mystic | 3cc30911c3eb32deaf5fb8bc4dfe2ca6abbafa106ab4c16e8ff25a715c1fe7e7

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24/05/2024, 08:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

131b47af993204905e6dd4dd4ff06b43cb1a0fe2e2b140520d4962f73d4b6432.exe
Size

930KB
MD5

0cfe607a0e71e8e8185964b116396f08
SHA1

67406c6194bd8455a7f7112787cef8ecfc17d060
SHA256

131b47af993204905e6dd4dd4ff06b43cb1a0fe2e2b140520d4962f73d4b6432
SHA512

1e3bf90ce8060d336f4eb45e920c6d6b544fbf3eb70cbe5a3f15d1dac8c385fca16409aaedf2fe6d72bd8e1a144d61c21ee3ef7dec7c21d79f2cbb6244c3d049
SSDEEP

24576:iytg+WfHZn2cMrrPTotPR47e2EmHTsjF7k6:J8fHZ2bdilNk

Score

10^/10

mystic redline kendo infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kendo

77.91.124.82:19071

Attributes

auth_value
5a22a881561d49941415902859b51f14

Signatures

Detect Mystic stealer payload 3 IoCs

resource	yara_rule
behavioral1/memory/1216-28-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral1/memory/1216-29-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral1/memory/1216-31-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023401-33.dat	family_redline
behavioral1/memory/4412-35-0x0000000000DA0000-0x0000000000DD0000-memory.dmp	family_redline

Executes dropped EXE 5 IoCs

pid	Process
4544	x4885474.exe
3636	x3815247.exe
1888	x5031597.exe
2956	g8385831.exe
4412	h3469781.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	131b47af993204905e6dd4dd4ff06b43cb1a0fe2e2b140520d4962f73d4b6432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x4885474.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x3815247.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x5031597.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2956 set thread context of 1216	2956	g8385831.exe	90

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2684	2956	WerFault.exe	86

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 644 wrote to memory of 4544	644	131b47af993204905e6dd4dd4ff06b43cb1a0fe2e2b140520d4962f73d4b6432.exe	83
PID 644 wrote to memory of 4544	644	131b47af993204905e6dd4dd4ff06b43cb1a0fe2e2b140520d4962f73d4b6432.exe	83
PID 644 wrote to memory of 4544	644	131b47af993204905e6dd4dd4ff06b43cb1a0fe2e2b140520d4962f73d4b6432.exe	83
PID 4544 wrote to memory of 3636	4544	x4885474.exe	84
PID 4544 wrote to memory of 3636	4544	x4885474.exe	84
PID 4544 wrote to memory of 3636	4544	x4885474.exe	84
PID 3636 wrote to memory of 1888	3636	x3815247.exe	85
PID 3636 wrote to memory of 1888	3636	x3815247.exe	85
PID 3636 wrote to memory of 1888	3636	x3815247.exe	85
PID 1888 wrote to memory of 2956	1888	x5031597.exe	86
PID 1888 wrote to memory of 2956	1888	x5031597.exe	86
PID 1888 wrote to memory of 2956	1888	x5031597.exe	86
PID 2956 wrote to memory of 4304	2956	g8385831.exe	89
PID 2956 wrote to memory of 4304	2956	g8385831.exe	89
PID 2956 wrote to memory of 4304	2956	g8385831.exe	89
PID 2956 wrote to memory of 1216	2956	g8385831.exe	90
PID 2956 wrote to memory of 1216	2956	g8385831.exe	90
PID 2956 wrote to memory of 1216	2956	g8385831.exe	90
PID 2956 wrote to memory of 1216	2956	g8385831.exe	90
PID 2956 wrote to memory of 1216	2956	g8385831.exe	90
PID 2956 wrote to memory of 1216	2956	g8385831.exe	90
PID 2956 wrote to memory of 1216	2956	g8385831.exe	90
PID 2956 wrote to memory of 1216	2956	g8385831.exe	90
PID 2956 wrote to memory of 1216	2956	g8385831.exe	90
PID 2956 wrote to memory of 1216	2956	g8385831.exe	90
PID 1888 wrote to memory of 4412	1888	x5031597.exe	95
PID 1888 wrote to memory of 4412	1888	x5031597.exe	95
PID 1888 wrote to memory of 4412	1888	x5031597.exe	95

C:\Users\Admin\AppData\Local\Temp\131b47af993204905e6dd4dd4ff06b43cb1a0fe2e2b140520d4962f73d4b6432.exe
"C:\Users\Admin\AppData\Local\Temp\131b47af993204905e6dd4dd4ff06b43cb1a0fe2e2b140520d4962f73d4b6432.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:644
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4885474.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4885474.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4544
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3815247.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3815247.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3636
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x5031597.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x5031597.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1888
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g8385831.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g8385831.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2956
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:4304
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:1216
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2956 -s 588
        6⤵
        Program crash
        
        PID:2684
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h3469781.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h3469781.exe
        5⤵
        Executes dropped EXE
        
        PID:4412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2956 -ip 2956
1⤵
PID:4356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4885474.exe

Filesize
828KB

MD5
be200f6e1cbeeef4aad5688a85e4bac1

SHA1
f16c641000c9fee24f6246581a06abba88bb7929

SHA256
d53dccdf974af097276df989f4b782c97c04f21615be89d04329d64deddc1f50

SHA512
af2d5cf8912b3b205315bac5ab108ba483730c4f58c2d879e68b8c1ce4a44d2fe66778f1504d015bc77f524867a4817be0c61b7e788edc81114c30e9fb2b8d9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3815247.exe

Filesize
557KB

MD5
d074331463985aea471350cee1fe1031

SHA1
bc2632a81a6427f35329ce84f81678ca213b146e

SHA256
88dd13404fab17b32994690e7fc7eeb4d35643200f172d2234fcc6461ce1c441

SHA512
eed55d07aacceb1f2892359e48c5be5f01ab815cf97026c25104004118822ce8a1f33257b225d48dab36c2b3043580f946f327eedcd6f994724e3e988fdc42f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x5031597.exe

Filesize
391KB

MD5
c9056cbf620b931ba2cad390a1244790

SHA1
85ee5c7f579f1075f709bc4c119b519a005f9a09

SHA256
e102043d37dd318e441f0517798befd1207f3962a9294dfecddad2dde03bb4d3

SHA512
5bbfc29878e4b8a9757a9e03b2b003b2515d2a3c1a13e9a3a4522bab384b5084095ddb2dfc6a4d28bf326a64b642c6ce1a2d0fbfe71f937b3c4d2883cbffe7ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g8385831.exe

Filesize
364KB

MD5
7ffdfae73d61cbb3489e5fbc9ea3cfc9

SHA1
9bc6f0e00b730639dec6d6d81d5a46f33ca30de1

SHA256
c9d63d7ee133732b8d3b3de7d35aa6ff211abd0205dfb55ae4d91cc89109b11a

SHA512
785538bb34d8d8707885c0a29405c2eb1dd9ab5b89565306b432d014447767ce07cbdfc4e5fa64ed85b944d1405704ffc5b4a5c3d9500ffeb9090abb543bd8fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h3469781.exe

Filesize
174KB

MD5
c2c9494497cd0393f8f80d185df87c29

SHA1
e1c7e65be0cb20fcd3118030131395027c93a690

SHA256
b35bc4db20f68856bbed0e5457e46966e6a16d2a42eb462383d7894ce1c3037b

SHA512
cc928feb4c1e00b99be414dd491b86a246fcf594fa3ffe56e2c610a37a971e66052c4850ff41d31e0e9b45811b7345ee836454ebdeb62ce057b5ac8f86e77a73

Download Submit
memory/1216-31-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1216-29-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1216-28-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4412-35-0x0000000000DA0000-0x0000000000DD0000-memory.dmp

Filesize
192KB

Download
memory/4412-36-0x0000000003190000-0x0000000003196000-memory.dmp

Filesize
24KB

Download
memory/4412-37-0x000000000B1F0000-0x000000000B808000-memory.dmp

Filesize
6.1MB

Download
memory/4412-38-0x000000000AD50000-0x000000000AE5A000-memory.dmp

Filesize
1.0MB

Download
memory/4412-39-0x000000000AC90000-0x000000000ACA2000-memory.dmp

Filesize
72KB

Download
memory/4412-40-0x000000000ACF0000-0x000000000AD2C000-memory.dmp

Filesize
240KB

Download
memory/4412-41-0x00000000051E0000-0x000000000522C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads