mystic | eafc2bfbeaeddb89f86da75f29f14435b745b919f0b99dd1d0d30b9d33efb415

Analysis

max time kernel
147s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 07:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

92903f5aac10e31279ef8ae844a86a677e02e1799ba17380867ee77d55b31433.exe
Size

928KB
MD5

6de73278543ec875906fb3c292e51098
SHA1

3b9acda7cde3eebd35aaa0cd287a79f13edcce61
SHA256

92903f5aac10e31279ef8ae844a86a677e02e1799ba17380867ee77d55b31433
SHA512

81a541a41f9e96eb19a645e6e16d8c2dd80532d7186ba4aff04a6f5e1e38096ad4a6bcecf487a76dd922b708d8732ef0725f915b6d7f1b95cf1b8003314f761c
SSDEEP

24576:4yNx/u/e4828PhjEs++YqQ/q3GC6h38y7YdgecwmbDwuu:/Nx/Ee485Q66h3tYdge+D

Score

10^/10

mystic redline kendo infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kendo

77.91.124.82:19071

Attributes

auth_value
5a22a881561d49941415902859b51f14

Signatures

Detect Mystic stealer payload 3 IoCs

Processes:

resource	yara_rule
behavioral12/memory/2072-28-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral12/memory/2072-31-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral12/memory/2072-29-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h1715863.exe	family_redline
behavioral12/memory/552-35-0x0000000000120000-0x0000000000150000-memory.dmp	family_redline

Executes dropped EXE 5 IoCs

Processes:

x3693943.exex1381890.exex2549134.exeg1410282.exeh1715863.exe

pid process

2168 x3693943.exe
4424 x1381890.exe
692 x2549134.exe
2480 g1410282.exe
552 h1715863.exe

pid	process
2168	x3693943.exe
4424	x1381890.exe
692	x2549134.exe
2480	g1410282.exe
552	h1715863.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

92903f5aac10e31279ef8ae844a86a677e02e1799ba17380867ee77d55b31433.exex3693943.exex1381890.exex2549134.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	92903f5aac10e31279ef8ae844a86a677e02e1799ba17380867ee77d55b31433.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x3693943.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x1381890.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x2549134.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

g1410282.exe

description pid process target process

PID 2480 set thread context of 2072 2480 g1410282.exe AppLaunch.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2108 2480 WerFault.exe g1410282.exe

description	pid	process	target process
PID 2480 set thread context of 2072	2480	g1410282.exe	AppLaunch.exe

pid	pid_target	process	target process
2108	2480	WerFault.exe	g1410282.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

92903f5aac10e31279ef8ae844a86a677e02e1799ba17380867ee77d55b31433.exex3693943.exex1381890.exex2549134.exeg1410282.exe

description	pid	process	target process
PID 208 wrote to memory of 2168	208	92903f5aac10e31279ef8ae844a86a677e02e1799ba17380867ee77d55b31433.exe	x3693943.exe
PID 208 wrote to memory of 2168	208	92903f5aac10e31279ef8ae844a86a677e02e1799ba17380867ee77d55b31433.exe	x3693943.exe
PID 208 wrote to memory of 2168	208	92903f5aac10e31279ef8ae844a86a677e02e1799ba17380867ee77d55b31433.exe	x3693943.exe
PID 2168 wrote to memory of 4424	2168	x3693943.exe	x1381890.exe
PID 2168 wrote to memory of 4424	2168	x3693943.exe	x1381890.exe
PID 2168 wrote to memory of 4424	2168	x3693943.exe	x1381890.exe
PID 4424 wrote to memory of 692	4424	x1381890.exe	x2549134.exe
PID 4424 wrote to memory of 692	4424	x1381890.exe	x2549134.exe
PID 4424 wrote to memory of 692	4424	x1381890.exe	x2549134.exe
PID 692 wrote to memory of 2480	692	x2549134.exe	g1410282.exe
PID 692 wrote to memory of 2480	692	x2549134.exe	g1410282.exe
PID 692 wrote to memory of 2480	692	x2549134.exe	g1410282.exe
PID 2480 wrote to memory of 2072	2480	g1410282.exe	AppLaunch.exe
PID 2480 wrote to memory of 2072	2480	g1410282.exe	AppLaunch.exe
PID 2480 wrote to memory of 2072	2480	g1410282.exe	AppLaunch.exe
PID 2480 wrote to memory of 2072	2480	g1410282.exe	AppLaunch.exe
PID 2480 wrote to memory of 2072	2480	g1410282.exe	AppLaunch.exe
PID 2480 wrote to memory of 2072	2480	g1410282.exe	AppLaunch.exe
PID 2480 wrote to memory of 2072	2480	g1410282.exe	AppLaunch.exe
PID 2480 wrote to memory of 2072	2480	g1410282.exe	AppLaunch.exe
PID 2480 wrote to memory of 2072	2480	g1410282.exe	AppLaunch.exe
PID 2480 wrote to memory of 2072	2480	g1410282.exe	AppLaunch.exe
PID 692 wrote to memory of 552	692	x2549134.exe	h1715863.exe
PID 692 wrote to memory of 552	692	x2549134.exe	h1715863.exe
PID 692 wrote to memory of 552	692	x2549134.exe	h1715863.exe

C:\Users\Admin\AppData\Local\Temp\92903f5aac10e31279ef8ae844a86a677e02e1799ba17380867ee77d55b31433.exe
"C:\Users\Admin\AppData\Local\Temp\92903f5aac10e31279ef8ae844a86a677e02e1799ba17380867ee77d55b31433.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:208

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3693943.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3693943.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2168

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1381890.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1381890.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4424

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x2549134.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x2549134.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:692

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g1410282.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g1410282.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2480

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
6⤵
PID:2072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 552
6⤵
- Program crash
PID:2108

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h1715863.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h1715863.exe
5⤵
- Executes dropped EXE
PID:552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2480 -ip 2480
1⤵
PID:1020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3693943.exe

Filesize
826KB

MD5
0dd2a8e7ad60cb214f3b6e8763f0a30d

SHA1
9c5889ef6787529955445a6bfb43928702eeae3d

SHA256
f0d264c1624cd196b93c7e8197d92a7c299357d1eaab8e904608ac89ca2a4413

SHA512
477849ea9b975d63a5687c5826929b0801dc325748eca292e1adb1d2139cdbc72327902224bc304267d03f185652d5cda4b1411ec7f7a5ac4ba7fc7857c5268d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1381890.exe

Filesize
556KB

MD5
b360c5b0d85dd3c43f71ef31280bedee

SHA1
4a3158e3d8545ad613c9157eea9dabaf989c7a5e

SHA256
c625af9d3602c3f1351cc53c582a55a34d82152d5c09dbf26fb5ab56f1462894

SHA512
3368b9c0a3d4ad5acf6740685c1d12c1f7053307bb1d6a004c5560318cb8db267bc646cedd5bedac1114e6c3b8050a7004af2bf58017b37b428ac09b82b1a719

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x2549134.exe

Filesize
390KB

MD5
9614acc46b0349449d23fec12ae4651a

SHA1
83a4d958cccc42066d5ae9a27160259261bb6447

SHA256
67848020e95907888ca3b235c79ce5f31c34882a9cdfef5ac4c5118162f33b08

SHA512
c1e764b98faf44af0200f2662017a4222f63d978834cdc4da3c7f713e83c59ef620e6e223e0a764018e6a278f74d18fbac72ef007c87a8304be933e4a4a9adda

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g1410282.exe

Filesize
364KB

MD5
3eb8082924edae8bbbd92a02dc697906

SHA1
a8cce836499c9f8e6227166e7bfe10d0c3f668b1

SHA256
49fb355f83fde75d493ace0636630bb12ba5ae02c1641fba410281fba78af9d2

SHA512
ba7e92de40898df20e510e09a44a1785a661e4d448032b4703639989ab27a6ed77e751aaf9a833c13b673f6a744ce4ac3c16226a37e2f4d5ff43648c31293053

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h1715863.exe

Filesize
174KB

MD5
d33815ad108006cddcc9d75c8b3a0158

SHA1
86019f7d33d15d093b75cb5f930351cf2d85ff84

SHA256
79ef9c50ae8fe912a351f9210028468af66b6eb6a9ee2bda42e67e450f55dba5

SHA512
5d5cc43aa6cc41ab5e0bfe7baeecf9282711b83078b9a5248272af86753b04eb45c5395eac417f76a4f28d24d7000bb6b32356d600d700b0922864b47f54bd58

Download Submit
memory/552-36-0x0000000000920000-0x0000000000926000-memory.dmp

Filesize
24KB

Download
memory/552-35-0x0000000000120000-0x0000000000150000-memory.dmp

Filesize
192KB

Download
memory/552-37-0x000000000A420000-0x000000000AA38000-memory.dmp

Filesize
6.1MB

Download
memory/552-38-0x0000000009F90000-0x000000000A09A000-memory.dmp

Filesize
1.0MB

Download
memory/552-39-0x0000000009ED0000-0x0000000009EE2000-memory.dmp

Filesize
72KB

Download
memory/552-40-0x0000000009F30000-0x0000000009F6C000-memory.dmp

Filesize
240KB

Download
memory/552-41-0x0000000002400000-0x000000000244C000-memory.dmp

Filesize
304KB

Download
memory/2072-29-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2072-31-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2072-28-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download