mystic | bd5cb5ed04f67f5a6f2f5411e9ad5c457c0c3e3bf3a38e4996624bdfba01d98d

Analysis

max time kernel
143s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 07:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d40527d1f87af48fe58a0377e98e5eafc8b6f2ba2f0023257f76d0c61f1096ed.exe
Size

382KB
MD5

49ab42ec06f1fb7a80cd3f814a6c04a0
SHA1

ef44e2abe916c31fcf960c7181be014043d5e1e7
SHA256

d40527d1f87af48fe58a0377e98e5eafc8b6f2ba2f0023257f76d0c61f1096ed
SHA512

04538c42df4c1643a55c5b561f56fc04e7c309e98a72e72acd2c01ded7fd42b836401fd762b55b19425d25db46d2295c3373b721b4ed69467eb64f4416befbbf
SSDEEP

6144:Kzy+bnr+Pp0yN90QE6MvKlW1Qy7/1UWASQfiwf3XlqM6OKE/ln7JN:BMrny90aoei9UWhwf3Xlq1UN

Score

10^/10

mystic redline kukish infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kukish

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral19/memory/720-7-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral19/memory/720-9-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral19/memory/720-11-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral19/memory/720-8-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral19/files/0x00070000000233d3-12.dat	family_redline
behavioral19/memory/440-16-0x0000000000F90000-0x0000000000FCE000-memory.dmp	family_redline

Executes dropped EXE 2 IoCs

pid	Process
2460	1Ze74ft0.exe
440	2Wp919aV.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	d40527d1f87af48fe58a0377e98e5eafc8b6f2ba2f0023257f76d0c61f1096ed.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2460 set thread context of 720	2460	1Ze74ft0.exe	86

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4332	720	WerFault.exe	86
2284	2460	WerFault.exe	83

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 5096 wrote to memory of 2460	5096	d40527d1f87af48fe58a0377e98e5eafc8b6f2ba2f0023257f76d0c61f1096ed.exe	83
PID 5096 wrote to memory of 2460	5096	d40527d1f87af48fe58a0377e98e5eafc8b6f2ba2f0023257f76d0c61f1096ed.exe	83
PID 5096 wrote to memory of 2460	5096	d40527d1f87af48fe58a0377e98e5eafc8b6f2ba2f0023257f76d0c61f1096ed.exe	83
PID 2460 wrote to memory of 720	2460	1Ze74ft0.exe	86
PID 2460 wrote to memory of 720	2460	1Ze74ft0.exe	86
PID 2460 wrote to memory of 720	2460	1Ze74ft0.exe	86
PID 2460 wrote to memory of 720	2460	1Ze74ft0.exe	86
PID 2460 wrote to memory of 720	2460	1Ze74ft0.exe	86
PID 2460 wrote to memory of 720	2460	1Ze74ft0.exe	86
PID 2460 wrote to memory of 720	2460	1Ze74ft0.exe	86
PID 2460 wrote to memory of 720	2460	1Ze74ft0.exe	86
PID 2460 wrote to memory of 720	2460	1Ze74ft0.exe	86
PID 2460 wrote to memory of 720	2460	1Ze74ft0.exe	86
PID 5096 wrote to memory of 440	5096	d40527d1f87af48fe58a0377e98e5eafc8b6f2ba2f0023257f76d0c61f1096ed.exe	94
PID 5096 wrote to memory of 440	5096	d40527d1f87af48fe58a0377e98e5eafc8b6f2ba2f0023257f76d0c61f1096ed.exe	94
PID 5096 wrote to memory of 440	5096	d40527d1f87af48fe58a0377e98e5eafc8b6f2ba2f0023257f76d0c61f1096ed.exe	94

C:\Users\Admin\AppData\Local\Temp\d40527d1f87af48fe58a0377e98e5eafc8b6f2ba2f0023257f76d0c61f1096ed.exe
"C:\Users\Admin\AppData\Local\Temp\d40527d1f87af48fe58a0377e98e5eafc8b6f2ba2f0023257f76d0c61f1096ed.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5096
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1Ze74ft0.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1Ze74ft0.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2460
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:720
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 720 -s 540
      4⤵
      Program crash
      PID:4332
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2460 -s 140
    3⤵
    - Program crash
    PID:2284
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2Wp919aV.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2Wp919aV.exe
  2⤵
  - Executes dropped EXE
  PID:440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 720 -ip 720
1⤵
PID:1108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2460 -ip 2460
1⤵
PID:1376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1Ze74ft0.exe

Filesize
295KB

MD5
97b5afc905cd9abd3963d111c685a7bc

SHA1
a1663623f6e14213799d9a9f0e340717de645441

SHA256
f693b711ad2eb748b3f7dc01115f6de6d6d0e3333cecb1e0afecc5a5cd4b8dbc

SHA512
cca675d10957404645834b2996ea79b51a899158453194e272e11c349fa5b79c61b735bd26d159efdc16373b9d5e307f025b8830c31398706fdc95553d480059

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2Wp919aV.exe

Filesize
222KB

MD5
e62df105e2b9077cbcf158fc9795ced1

SHA1
742cc044132a05bd1142805fd0718dc7ce8cf407

SHA256
e4039e65d48913196f34a836eda42d87d9d769536c3281b455c1ec6948d48d87

SHA512
a1c3d5b9de4077576a1b576e285a5a0ec59063cec5936ccc3b0a286d154bb9b7af1611cf999db642d7535daea404b68bbee043c063909020748c98b4028d649f

Download Submit
memory/440-21-0x0000000008FF0000-0x0000000009608000-memory.dmp

Filesize
6.1MB

Download
memory/440-20-0x00000000745E0000-0x0000000074D90000-memory.dmp

Filesize
7.7MB

Download
memory/440-27-0x00000000745E0000-0x0000000074D90000-memory.dmp

Filesize
7.7MB

Download
memory/440-26-0x00000000745EE000-0x00000000745EF000-memory.dmp

Filesize
4KB

Download
memory/440-15-0x00000000745EE000-0x00000000745EF000-memory.dmp

Filesize
4KB

Download
memory/440-16-0x0000000000F90000-0x0000000000FCE000-memory.dmp

Filesize
248KB

Download
memory/440-17-0x0000000008420000-0x00000000089C4000-memory.dmp

Filesize
5.6MB

Download
memory/440-18-0x0000000007F10000-0x0000000007FA2000-memory.dmp

Filesize
584KB

Download
memory/440-19-0x0000000003460000-0x000000000346A000-memory.dmp

Filesize
40KB

Download
memory/440-25-0x00000000080B0000-0x00000000080FC000-memory.dmp

Filesize
304KB

Download
memory/440-24-0x0000000008110000-0x000000000814C000-memory.dmp

Filesize
240KB

Download
memory/440-22-0x0000000008220000-0x000000000832A000-memory.dmp

Filesize
1.0MB

Download
memory/440-23-0x0000000007EF0000-0x0000000007F02000-memory.dmp

Filesize
72KB

Download
memory/720-7-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/720-11-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/720-9-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/720-8-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads