mystic | 35fa914c6357cde578322016bb343396ee5cbe965e37dbbc27e58563c27f3d00

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 10:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

88242c8054974baa356b72df09969ef7d9d50033497a8ec162fab5103a16aa22.exe
Size

1.5MB
MD5

0fe2284542243f32ff3335d14cb3a1c1
SHA1

d9bc23510c407ef9bb332b221ac74f34856d971d
SHA256

88242c8054974baa356b72df09969ef7d9d50033497a8ec162fab5103a16aa22
SHA512

e11a9ab4453e50b913d43a06ef7c37391169932e380354b6251dffd325c75a6c6cfe6324118e681e53c35f53938a8b7251fea0000cdc2cef5ee94a6efd5963fe
SSDEEP

24576:CyeiDORu08MXvlRVDaMlGhfPhgjsp5tBB/W/sbrEzk3Xse:pdD8u082rdtQJPhtp57B+sbwK

Score

10^/10

mystic redline kedru infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kedru

77.91.124.86:19084

Signatures

Detect Mystic stealer payload 3 IoCs

Processes:

resource	yara_rule
behavioral8/memory/4280-35-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral8/memory/4280-37-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral8/memory/4280-39-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Fj551Ah.exe	family_redline
behavioral8/memory/3252-42-0x0000000000900000-0x000000000093C000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

Processes:

NI8gQ6WV.exexe1JA4kA.exetC3Xn1MV.exeLG8dA8SQ.exe1Az08BC2.exe2Fj551Ah.exe

pid process

3232 NI8gQ6WV.exe
1668 xe1JA4kA.exe
1176 tC3Xn1MV.exe
1500 LG8dA8SQ.exe
3308 1Az08BC2.exe
3252 2Fj551Ah.exe

pid	process
3232	NI8gQ6WV.exe
1668	xe1JA4kA.exe
1176	tC3Xn1MV.exe
1500	LG8dA8SQ.exe
3308	1Az08BC2.exe
3252	2Fj551Ah.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

tC3Xn1MV.exeLG8dA8SQ.exe88242c8054974baa356b72df09969ef7d9d50033497a8ec162fab5103a16aa22.exeNI8gQ6WV.exexe1JA4kA.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	tC3Xn1MV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	LG8dA8SQ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	88242c8054974baa356b72df09969ef7d9d50033497a8ec162fab5103a16aa22.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	NI8gQ6WV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	xe1JA4kA.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

1Az08BC2.exe

description pid process target process

PID 3308 set thread context of 4280 3308 1Az08BC2.exe AppLaunch.exe

description	pid	process	target process
PID 3308 set thread context of 4280	3308	1Az08BC2.exe	AppLaunch.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

88242c8054974baa356b72df09969ef7d9d50033497a8ec162fab5103a16aa22.exeNI8gQ6WV.exexe1JA4kA.exetC3Xn1MV.exeLG8dA8SQ.exe1Az08BC2.exe

description	pid	process	target process
PID 3688 wrote to memory of 3232	3688	88242c8054974baa356b72df09969ef7d9d50033497a8ec162fab5103a16aa22.exe	NI8gQ6WV.exe
PID 3688 wrote to memory of 3232	3688	88242c8054974baa356b72df09969ef7d9d50033497a8ec162fab5103a16aa22.exe	NI8gQ6WV.exe
PID 3688 wrote to memory of 3232	3688	88242c8054974baa356b72df09969ef7d9d50033497a8ec162fab5103a16aa22.exe	NI8gQ6WV.exe
PID 3232 wrote to memory of 1668	3232	NI8gQ6WV.exe	xe1JA4kA.exe
PID 3232 wrote to memory of 1668	3232	NI8gQ6WV.exe	xe1JA4kA.exe
PID 3232 wrote to memory of 1668	3232	NI8gQ6WV.exe	xe1JA4kA.exe
PID 1668 wrote to memory of 1176	1668	xe1JA4kA.exe	tC3Xn1MV.exe
PID 1668 wrote to memory of 1176	1668	xe1JA4kA.exe	tC3Xn1MV.exe
PID 1668 wrote to memory of 1176	1668	xe1JA4kA.exe	tC3Xn1MV.exe
PID 1176 wrote to memory of 1500	1176	tC3Xn1MV.exe	LG8dA8SQ.exe
PID 1176 wrote to memory of 1500	1176	tC3Xn1MV.exe	LG8dA8SQ.exe
PID 1176 wrote to memory of 1500	1176	tC3Xn1MV.exe	LG8dA8SQ.exe
PID 1500 wrote to memory of 3308	1500	LG8dA8SQ.exe	1Az08BC2.exe
PID 1500 wrote to memory of 3308	1500	LG8dA8SQ.exe	1Az08BC2.exe
PID 1500 wrote to memory of 3308	1500	LG8dA8SQ.exe	1Az08BC2.exe
PID 3308 wrote to memory of 4280	3308	1Az08BC2.exe	AppLaunch.exe
PID 3308 wrote to memory of 4280	3308	1Az08BC2.exe	AppLaunch.exe
PID 3308 wrote to memory of 4280	3308	1Az08BC2.exe	AppLaunch.exe
PID 3308 wrote to memory of 4280	3308	1Az08BC2.exe	AppLaunch.exe
PID 3308 wrote to memory of 4280	3308	1Az08BC2.exe	AppLaunch.exe
PID 3308 wrote to memory of 4280	3308	1Az08BC2.exe	AppLaunch.exe
PID 3308 wrote to memory of 4280	3308	1Az08BC2.exe	AppLaunch.exe
PID 3308 wrote to memory of 4280	3308	1Az08BC2.exe	AppLaunch.exe
PID 3308 wrote to memory of 4280	3308	1Az08BC2.exe	AppLaunch.exe
PID 3308 wrote to memory of 4280	3308	1Az08BC2.exe	AppLaunch.exe
PID 1500 wrote to memory of 3252	1500	LG8dA8SQ.exe	2Fj551Ah.exe
PID 1500 wrote to memory of 3252	1500	LG8dA8SQ.exe	2Fj551Ah.exe
PID 1500 wrote to memory of 3252	1500	LG8dA8SQ.exe	2Fj551Ah.exe

C:\Users\Admin\AppData\Local\Temp\88242c8054974baa356b72df09969ef7d9d50033497a8ec162fab5103a16aa22.exe
"C:\Users\Admin\AppData\Local\Temp\88242c8054974baa356b72df09969ef7d9d50033497a8ec162fab5103a16aa22.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3688

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NI8gQ6WV.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NI8gQ6WV.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3232

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xe1JA4kA.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xe1JA4kA.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1668

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\tC3Xn1MV.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\tC3Xn1MV.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1176

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\LG8dA8SQ.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\LG8dA8SQ.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1500

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Az08BC2.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Az08BC2.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3308

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
PID:4280

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Fj551Ah.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Fj551Ah.exe
6⤵
- Executes dropped EXE
PID:3252

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NI8gQ6WV.exe
Filesize
1.3MB

MD5
385eddc490abbb1403bdb0b088fc5a62

SHA1
0f43a06fe1da97a9e6dd23d242af0b54bdf037ee

SHA256
95345db80310af6d8adfb70f1305af90153f1e2d46dfe2cadd377c74c78de4fe

SHA512
a197aa3bf7879b8279272cdc281749b13ca6ec3fec76a86371568a27a8b5b3fa129f76fadfa52b49c746f16972a7db059245f4c71d91468b1077413a02bb5899

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xe1JA4kA.exe
Filesize
1.1MB

MD5
0eb5f52cdf04ac06a27d5677584933eb

SHA1
539c21b449bb442faad0ed6f2822eb4a32ec4b09

SHA256
614f8804c48d862b18aec7a141268d4f1060f3789a2e7b0c08ca301226901985

SHA512
e4f94d8315a212b0e7eb452a916621d2e155766f60c79518623d0b867b8b3ba570d22ee8185dcef228ddd37cd0b609c444772595927fc72c4159d6fbe3e55cb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\tC3Xn1MV.exe
Filesize
753KB

MD5
b4b866b9bc0ca3184ee225896e747640

SHA1
11dfdd4d8741ef706932dd8fbd2988fda783b15c

SHA256
d676553313491e8fa802aa37a6cd4db6383ca73dd050aba7ebd05b4cdf2968aa

SHA512
33579cc0a283d467b37b22a5777a71b045d5e2b11df295d409901b9813f4429174e625994a844124428bb59612924067d70730f5ac1d588bdead9d088e081809

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\LG8dA8SQ.exe
Filesize
558KB

MD5
aab7b3919093711ca79bb8da97e5e146

SHA1
8dd90dda3e69682c41d771a0cfe64b050d3bece4

SHA256
a34840fe2fed16e4837a7226b63cf79d6c602750242e5c14e996b157fd082417

SHA512
6ede531f12b7e59426318e647de4b442c3fe727d7d923a1ddaed32ba8558180a38436bad83bd7eb7a24a0778497dd115b0a024d71b2835a9023a9ab71fe01ea0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Az08BC2.exe
Filesize
1.0MB

MD5
a52dc630ad952aea92d56525abe49463

SHA1
71fec2ba7b37ff2c11404d8d0dabf5780607e8f8

SHA256
dcf9c6f502f134ba8c70d11bfb1ba4f5549644df1bcb8f5956b509ef05b60a1f

SHA512
66aa1719e65c7649464377d1cbb632709f4e7eb6af914c966fcb495ad40a9a6fb500ad2f1376841e1c5d81362b25115011bcc602dbfa1df8ab511282b71538bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Fj551Ah.exe
Filesize
219KB

MD5
d9ad69bc8b28b6643c219e83403689e1

SHA1
5fdc6f2174bfc18bf55e493631fc7b663c0eb9bb

SHA256
8ac878096fe7104de6a2746d5c5d4f2486ad0a82e2ec231a5b559262caf84733

SHA512
a6e3366ca45f20f91802dda8a7512b9eda1488b0ae52b39e7088f074cd0f0267e6cf891bc7963ce44a31ee48cd985b0f0a7db741a4b7d121467c2251c52e7581

Download Submit
memory/3252-45-0x0000000002C70000-0x0000000002C7A000-memory.dmp

Filesize
40KB

Download
memory/3252-42-0x0000000000900000-0x000000000093C000-memory.dmp

Filesize
240KB

Download
memory/3252-43-0x0000000007BD0000-0x0000000008174000-memory.dmp

Filesize
5.6MB

Download
memory/3252-44-0x00000000076C0000-0x0000000007752000-memory.dmp

Filesize
584KB

Download
memory/3252-46-0x00000000087A0000-0x0000000008DB8000-memory.dmp

Filesize
6.1MB

Download
memory/3252-47-0x0000000008180000-0x000000000828A000-memory.dmp

Filesize
1.0MB

Download
memory/3252-48-0x00000000077B0000-0x00000000077C2000-memory.dmp

Filesize
72KB

Download
memory/3252-49-0x0000000007930000-0x000000000796C000-memory.dmp

Filesize
240KB

Download
memory/3252-50-0x00000000077E0000-0x000000000782C000-memory.dmp

Filesize
304KB

Download
memory/4280-37-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4280-39-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4280-35-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download