mystic | 3cc30911c3eb32deaf5fb8bc4dfe2ca6abbafa106ab4c16e8ff25a715c1fe7e7

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 08:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f6c86e8cbc27556d873bb54eaa4778cf8529fe90df5c8b3070e8ed040254afda.exe
Size

381KB
MD5

6989654d4a8e854885b551c22957d828
SHA1

ff366f5fcb1208c106f4415722c3dfdc83e5cbbf
SHA256

f6c86e8cbc27556d873bb54eaa4778cf8529fe90df5c8b3070e8ed040254afda
SHA512

2ac699e41092271a137ea2609d9b556a493f2ab1bd3afd5b7a4300a5a3a90e8639451a10c04a48f07d4053ac9091670a3353b223f109e7f81332cb5569cff161
SSDEEP

6144:KBy+bnr+np0yN90QEBgipOiI8821AgFFBKmbrIkqlq8HCtYpJUnfCKM52U:DMrby90DgWOW8sEmbrIDlq8Hh7UnKKMr

Score

10^/10

mystic redline kukish infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kukish

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral20/memory/4628-7-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral20/memory/4628-9-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral20/memory/4628-11-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral20/memory/4628-8-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral20/files/0x000700000002342f-13.dat	family_redline
behavioral20/memory/2924-16-0x0000000000C50000-0x0000000000C8E000-memory.dmp	family_redline

Executes dropped EXE 2 IoCs

pid	Process
1364	1Je03YS9.exe
2924	2GU496eR.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	f6c86e8cbc27556d873bb54eaa4778cf8529fe90df5c8b3070e8ed040254afda.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1364 set thread context of 4628	1364	1Je03YS9.exe	85

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3848	1364	WerFault.exe	82
1368	4628	WerFault.exe	85

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 3936 wrote to memory of 1364	3936	f6c86e8cbc27556d873bb54eaa4778cf8529fe90df5c8b3070e8ed040254afda.exe	82
PID 3936 wrote to memory of 1364	3936	f6c86e8cbc27556d873bb54eaa4778cf8529fe90df5c8b3070e8ed040254afda.exe	82
PID 3936 wrote to memory of 1364	3936	f6c86e8cbc27556d873bb54eaa4778cf8529fe90df5c8b3070e8ed040254afda.exe	82
PID 1364 wrote to memory of 4628	1364	1Je03YS9.exe	85
PID 1364 wrote to memory of 4628	1364	1Je03YS9.exe	85
PID 1364 wrote to memory of 4628	1364	1Je03YS9.exe	85
PID 1364 wrote to memory of 4628	1364	1Je03YS9.exe	85
PID 1364 wrote to memory of 4628	1364	1Je03YS9.exe	85
PID 1364 wrote to memory of 4628	1364	1Je03YS9.exe	85
PID 1364 wrote to memory of 4628	1364	1Je03YS9.exe	85
PID 1364 wrote to memory of 4628	1364	1Je03YS9.exe	85
PID 1364 wrote to memory of 4628	1364	1Je03YS9.exe	85
PID 1364 wrote to memory of 4628	1364	1Je03YS9.exe	85
PID 3936 wrote to memory of 2924	3936	f6c86e8cbc27556d873bb54eaa4778cf8529fe90df5c8b3070e8ed040254afda.exe	93
PID 3936 wrote to memory of 2924	3936	f6c86e8cbc27556d873bb54eaa4778cf8529fe90df5c8b3070e8ed040254afda.exe	93
PID 3936 wrote to memory of 2924	3936	f6c86e8cbc27556d873bb54eaa4778cf8529fe90df5c8b3070e8ed040254afda.exe	93

C:\Users\Admin\AppData\Local\Temp\f6c86e8cbc27556d873bb54eaa4778cf8529fe90df5c8b3070e8ed040254afda.exe
"C:\Users\Admin\AppData\Local\Temp\f6c86e8cbc27556d873bb54eaa4778cf8529fe90df5c8b3070e8ed040254afda.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3936
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1Je03YS9.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1Je03YS9.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1364
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:4628
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 196
      4⤵
      Program crash
      PID:1368
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1364 -s 592
    3⤵
    - Program crash
    PID:3848
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2GU496eR.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2GU496eR.exe
  2⤵
  - Executes dropped EXE
  PID:2924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1364 -ip 1364
1⤵
PID:3696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4628 -ip 4628
1⤵
PID:1992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1Je03YS9.exe

Filesize
295KB

MD5
0529c686977164266fff181fe5624365

SHA1
8a93fbc6e534c48da1e7e13918bbfa33e1d7ded4

SHA256
01b70ff1f32a06a5257c26adb2ac368f8249fee48ce32ea55d19b5ca8cfc1523

SHA512
152fe9d0fd9b1b7df9f68f6089fea360cfc9246f33dcba772649d484ec31ceb4c174a17629638a978be772d3e6cc35d559d4e7d087c0c77d7900bfc6c0b841cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2GU496eR.exe

Filesize
222KB

MD5
1304c12cc2e666e92459f841f2926155

SHA1
4bb156a852c19dda9b8eed9ef9f4d5637d0d5d18

SHA256
b033b5fbe1b0c129ad84a9e42cda574b88e0ed22d896c25c19ce6ab9fbf855c0

SHA512
8542eab775db888a8e28c24a25e1176f8836bc514cddd955afd8c3a659c12b3de5b5399a590a82400a60b4a5000920dfd443ae36674d2434468664b59abd6b7c

Download Submit
memory/2924-21-0x0000000008B20000-0x0000000009138000-memory.dmp

Filesize
6.1MB

Download
memory/2924-20-0x0000000005010000-0x000000000501A000-memory.dmp

Filesize
40KB

Download
memory/2924-27-0x0000000073C20000-0x00000000743D0000-memory.dmp

Filesize
7.7MB

Download
memory/2924-26-0x0000000073C2E000-0x0000000073C2F000-memory.dmp

Filesize
4KB

Download
memory/2924-15-0x0000000073C2E000-0x0000000073C2F000-memory.dmp

Filesize
4KB

Download
memory/2924-16-0x0000000000C50000-0x0000000000C8E000-memory.dmp

Filesize
248KB

Download
memory/2924-17-0x0000000007F50000-0x00000000084F4000-memory.dmp

Filesize
5.6MB

Download
memory/2924-18-0x0000000007A40000-0x0000000007AD2000-memory.dmp

Filesize
584KB

Download
memory/2924-19-0x0000000073C20000-0x00000000743D0000-memory.dmp

Filesize
7.7MB

Download
memory/2924-25-0x0000000007CC0000-0x0000000007D0C000-memory.dmp

Filesize
304KB

Download
memory/2924-24-0x0000000007C80000-0x0000000007CBC000-memory.dmp

Filesize
240KB

Download
memory/2924-22-0x0000000007DD0000-0x0000000007EDA000-memory.dmp

Filesize
1.0MB

Download
memory/2924-23-0x0000000007BF0000-0x0000000007C02000-memory.dmp

Filesize
72KB

Download
memory/4628-7-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4628-11-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4628-9-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4628-8-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads