mystic | be3323c3b2bd6ba736703199d528de6bf1396e8a7c6b9b58e4ca31fda43b00e0

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 08:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6bfb35349386611e3f965528901140a62ac938c2c926d82e7c9f31d498ae60b4.exe
Size

1.5MB
MD5

6c897a3879043ccbab5e695cfe6a5bd1
SHA1

35d1b8b5097a9fea72de3b14e54c7ab911b798d2
SHA256

6bfb35349386611e3f965528901140a62ac938c2c926d82e7c9f31d498ae60b4
SHA512

b849cf54fac1c49774904d68f9df27c271d9124857c2486684eef308a7731602aa8f6166b1c58c4cf47698da71fdcbf470123a4a731db60b1fc11d475181924b
SSDEEP

24576:3yOLPlyv/2XMP7A9V02yvQKDU/spDChnT2Rokh/1WIvUHpGy3NiPXTBNSvh:COLPlVXMPmpyvBDU/4ehqR11vcEPXTB4

Score

10^/10

mystic redline kukish infostealer persistence stealer

Malware Config

Extracted

Family

mystic

http://5.42.92.211/

Extracted

Family

redline

Botnet

kukish

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 3 IoCs

resource	yara_rule
behavioral8/memory/2164-35-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral8/memory/2164-36-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral8/memory/2164-38-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral8/files/0x0007000000023429-40.dat	family_redline
behavioral8/memory/2136-42-0x0000000000A50000-0x0000000000A8E000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
1308	ce1Bj0gD.exe
3344	Jk4xd5ZC.exe
3356	XO3ob9WL.exe
3772	Zw9kw2xJ.exe
508	1YJ21dl7.exe
2136	2mp181fb.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	6bfb35349386611e3f965528901140a62ac938c2c926d82e7c9f31d498ae60b4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	ce1Bj0gD.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Jk4xd5ZC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	XO3ob9WL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	Zw9kw2xJ.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 508 set thread context of 2164	508	1YJ21dl7.exe	91

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4376	508	WerFault.exe	89

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 3300 wrote to memory of 1308	3300	6bfb35349386611e3f965528901140a62ac938c2c926d82e7c9f31d498ae60b4.exe	82
PID 3300 wrote to memory of 1308	3300	6bfb35349386611e3f965528901140a62ac938c2c926d82e7c9f31d498ae60b4.exe	82
PID 3300 wrote to memory of 1308	3300	6bfb35349386611e3f965528901140a62ac938c2c926d82e7c9f31d498ae60b4.exe	82
PID 1308 wrote to memory of 3344	1308	ce1Bj0gD.exe	83
PID 1308 wrote to memory of 3344	1308	ce1Bj0gD.exe	83
PID 1308 wrote to memory of 3344	1308	ce1Bj0gD.exe	83
PID 3344 wrote to memory of 3356	3344	Jk4xd5ZC.exe	85
PID 3344 wrote to memory of 3356	3344	Jk4xd5ZC.exe	85
PID 3344 wrote to memory of 3356	3344	Jk4xd5ZC.exe	85
PID 3356 wrote to memory of 3772	3356	XO3ob9WL.exe	87
PID 3356 wrote to memory of 3772	3356	XO3ob9WL.exe	87
PID 3356 wrote to memory of 3772	3356	XO3ob9WL.exe	87
PID 3772 wrote to memory of 508	3772	Zw9kw2xJ.exe	89
PID 3772 wrote to memory of 508	3772	Zw9kw2xJ.exe	89
PID 3772 wrote to memory of 508	3772	Zw9kw2xJ.exe	89
PID 508 wrote to memory of 2164	508	1YJ21dl7.exe	91
PID 508 wrote to memory of 2164	508	1YJ21dl7.exe	91
PID 508 wrote to memory of 2164	508	1YJ21dl7.exe	91
PID 508 wrote to memory of 2164	508	1YJ21dl7.exe	91
PID 508 wrote to memory of 2164	508	1YJ21dl7.exe	91
PID 508 wrote to memory of 2164	508	1YJ21dl7.exe	91
PID 508 wrote to memory of 2164	508	1YJ21dl7.exe	91
PID 508 wrote to memory of 2164	508	1YJ21dl7.exe	91
PID 508 wrote to memory of 2164	508	1YJ21dl7.exe	91
PID 508 wrote to memory of 2164	508	1YJ21dl7.exe	91
PID 3772 wrote to memory of 2136	3772	Zw9kw2xJ.exe	95
PID 3772 wrote to memory of 2136	3772	Zw9kw2xJ.exe	95
PID 3772 wrote to memory of 2136	3772	Zw9kw2xJ.exe	95

C:\Users\Admin\AppData\Local\Temp\6bfb35349386611e3f965528901140a62ac938c2c926d82e7c9f31d498ae60b4.exe
"C:\Users\Admin\AppData\Local\Temp\6bfb35349386611e3f965528901140a62ac938c2c926d82e7c9f31d498ae60b4.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3300
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ce1Bj0gD.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ce1Bj0gD.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1308
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Jk4xd5ZC.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Jk4xd5ZC.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3344
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\XO3ob9WL.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\XO3ob9WL.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3356
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Zw9kw2xJ.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Zw9kw2xJ.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:3772
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1YJ21dl7.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1YJ21dl7.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:508
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 508 -s 136
        7⤵
        Program crash
        
        PID:4376
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2mp181fb.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2mp181fb.exe
        6⤵
        Executes dropped EXE
        
        PID:2136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 508 -ip 508
1⤵
PID:2460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ce1Bj0gD.exe

Filesize
1.3MB

MD5
32c24fc796294197e3c95b00123a16bc

SHA1
569fd9205fad4613a4db4fe59a19c0aa2bfaab57

SHA256
aa28c87adbc4405f5f65f7c30725aabe75dc3ac5d0878e6e013f38b1d1924bdf

SHA512
f4afd6a27a663bb2e8df8c197243d2493fb6e53be42a85315243a12efc53d6772c92718a082361e49ca4e989514bd221f2cdbf060fbc7e879fe559dbed0c8bf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Jk4xd5ZC.exe

Filesize
1.1MB

MD5
b2f1c0c8e05bfdaf3bc466f4b92d0b43

SHA1
3b9ff70840f34f11462fb69b3c98962c3f7b98ff

SHA256
bdc1a6e23872abc2dec549e0a6966630185abb72a6ee4afbd2e7cf2f69c5d735

SHA512
0c44c8836254ef239bdcf59de306b0da2149e404c447cc9a231c03166ceae56b6c520934312ab19588a2375e88d72644260bf5d4c7da8c5738f059ff12444ce9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\XO3ob9WL.exe

Filesize
758KB

MD5
5c24b6ac38ff31ac426b0c3ce699d737

SHA1
50fc82ebd9b0b09aab86ee23b5fc12730a6c06d6

SHA256
983c0280db5d78ee48668a4d2b243aec778d54dce53dde9207f41685053b5e5d

SHA512
54bedd90d990d9008c71997d78fd842145a8cdb7a9ff1641f9c6c22e1fb2db6986836ca643b25f45d5eb737063900f5cc8aff0355163f49621d3967717c2ba1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Zw9kw2xJ.exe

Filesize
562KB

MD5
b25eea05b72553c6d62b26b1f612d08b

SHA1
38c26b582e49b71e65e98518145acf270f35f2d3

SHA256
f9b0155c9f35c5ecd34ff22291cc8646a63a68df98b024ca0353900926572d5c

SHA512
c8042fb41df06c52558e677b249310d00b8c344ad89374b2858219df9e9f92ebcf8448ee6bb140de28c8aa99c68e834cf75e26eaf39ed772c1734e058a9e4289

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1YJ21dl7.exe

Filesize
1.1MB

MD5
de0eb50ae8edabe04b12e19313478d94

SHA1
1ced95841bb6d4fa854a576b4352a204531ce5c2

SHA256
f0fecbaff766cf8160143551cd1cfdc893054d7badff08004ba2e39bb09dcb6f

SHA512
bd33267e564a2904c5cbe2041e68389826de75529b15e6ae5d66615d50780a050beb4b50136d18747e63f6a761720b2cb6a2ee11b983b8ed50153582e661e289

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2mp181fb.exe

Filesize
221KB

MD5
d72ba0a719236b585c2136e1b3e86de4

SHA1
ba358d332386201d5e529fa27ebf300c5fd8823c

SHA256
9fb77677ec63c763fd6b013e234705505dc542bd1c8b40fa6472cf037be1155c

SHA512
7e8bc6ba466a3386e428b008d806967c0a35f67354be892f46e66d4d1abf8e089b9d280cfc64a001680542fd9c2486b2c98a5a9ec228b5f51ad478bac7229ead

Download Submit
memory/2136-42-0x0000000000A50000-0x0000000000A8E000-memory.dmp

Filesize
248KB

Download
memory/2136-43-0x0000000007D00000-0x00000000082A4000-memory.dmp

Filesize
5.6MB

Download
memory/2136-44-0x0000000007830000-0x00000000078C2000-memory.dmp

Filesize
584KB

Download
memory/2136-45-0x0000000004DF0000-0x0000000004DFA000-memory.dmp

Filesize
40KB

Download
memory/2136-47-0x00000000082B0000-0x00000000083BA000-memory.dmp

Filesize
1.0MB

Download
memory/2136-46-0x00000000088D0000-0x0000000008EE8000-memory.dmp

Filesize
6.1MB

Download
memory/2136-48-0x0000000007B60000-0x0000000007B72000-memory.dmp

Filesize
72KB

Download
memory/2136-49-0x0000000007BC0000-0x0000000007BFC000-memory.dmp

Filesize
240KB

Download
memory/2136-50-0x0000000007C00000-0x0000000007C4C000-memory.dmp

Filesize
304KB

Download
memory/2164-36-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2164-38-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2164-35-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads