mystic | 3cc30911c3eb32deaf5fb8bc4dfe2ca6abbafa106ab4c16e8ff25a715c1fe7e7

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 08:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e9172c16918ce5309dd65e1af444189e955a30b3ccec8e619cf23b147ebfb586.exe
Size

1008KB
MD5

100602fe3e9beff6fafb32f8be16a64d
SHA1

93941e2aae1f0f717c72cb708f41598b24908df8
SHA256

e9172c16918ce5309dd65e1af444189e955a30b3ccec8e619cf23b147ebfb586
SHA512

db129a290ceb46fc264dabd3dca635860678bf936ae69813e7ab4a2efcab608a38689bb18b4219e3c19f264baa0bcc5997811a0a6a8181d7754a5ad28c310839
SSDEEP

24576:jyRyvg2jeg6TBTHnRO2erkrkluTI7hLdyVS:2G36TBTHrikhTKa

Score

10^/10

mystic redline kukish infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kukish

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 3 IoCs

resource	yara_rule
behavioral19/memory/2348-28-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral19/memory/2348-31-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral19/memory/2348-29-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral19/files/0x0007000000023436-33.dat	family_redline
behavioral19/memory/3664-35-0x00000000007D0000-0x000000000080E000-memory.dmp	family_redline

Executes dropped EXE 5 IoCs

pid	Process
668	uh8Du2vY.exe
3152	qT0eO1bT.exe
1728	FG1XJ1YF.exe
3236	1dC74YX1.exe
3664	2sQ117lJ.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	FG1XJ1YF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e9172c16918ce5309dd65e1af444189e955a30b3ccec8e619cf23b147ebfb586.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	uh8Du2vY.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	qT0eO1bT.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3236 set thread context of 2348	3236	1dC74YX1.exe	101

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2336	3236	WerFault.exe	87

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 528 wrote to memory of 668	528	e9172c16918ce5309dd65e1af444189e955a30b3ccec8e619cf23b147ebfb586.exe	83
PID 528 wrote to memory of 668	528	e9172c16918ce5309dd65e1af444189e955a30b3ccec8e619cf23b147ebfb586.exe	83
PID 528 wrote to memory of 668	528	e9172c16918ce5309dd65e1af444189e955a30b3ccec8e619cf23b147ebfb586.exe	83
PID 668 wrote to memory of 3152	668	uh8Du2vY.exe	84
PID 668 wrote to memory of 3152	668	uh8Du2vY.exe	84
PID 668 wrote to memory of 3152	668	uh8Du2vY.exe	84
PID 3152 wrote to memory of 1728	3152	qT0eO1bT.exe	85
PID 3152 wrote to memory of 1728	3152	qT0eO1bT.exe	85
PID 3152 wrote to memory of 1728	3152	qT0eO1bT.exe	85
PID 1728 wrote to memory of 3236	1728	FG1XJ1YF.exe	87
PID 1728 wrote to memory of 3236	1728	FG1XJ1YF.exe	87
PID 1728 wrote to memory of 3236	1728	FG1XJ1YF.exe	87
PID 3236 wrote to memory of 2348	3236	1dC74YX1.exe	101
PID 3236 wrote to memory of 2348	3236	1dC74YX1.exe	101
PID 3236 wrote to memory of 2348	3236	1dC74YX1.exe	101
PID 3236 wrote to memory of 2348	3236	1dC74YX1.exe	101
PID 3236 wrote to memory of 2348	3236	1dC74YX1.exe	101
PID 3236 wrote to memory of 2348	3236	1dC74YX1.exe	101
PID 3236 wrote to memory of 2348	3236	1dC74YX1.exe	101
PID 3236 wrote to memory of 2348	3236	1dC74YX1.exe	101
PID 3236 wrote to memory of 2348	3236	1dC74YX1.exe	101
PID 3236 wrote to memory of 2348	3236	1dC74YX1.exe	101
PID 1728 wrote to memory of 3664	1728	FG1XJ1YF.exe	105
PID 1728 wrote to memory of 3664	1728	FG1XJ1YF.exe	105
PID 1728 wrote to memory of 3664	1728	FG1XJ1YF.exe	105

C:\Users\Admin\AppData\Local\Temp\e9172c16918ce5309dd65e1af444189e955a30b3ccec8e619cf23b147ebfb586.exe
"C:\Users\Admin\AppData\Local\Temp\e9172c16918ce5309dd65e1af444189e955a30b3ccec8e619cf23b147ebfb586.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:528
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uh8Du2vY.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uh8Du2vY.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:668
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qT0eO1bT.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qT0eO1bT.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3152
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\FG1XJ1YF.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\FG1XJ1YF.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1728
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1dC74YX1.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1dC74YX1.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3236
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:2348
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3236 -s 556
        6⤵
        Program crash
        
        PID:2336
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2sQ117lJ.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2sQ117lJ.exe
        5⤵
        Executes dropped EXE
        
        PID:3664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3236 -ip 3236
1⤵
PID:4076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uh8Du2vY.exe

Filesize
819KB

MD5
e13f774a4cb371aaaa0c2302ac79994d

SHA1
21824f4eb32e4f1d2b65c0aa877f42c96e5f2e41

SHA256
cf1fbd44626e403e64c787a8199e4e5e2f1784d9d2375ef8167e7a2eb845ffda

SHA512
9b358526ac569efddbca425a1122f7ba08f702a3ae918ad4a41d14aa4bf266f0ab960c455e878e51e1ae254ef61f493a4f7f364624aa1d20b4eb12ac24b02327

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qT0eO1bT.exe

Filesize
584KB

MD5
e4403408fd53fd20a5d933cce9d53604

SHA1
96823b76363496d4d2e5f36a65da35c055c5a804

SHA256
73a72e1eef3f2ed3174b908e547048c0da4b337bcd6872d691773fcf040c0984

SHA512
2ecda542042ed3472b86098082e8fae7cc1d4fe8d98d307d27b70e732861250811cd92fce4dd283a92e4011b579571309852c27f82d7ca6f8573ce961e38aae1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\FG1XJ1YF.exe

Filesize
383KB

MD5
be39646ff930e80702b9c1d6ebb84fc1

SHA1
9ce7885c18741f5b4eefcf5b2fc88d29f9ca0420

SHA256
1c19e9b907b3aa307e2fc2ae9905e782970ccf81e14123b55c004073f1b164e3

SHA512
0953d240adbb48569bd835ef4e1b35d75651469bab0441a356fc3bd28e8989fee6bd558881986fa4ea002f9c90ffeda1247e9022c06c89ce5205badd10de36dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1dC74YX1.exe

Filesize
298KB

MD5
5a68175e7359ff82a80bd6712969f9cf

SHA1
9e6ea0c2a1dbd290c3ccdbb82ead4e81737c8ead

SHA256
b0f917fd6741a333629752b521fd212ad13612b40683db20ed651f3da4a4bf23

SHA512
f63dd74156cb8cbe4a781edf01b889b61ffc2c6d33971f3bdb673934a7ab7ad1c1f943c8cd7208a125c6aec62ecd2fc57d53eb6dace71e63dbd5fd102011d58b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2sQ117lJ.exe

Filesize
222KB

MD5
681fe6d6c47f8871611f29f573a7c411

SHA1
8ff239c9bcffd31c610de43c1e71dd8f16814064

SHA256
9e256a518ab2e7c9dcca3a18bae1ca1eda33dcfbd91ff20d604f60c6c95fa813

SHA512
abfcc1461d598aba3f228ce7c8d9f34486f70e956d0a9cdc3e384ddb1654af703b53bc616c42e4aea22e787a93ccb0f398b3695f60d9d117788bbed2e41205b3

Download Submit
memory/2348-28-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2348-31-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2348-29-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3664-35-0x00000000007D0000-0x000000000080E000-memory.dmp

Filesize
248KB

Download
memory/3664-36-0x0000000007B90000-0x0000000008134000-memory.dmp

Filesize
5.6MB

Download
memory/3664-37-0x0000000007690000-0x0000000007722000-memory.dmp

Filesize
584KB

Download
memory/3664-38-0x0000000004D00000-0x0000000004D0A000-memory.dmp

Filesize
40KB

Download
memory/3664-39-0x0000000008760000-0x0000000008D78000-memory.dmp

Filesize
6.1MB

Download
memory/3664-40-0x00000000079A0000-0x0000000007AAA000-memory.dmp

Filesize
1.0MB

Download
memory/3664-41-0x00000000078D0000-0x00000000078E2000-memory.dmp

Filesize
72KB

Download
memory/3664-42-0x0000000007930000-0x000000000796C000-memory.dmp

Filesize
240KB

Download
memory/3664-43-0x0000000007AB0000-0x0000000007AFC000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads