mystic | eafc2bfbeaeddb89f86da75f29f14435b745b919f0b99dd1d0d30b9d33efb415

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24/05/2024, 07:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e79c48869da7300155b8f28e75c456d3c8b56a174d85529c97d8307a157a099a.exe
Size

1.1MB
MD5

8928e859550f225a0fa2c3727e6f551a
SHA1

a2ac88ff7cdfd0337a2df772802de116a2001344
SHA256

e79c48869da7300155b8f28e75c456d3c8b56a174d85529c97d8307a157a099a
SHA512

496746371015da58117348e6ba82f814f46a0d1fd5383ef1265abf968906f418bf09d9b3bede061ee57dd17187618a15fe21b1fd45aec12abea819163e86eedd
SSDEEP

24576:NyAHA7bV1IlZkQCi3ED34dM1gaqiANXL4sVBN3Hp0FbK4+Hg4:oxHyCiUD34n1hNXL7N3Gg

Score

10^/10

mystic redline kukish infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kukish

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 3 IoCs

resource	yara_rule
behavioral19/memory/4652-35-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral19/memory/4652-36-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral19/memory/4652-38-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral19/files/0x0007000000023444-41.dat	family_redline
behavioral19/memory/4396-42-0x0000000000FF0000-0x000000000102E000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
1056	mr6fe1Ad.exe
4556	uC5iM7zq.exe
664	RE9fs9fY.exe
1888	Sp3zD1OT.exe
3864	1jh48il7.exe
4396	2oG933Dg.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	RE9fs9fY.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	Sp3zD1OT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e79c48869da7300155b8f28e75c456d3c8b56a174d85529c97d8307a157a099a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	mr6fe1Ad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	uC5iM7zq.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3864 set thread context of 4652	3864	1jh48il7.exe	110

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 3464 wrote to memory of 1056	3464	e79c48869da7300155b8f28e75c456d3c8b56a174d85529c97d8307a157a099a.exe	83
PID 3464 wrote to memory of 1056	3464	e79c48869da7300155b8f28e75c456d3c8b56a174d85529c97d8307a157a099a.exe	83
PID 3464 wrote to memory of 1056	3464	e79c48869da7300155b8f28e75c456d3c8b56a174d85529c97d8307a157a099a.exe	83
PID 1056 wrote to memory of 4556	1056	mr6fe1Ad.exe	84
PID 1056 wrote to memory of 4556	1056	mr6fe1Ad.exe	84
PID 1056 wrote to memory of 4556	1056	mr6fe1Ad.exe	84
PID 4556 wrote to memory of 664	4556	uC5iM7zq.exe	85
PID 4556 wrote to memory of 664	4556	uC5iM7zq.exe	85
PID 4556 wrote to memory of 664	4556	uC5iM7zq.exe	85
PID 664 wrote to memory of 1888	664	RE9fs9fY.exe	86
PID 664 wrote to memory of 1888	664	RE9fs9fY.exe	86
PID 664 wrote to memory of 1888	664	RE9fs9fY.exe	86
PID 1888 wrote to memory of 3864	1888	Sp3zD1OT.exe	88
PID 1888 wrote to memory of 3864	1888	Sp3zD1OT.exe	88
PID 1888 wrote to memory of 3864	1888	Sp3zD1OT.exe	88
PID 3864 wrote to memory of 4652	3864	1jh48il7.exe	110
PID 3864 wrote to memory of 4652	3864	1jh48il7.exe	110
PID 3864 wrote to memory of 4652	3864	1jh48il7.exe	110
PID 3864 wrote to memory of 4652	3864	1jh48il7.exe	110
PID 3864 wrote to memory of 4652	3864	1jh48il7.exe	110
PID 3864 wrote to memory of 4652	3864	1jh48il7.exe	110
PID 3864 wrote to memory of 4652	3864	1jh48il7.exe	110
PID 3864 wrote to memory of 4652	3864	1jh48il7.exe	110
PID 3864 wrote to memory of 4652	3864	1jh48il7.exe	110
PID 3864 wrote to memory of 4652	3864	1jh48il7.exe	110
PID 1888 wrote to memory of 4396	1888	Sp3zD1OT.exe	111
PID 1888 wrote to memory of 4396	1888	Sp3zD1OT.exe	111
PID 1888 wrote to memory of 4396	1888	Sp3zD1OT.exe	111

C:\Users\Admin\AppData\Local\Temp\e79c48869da7300155b8f28e75c456d3c8b56a174d85529c97d8307a157a099a.exe
"C:\Users\Admin\AppData\Local\Temp\e79c48869da7300155b8f28e75c456d3c8b56a174d85529c97d8307a157a099a.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3464
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mr6fe1Ad.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mr6fe1Ad.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1056
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\uC5iM7zq.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\uC5iM7zq.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4556
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\RE9fs9fY.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\RE9fs9fY.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:664
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Sp3zD1OT.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Sp3zD1OT.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1888
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1jh48il7.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1jh48il7.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3864
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:4652
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2oG933Dg.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2oG933Dg.exe
        6⤵
        Executes dropped EXE
        
        PID:4396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mr6fe1Ad.exe

Filesize
1.0MB

MD5
a33bec5a4ff5bee6094c6790a486df7f

SHA1
9ae1ff1202b847d29c84398fd0b84a12f87e10b4

SHA256
a72aaab98fd4cc954f263d2715662c53ffa7d4222d50900192c6ab2109a99f0a

SHA512
2f797f31e18d70de09a57e790117b2569f2596261c6023fe88cffa01cfb761b948d8c8e3ae16a40c3499f9949eaed4d0d964cf38cdfa33550aa69eda576537ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\uC5iM7zq.exe

Filesize
844KB

MD5
c9c21a0c100d324c30fd3b55f0ed4542

SHA1
8f11ddd8bd31b952c9a960c92f220da833f8b5a7

SHA256
bcbc5eaefea6789d2c1f8bf4824cef403414b4a387f6847a5a86b20e7061b862

SHA512
170c14c28dadb643da7b54cdb7bcbfeb92a51a0df87b238c6f324f137a070760ae4253fa01ac84c53ef0761ff05d033ba6fc882f191706c3204ac633fe49c993

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\RE9fs9fY.exe

Filesize
594KB

MD5
86cd2582ed91306f05a61d7ae23b31e5

SHA1
d0d010c336d1f52aa685a7f3f59ec66895d4582e

SHA256
03bd331490a904c6323e87fd14ff45c960b7d64a6e115dbce903cf89e6b0f5bc

SHA512
c485d947d479c366e32d2b7d1733626cea8b971bdc5ea9d1a57f583a29748c825fabacebf179c713f9e3655b843b9dfefb7850d7fb1052b27dcdc46ef00a0aa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Sp3zD1OT.exe

Filesize
398KB

MD5
1efa9b18a2563ebebae8a6eabad4db7b

SHA1
b95bc070b14bbb19b209b2d4413db63f79272fbc

SHA256
e2e852038c1504d54c9702b961095f0af961417103d2a5c8b10740dc188ac5e5

SHA512
07bf09d5fa8798b9f0d40650c180275c78e201abd9d5ebfb37d2d37dcb55e0802d6c4e35467695aeec3c930add915d200847bd13ee41bc58762f067b553de5bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1jh48il7.exe

Filesize
320KB

MD5
5d46d756761c7b1440076303beeca0ef

SHA1
8e50680d58c89566cf78b067aefed754d9fc4935

SHA256
8ef43142ccd7fbffcd0c4fa2ed3a196f7a964f71753dfc37a895d956e02e0c83

SHA512
19457218e35c87deade73de832140d6def871159eeec74a0df5c72dc0d56757a36c36a17327a73af6f03c6d8ca86d2f031f5d0364222dfcefc49df0d88758683

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2oG933Dg.exe

Filesize
222KB

MD5
3a2fb4ae3cb49d3452da38d13bb9a4c9

SHA1
b1aadf5266265ab50b01330037fec3405cf4501a

SHA256
f97449c137f4f454706cd578b7345a4b56fb2dd066558af125773e0ed8b2326a

SHA512
8d1913bf768b1e39e1eaf8ed67b9b47f2e00fb3897a767bbb665c0715bb10f551293aabdc6d6429c26455c364a686cca225596471147813cec679e522c84dcce

Download Submit
memory/4396-42-0x0000000000FF0000-0x000000000102E000-memory.dmp

Filesize
248KB

Download
memory/4396-43-0x00000000083A0000-0x0000000008944000-memory.dmp

Filesize
5.6MB

Download
memory/4396-44-0x0000000007EF0000-0x0000000007F82000-memory.dmp

Filesize
584KB

Download
memory/4396-45-0x0000000003480000-0x000000000348A000-memory.dmp

Filesize
40KB

Download
memory/4396-46-0x0000000008F70000-0x0000000009588000-memory.dmp

Filesize
6.1MB

Download
memory/4396-47-0x00000000081F0000-0x00000000082FA000-memory.dmp

Filesize
1.0MB

Download
memory/4396-48-0x0000000008100000-0x0000000008112000-memory.dmp

Filesize
72KB

Download
memory/4396-49-0x0000000008160000-0x000000000819C000-memory.dmp

Filesize
240KB

Download
memory/4396-50-0x00000000081A0000-0x00000000081EC000-memory.dmp

Filesize
304KB

Download
memory/4652-36-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4652-38-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4652-35-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads