mystic | 35fa914c6357cde578322016bb343396ee5cbe965e37dbbc27e58563c27f3d00

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 10:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a35e73743d1c4e1fc0961c56137fb8d5b74b8a9eb7287318325f458bcc36a546.exe
Size

1.1MB
MD5

7db592e10da1185fdda4eb02563708fc
SHA1

8d2a3b604d8bbf44c44079249eaefe26b0098f24
SHA256

a35e73743d1c4e1fc0961c56137fb8d5b74b8a9eb7287318325f458bcc36a546
SHA512

379743136ec723ec66d5032089f5b4e647f95d008ef4124aeed1f4d14817456f76299358367f24d112e0c0fbd718fca3f3d2921afdfd10bbad10cbecbe1b739d
SSDEEP

24576:VyEGUV7+MTHaZJ0jnUzctOX6qmHHGIJKnCZtgNR75qy394mB7:w3ECMjaZqozKXhHm578yXB

Score

10^/10

mystic redline kukish infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kukish

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 3 IoCs

Processes:

resource	yara_rule
behavioral13/memory/4376-35-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral13/memory/4376-38-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral13/memory/4376-36-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2SJ436cY.exe	family_redline
behavioral13/memory/4892-42-0x00000000008F0000-0x000000000092E000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

Processes:

pt0xA5gg.exexg3Qg7iV.exebZ0dl5at.exeXG4ZE3Ch.exe1gy38An0.exe2SJ436cY.exe

pid process

2532 pt0xA5gg.exe
3592 xg3Qg7iV.exe
1912 bZ0dl5at.exe
4416 XG4ZE3Ch.exe
2392 1gy38An0.exe
4892 2SJ436cY.exe

pid	process
2532	pt0xA5gg.exe
3592	xg3Qg7iV.exe
1912	bZ0dl5at.exe
4416	XG4ZE3Ch.exe
2392	1gy38An0.exe
4892	2SJ436cY.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

xg3Qg7iV.exebZ0dl5at.exeXG4ZE3Ch.exea35e73743d1c4e1fc0961c56137fb8d5b74b8a9eb7287318325f458bcc36a546.exept0xA5gg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	xg3Qg7iV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	bZ0dl5at.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	XG4ZE3Ch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a35e73743d1c4e1fc0961c56137fb8d5b74b8a9eb7287318325f458bcc36a546.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	pt0xA5gg.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

1gy38An0.exe

description pid process target process

PID 2392 set thread context of 4376 2392 1gy38An0.exe AppLaunch.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3104 2392 WerFault.exe 1gy38An0.exe

description	pid	process	target process
PID 2392 set thread context of 4376	2392	1gy38An0.exe	AppLaunch.exe

pid	pid_target	process	target process
3104	2392	WerFault.exe	1gy38An0.exe

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

a35e73743d1c4e1fc0961c56137fb8d5b74b8a9eb7287318325f458bcc36a546.exept0xA5gg.exexg3Qg7iV.exebZ0dl5at.exeXG4ZE3Ch.exe1gy38An0.exe

description	pid	process	target process
PID 3916 wrote to memory of 2532	3916	a35e73743d1c4e1fc0961c56137fb8d5b74b8a9eb7287318325f458bcc36a546.exe	pt0xA5gg.exe
PID 3916 wrote to memory of 2532	3916	a35e73743d1c4e1fc0961c56137fb8d5b74b8a9eb7287318325f458bcc36a546.exe	pt0xA5gg.exe
PID 3916 wrote to memory of 2532	3916	a35e73743d1c4e1fc0961c56137fb8d5b74b8a9eb7287318325f458bcc36a546.exe	pt0xA5gg.exe
PID 2532 wrote to memory of 3592	2532	pt0xA5gg.exe	xg3Qg7iV.exe
PID 2532 wrote to memory of 3592	2532	pt0xA5gg.exe	xg3Qg7iV.exe
PID 2532 wrote to memory of 3592	2532	pt0xA5gg.exe	xg3Qg7iV.exe
PID 3592 wrote to memory of 1912	3592	xg3Qg7iV.exe	bZ0dl5at.exe
PID 3592 wrote to memory of 1912	3592	xg3Qg7iV.exe	bZ0dl5at.exe
PID 3592 wrote to memory of 1912	3592	xg3Qg7iV.exe	bZ0dl5at.exe
PID 1912 wrote to memory of 4416	1912	bZ0dl5at.exe	XG4ZE3Ch.exe
PID 1912 wrote to memory of 4416	1912	bZ0dl5at.exe	XG4ZE3Ch.exe
PID 1912 wrote to memory of 4416	1912	bZ0dl5at.exe	XG4ZE3Ch.exe
PID 4416 wrote to memory of 2392	4416	XG4ZE3Ch.exe	1gy38An0.exe
PID 4416 wrote to memory of 2392	4416	XG4ZE3Ch.exe	1gy38An0.exe
PID 4416 wrote to memory of 2392	4416	XG4ZE3Ch.exe	1gy38An0.exe
PID 2392 wrote to memory of 4756	2392	1gy38An0.exe	AppLaunch.exe
PID 2392 wrote to memory of 4756	2392	1gy38An0.exe	AppLaunch.exe
PID 2392 wrote to memory of 4756	2392	1gy38An0.exe	AppLaunch.exe
PID 2392 wrote to memory of 4376	2392	1gy38An0.exe	AppLaunch.exe
PID 2392 wrote to memory of 4376	2392	1gy38An0.exe	AppLaunch.exe
PID 2392 wrote to memory of 4376	2392	1gy38An0.exe	AppLaunch.exe
PID 2392 wrote to memory of 4376	2392	1gy38An0.exe	AppLaunch.exe
PID 2392 wrote to memory of 4376	2392	1gy38An0.exe	AppLaunch.exe
PID 2392 wrote to memory of 4376	2392	1gy38An0.exe	AppLaunch.exe
PID 2392 wrote to memory of 4376	2392	1gy38An0.exe	AppLaunch.exe
PID 2392 wrote to memory of 4376	2392	1gy38An0.exe	AppLaunch.exe
PID 2392 wrote to memory of 4376	2392	1gy38An0.exe	AppLaunch.exe
PID 2392 wrote to memory of 4376	2392	1gy38An0.exe	AppLaunch.exe
PID 4416 wrote to memory of 4892	4416	XG4ZE3Ch.exe	2SJ436cY.exe
PID 4416 wrote to memory of 4892	4416	XG4ZE3Ch.exe	2SJ436cY.exe
PID 4416 wrote to memory of 4892	4416	XG4ZE3Ch.exe	2SJ436cY.exe

C:\Users\Admin\AppData\Local\Temp\a35e73743d1c4e1fc0961c56137fb8d5b74b8a9eb7287318325f458bcc36a546.exe
"C:\Users\Admin\AppData\Local\Temp\a35e73743d1c4e1fc0961c56137fb8d5b74b8a9eb7287318325f458bcc36a546.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3916

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pt0xA5gg.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pt0xA5gg.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2532

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xg3Qg7iV.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xg3Qg7iV.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3592

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\bZ0dl5at.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\bZ0dl5at.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1912

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\XG4ZE3Ch.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\XG4ZE3Ch.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4416

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1gy38An0.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1gy38An0.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2392

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
PID:4756

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
PID:4376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2392 -s 612
7⤵
- Program crash
PID:3104

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2SJ436cY.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2SJ436cY.exe
6⤵
- Executes dropped EXE
PID:4892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2392 -ip 2392
1⤵
PID:3536

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pt0xA5gg.exe
Filesize
1001KB

MD5
3bcb31f40a40e1f6cae84c5bea0f4470

SHA1
1439d8e0f7733ffaada435198257d17e640c01c8

SHA256
ed23696f9dd547f54c9ecd3de7c34ca6a50a0fadd70b83d803f8ade444acae27

SHA512
26245199b012af52ef4aa765ce26f0db11a198fed06f4ee06ebb7e7f0e23c4bbe955329c327fb248269f23dc176831f951ecfee95a5efe88cb915699132c3a20

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xg3Qg7iV.exe
Filesize
812KB

MD5
3fc4f5128feba784657f0bb9174684f6

SHA1
a1d06ce2bb1aee90467afe37b2708ee3f91fff05

SHA256
be72aa2daa129607dfa5eebe89c8ddb1ba649f9f99e03ae724f4085be52da691

SHA512
9fd1f7d9f5311cee450d48bdcba2424482c34009bc1636ac6bdfefefccdc3218080217e4105cde5eb3fe2ddc77b8d288aa8b0a84057f5de0b246a5824039aa82

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\bZ0dl5at.exe
Filesize
578KB

MD5
d6836f91110230e07b0874f3cc8eac53

SHA1
4caa911e5f6233fa11fe1a7434ec2db844f60e9e

SHA256
beaf0e795c7a78cf487c625c73793bdf9dcc6650727f1c55af7584ea65a7e040

SHA512
278aeee5dc58d13aae64f20ff571b1817283957a84c7e0804f128e2c2f2644816d01f19ffa05b19113450ee2727cd75eaab2b5d487317fc12b7938554b5c1792

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\XG4ZE3Ch.exe
Filesize
382KB

MD5
f282e18e7b52a2e5f954efbd882e2460

SHA1
87c24a707dd7f6140e5bb89ef84e327b38c10a7c

SHA256
62f0d504b88191473b59e183309cf71de1e94ade592178403d6ddb0c2571f6da

SHA512
0b7abe61ee3d9b739b2ac7fe038e1b65cef246ffad6feb0856e49e59c0f42cb4df0ed2e8973afa83b74a3e612ade227a315e9a4154fb80ab0d94ace3cca54a12

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1gy38An0.exe
Filesize
295KB

MD5
6037d6e4808ee1664d2cf30357fcd115

SHA1
2f9350cb1db4521e5e638c86d0f5fa090ccbef09

SHA256
13093d33e27095af57e49c7ee29c4b85da53c3286ee1175a4b29ab7545538a1f

SHA512
18e1bb1cc04b3f053d20d29cf19d388c8f75833399c6d46e785f813f3a3edd2bfc26895571862f364d6c4cbfdc558c1be615a0615b641a8c7806bc4056b263da

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2SJ436cY.exe
Filesize
222KB

MD5
ddc418056cede0abd049b9f489adeee2

SHA1
5f3711db9bc61102322b5d859bd988416de2f845

SHA256
6c88a89541d23f2858e4ea4d8cc3b239d405306c35258d2aafbbcebfbd4e0b87

SHA512
e66d85f1821eb945339718a14f888e3d666b48300d98ed2ba30c0cd2e89f90d890340ae8aebc9d89594f80020fcec642a3aea16d6aec794bd28708deff4dd5f8

Download Submit
memory/4376-38-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4376-36-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4376-35-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4892-42-0x00000000008F0000-0x000000000092E000-memory.dmp

Filesize
248KB

Download
memory/4892-43-0x0000000007BA0000-0x0000000008144000-memory.dmp

Filesize
5.6MB

Download
memory/4892-44-0x0000000007690000-0x0000000007722000-memory.dmp

Filesize
584KB

Download
memory/4892-45-0x0000000004C80000-0x0000000004C8A000-memory.dmp

Filesize
40KB

Download
memory/4892-46-0x0000000008770000-0x0000000008D88000-memory.dmp

Filesize
6.1MB

Download
memory/4892-47-0x00000000079B0000-0x0000000007ABA000-memory.dmp

Filesize
1.0MB

Download
memory/4892-48-0x00000000078C0000-0x00000000078D2000-memory.dmp

Filesize
72KB

Download
memory/4892-49-0x0000000007920000-0x000000000795C000-memory.dmp

Filesize
240KB

Download
memory/4892-50-0x0000000007960000-0x00000000079AC000-memory.dmp

Filesize
304KB

Download