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral16/files/0x0007000000023411-27.dat	family_redline
behavioral16/memory/2332-29-0x00000000009C0000-0x00000000009F0000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

pid	Process
2700	x6608415.exe
3052	x9182281.exe
5000	g8210553.exe
2332	h1084948.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x6608415.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x9182281.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ca2534058cb45fd1c3c81407733fc01f8031c3b4f9d15b4210c762c631de25e4.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5000 set thread context of 3268	5000	g8210553.exe	87

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1072	5000	WerFault.exe	86

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 3468 wrote to memory of 2700	3468	ca2534058cb45fd1c3c81407733fc01f8031c3b4f9d15b4210c762c631de25e4.exe	84
PID 3468 wrote to memory of 2700	3468	ca2534058cb45fd1c3c81407733fc01f8031c3b4f9d15b4210c762c631de25e4.exe	84
PID 3468 wrote to memory of 2700	3468	ca2534058cb45fd1c3c81407733fc01f8031c3b4f9d15b4210c762c631de25e4.exe	84
PID 2700 wrote to memory of 3052	2700	x6608415.exe	85
PID 2700 wrote to memory of 3052	2700	x6608415.exe	85
PID 2700 wrote to memory of 3052	2700	x6608415.exe	85
PID 3052 wrote to memory of 5000	3052	x9182281.exe	86
PID 3052 wrote to memory of 5000	3052	x9182281.exe	86
PID 3052 wrote to memory of 5000	3052	x9182281.exe	86
PID 5000 wrote to memory of 3268	5000	g8210553.exe	87
PID 5000 wrote to memory of 3268	5000	g8210553.exe	87
PID 5000 wrote to memory of 3268	5000	g8210553.exe	87
PID 5000 wrote to memory of 3268	5000	g8210553.exe	87
PID 5000 wrote to memory of 3268	5000	g8210553.exe	87
PID 5000 wrote to memory of 3268	5000	g8210553.exe	87
PID 5000 wrote to memory of 3268	5000	g8210553.exe	87
PID 5000 wrote to memory of 3268	5000	g8210553.exe	87
PID 5000 wrote to memory of 3268	5000	g8210553.exe	87
PID 5000 wrote to memory of 3268	5000	g8210553.exe	87
PID 3052 wrote to memory of 2332	3052	x9182281.exe	91
PID 3052 wrote to memory of 2332	3052	x9182281.exe	91
PID 3052 wrote to memory of 2332	3052	x9182281.exe	91

C:\Users\Admin\AppData\Local\Temp\ca2534058cb45fd1c3c81407733fc01f8031c3b4f9d15b4210c762c631de25e4.exe
"C:\Users\Admin\AppData\Local\Temp\ca2534058cb45fd1c3c81407733fc01f8031c3b4f9d15b4210c762c631de25e4.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3468
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6608415.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6608415.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2700
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9182281.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9182281.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3052
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g8210553.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g8210553.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:5000
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        
        PID:3268
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5000 -s 592
        5⤵
        Program crash
        
        PID:1072
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h1084948.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h1084948.exe
      4⤵
      Executes dropped EXE
      PID:2332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 5000 -ip 5000
1⤵
PID:1968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6608415.exe

Filesize
562KB

MD5
e8528ed973e45c37d910684251edb70c

SHA1
ab14d3835a1f7c31419ad6318f52c461b16e40ec

SHA256
5994389d5adc01e859c3e68f56c14bab184c0a9a375d608e0866bba659aa526c

SHA512
6c5a28daeb82a3ad87d7a94a20316cd75dcb58c07a96ea3589700e7c9ef6a580a85c612f9af25b3973313b93bfc295f0d78b1d51e08f42ba730093a3b9b14d29

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9182281.exe

Filesize
396KB

MD5
7f0ddf8970b4e1ad9b1165200fb01d28

SHA1
161551e3a49ca2bbae478ed47f00ce7a8c3f01ba

SHA256
f59b1752bd8cdcbdf5b21b84b12a33f399710db9cf5c9a1b76bfafdd7849ceb9

SHA512
d6bcc929a8905b66c86a8949406fa36deeda0d6e9db0ec23bae4c1faecfb9e1d3be3af6d72db95408849d77fe9d9de7aedfb244432b763f6580fcd8c8d8cf086

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g8210553.exe

Filesize
379KB

MD5
ba53e3c438f8324e5bf821e54e7d67d4

SHA1
1fe6638772007e95a7fa06ce7423d8ba7dad2748

SHA256
4b448b31946f8a0f46f3a998573bda4b98541f5df3cf8a42124a342c0324790c

SHA512
fd559852078097b84134e084dadb719b56f86e0fd26a3a39efc4d879efcaf6fba3e38e7404c0fb3dfed8a14aa0facd209f389f1bc2de99eb2f554cddbd71c4f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h1084948.exe

Filesize
174KB

MD5
e07a85ae578665db5433373012fc6ac9

SHA1
10f45e361c82e810c190163f06e2cbd4bc74bd25

SHA256
65e74a7be27b401cb7cf179bef967ec17f0793de12ecd9cba01f00c2ddd83a5f

SHA512
e8c796a908904b7e62aa0df79a5f70f2e2e66e71998eb23f98cadc9ba95d57607c6cf8e05bee9352ef934929acd88be27a2baf10439240fd3f9a0a0f598066d2

Download Submit
memory/2332-32-0x000000000A830000-0x000000000A93A000-memory.dmp

Filesize
1.0MB

Download
memory/2332-35-0x0000000002B70000-0x0000000002BBC000-memory.dmp

Filesize
304KB

Download
memory/2332-34-0x000000000A7D0000-0x000000000A80C000-memory.dmp

Filesize
240KB

Download
memory/2332-33-0x000000000A770000-0x000000000A782000-memory.dmp

Filesize
72KB

Download
memory/2332-29-0x00000000009C0000-0x00000000009F0000-memory.dmp

Filesize
192KB

Download
memory/2332-30-0x00000000051E0000-0x00000000051E6000-memory.dmp

Filesize
24KB

Download
memory/2332-31-0x000000000ACD0000-0x000000000B2E8000-memory.dmp

Filesize
6.1MB

Download
memory/3268-21-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3268-23-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3268-22-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3268-25-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads