mystic | 3cc30911c3eb32deaf5fb8bc4dfe2ca6abbafa106ab4c16e8ff25a715c1fe7e7

Analysis

max time kernel
147s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 08:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e3c377dc6b3cceb0b4ae2fa0504de53fe1dad61a6bb656af0994220dfea6bdf7.exe
Size

382KB
MD5

2600d98c44bf7addf229345421746121
SHA1

5909cb291178933b0f40491f4ab2c43369fc7047
SHA256

e3c377dc6b3cceb0b4ae2fa0504de53fe1dad61a6bb656af0994220dfea6bdf7
SHA512

336ba8bf7b5a9c335772611b270795fb9b935f25adb757932c26e453798dfda6ee3ef20e48d749d8b99a5453c8e5ab4303e90ea50aea58dcbd5b68e030df81c0
SSDEEP

6144:KDy+bnr+1p0yN90QEY5IfJpscWaUBETleouHWxRgvjbjVMEKdB:lMr5y90Ku7sqFzuHQM7KdB

Score

10^/10

mystic redline kukish infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kukish

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 4 IoCs

Processes:

resource	yara_rule
behavioral18/memory/796-7-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral18/memory/796-9-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral18/memory/796-11-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral18/memory/796-8-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2ZD276ZK.exe	family_redline
behavioral18/memory/4244-16-0x0000000000FA0000-0x0000000000FDE000-memory.dmp	family_redline

Executes dropped EXE 2 IoCs

Processes:

1Bw75fp3.exe2ZD276ZK.exe

pid process

1956 1Bw75fp3.exe
4244 2ZD276ZK.exe

pid	process
1956	1Bw75fp3.exe
4244	2ZD276ZK.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

e3c377dc6b3cceb0b4ae2fa0504de53fe1dad61a6bb656af0994220dfea6bdf7.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e3c377dc6b3cceb0b4ae2fa0504de53fe1dad61a6bb656af0994220dfea6bdf7.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

1Bw75fp3.exe

description pid process target process

PID 1956 set thread context of 796 1956 1Bw75fp3.exe AppLaunch.exe
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4208 1956 WerFault.exe 1Bw75fp3.exe
4484 796 WerFault.exe AppLaunch.exe

description	pid	process	target process
PID 1956 set thread context of 796	1956	1Bw75fp3.exe	AppLaunch.exe

pid	pid_target	process	target process
4208	1956	WerFault.exe	1Bw75fp3.exe
4484	796	WerFault.exe	AppLaunch.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

e3c377dc6b3cceb0b4ae2fa0504de53fe1dad61a6bb656af0994220dfea6bdf7.exe1Bw75fp3.exe

description	pid	process	target process
PID 2536 wrote to memory of 1956	2536	e3c377dc6b3cceb0b4ae2fa0504de53fe1dad61a6bb656af0994220dfea6bdf7.exe	1Bw75fp3.exe
PID 2536 wrote to memory of 1956	2536	e3c377dc6b3cceb0b4ae2fa0504de53fe1dad61a6bb656af0994220dfea6bdf7.exe	1Bw75fp3.exe
PID 2536 wrote to memory of 1956	2536	e3c377dc6b3cceb0b4ae2fa0504de53fe1dad61a6bb656af0994220dfea6bdf7.exe	1Bw75fp3.exe
PID 1956 wrote to memory of 796	1956	1Bw75fp3.exe	AppLaunch.exe
PID 1956 wrote to memory of 796	1956	1Bw75fp3.exe	AppLaunch.exe
PID 1956 wrote to memory of 796	1956	1Bw75fp3.exe	AppLaunch.exe
PID 1956 wrote to memory of 796	1956	1Bw75fp3.exe	AppLaunch.exe
PID 1956 wrote to memory of 796	1956	1Bw75fp3.exe	AppLaunch.exe
PID 1956 wrote to memory of 796	1956	1Bw75fp3.exe	AppLaunch.exe
PID 1956 wrote to memory of 796	1956	1Bw75fp3.exe	AppLaunch.exe
PID 1956 wrote to memory of 796	1956	1Bw75fp3.exe	AppLaunch.exe
PID 1956 wrote to memory of 796	1956	1Bw75fp3.exe	AppLaunch.exe
PID 1956 wrote to memory of 796	1956	1Bw75fp3.exe	AppLaunch.exe
PID 2536 wrote to memory of 4244	2536	e3c377dc6b3cceb0b4ae2fa0504de53fe1dad61a6bb656af0994220dfea6bdf7.exe	2ZD276ZK.exe
PID 2536 wrote to memory of 4244	2536	e3c377dc6b3cceb0b4ae2fa0504de53fe1dad61a6bb656af0994220dfea6bdf7.exe	2ZD276ZK.exe
PID 2536 wrote to memory of 4244	2536	e3c377dc6b3cceb0b4ae2fa0504de53fe1dad61a6bb656af0994220dfea6bdf7.exe	2ZD276ZK.exe

C:\Users\Admin\AppData\Local\Temp\e3c377dc6b3cceb0b4ae2fa0504de53fe1dad61a6bb656af0994220dfea6bdf7.exe
"C:\Users\Admin\AppData\Local\Temp\e3c377dc6b3cceb0b4ae2fa0504de53fe1dad61a6bb656af0994220dfea6bdf7.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2536

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1Bw75fp3.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1Bw75fp3.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1956

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
PID:796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 796 -s 560
4⤵
- Program crash
PID:4484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 140
3⤵
- Program crash
PID:4208

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2ZD276ZK.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2ZD276ZK.exe
2⤵
- Executes dropped EXE
PID:4244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1956 -ip 1956
1⤵
PID:2052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 132 -p 796 -ip 796
1⤵
PID:4644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1Bw75fp3.exe

Filesize
295KB

MD5
dbae619ff9c946e3e49dea026a91bb7d

SHA1
299a395a0ea7f8696ae599e966ece9431c167ec3

SHA256
b474c38a83ef574fb7601a47a8e94b1bc8111bff46ace14eb27831d5f9c569af

SHA512
79712a506fadcf629c5841fd29a5e78d1457c08d51f09a78167266ef80f53b8cc382e47de671b40a6981ff609c42948f79d7188cb64af87ca27e23d5602fafe1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2ZD276ZK.exe

Filesize
222KB

MD5
6a57dfd2b00f1be4820ff52c089a0ebf

SHA1
2c34412e39d2faac60dd5362f93dd9da622fb8cf

SHA256
60a060104f88e1262b48d43572bb0fbb28b0e630c33503c3380edc247e534855

SHA512
42bf9422e2b2909f207d39db5e73336894aa69db66bdc7d3f75f470d61babc00d9f5e88ead5d3e285b54bea938f48d15e74ae3572b792e3ec139b3397fc35e38

Download Submit
memory/796-7-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/796-9-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/796-11-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/796-8-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4244-17-0x0000000008330000-0x00000000088D4000-memory.dmp

Filesize
5.6MB

Download
memory/4244-16-0x0000000000FA0000-0x0000000000FDE000-memory.dmp

Filesize
248KB

Download
memory/4244-15-0x000000007343E000-0x000000007343F000-memory.dmp

Filesize
4KB

Download
memory/4244-18-0x0000000007E60000-0x0000000007EF2000-memory.dmp

Filesize
584KB

Download
memory/4244-19-0x0000000005460000-0x000000000546A000-memory.dmp

Filesize
40KB

Download
memory/4244-20-0x0000000073430000-0x0000000073BE0000-memory.dmp

Filesize
7.7MB

Download
memory/4244-21-0x0000000008F00000-0x0000000009518000-memory.dmp

Filesize
6.1MB

Download
memory/4244-22-0x0000000008170000-0x000000000827A000-memory.dmp

Filesize
1.0MB

Download
memory/4244-23-0x00000000080A0000-0x00000000080B2000-memory.dmp

Filesize
72KB

Download
memory/4244-24-0x0000000008100000-0x000000000813C000-memory.dmp

Filesize
240KB

Download
memory/4244-25-0x0000000008280000-0x00000000082CC000-memory.dmp

Filesize
304KB

Download
memory/4244-26-0x000000007343E000-0x000000007343F000-memory.dmp

Filesize
4KB

Download
memory/4244-27-0x0000000073430000-0x0000000073BE0000-memory.dmp

Filesize
7.7MB

Download