mystic | 4b8426608d129065454fb59979cb7863e9b221d10a94bf05a1dddf8807d50656

Analysis

max time kernel
149s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24/05/2024, 10:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e17fa1b4c1940b188c7cdca6098ad239644d59ae3ac75405c11faf08a0699c2e.exe
Size

819KB
MD5

cdb92ed4f80ad1af3433a407fa466fa1
SHA1

175e95f65a3419b18ec55532268662d26b4e72eb
SHA256

e17fa1b4c1940b188c7cdca6098ad239644d59ae3ac75405c11faf08a0699c2e
SHA512

00b10eabe8780be719a647988cad690bc5796b7d57f20964849753a6da230a6ae63c655bb1f4da288caa54f540110d3dbedcbf360c2b7a31d3880930c200d2ec
SSDEEP

24576:syGB/OVfuMjv3yMFmTrIti5gqZKN4jYI:b6OVD9oTe2gqQNiY

Score

10^/10

mystic redline kukish infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kukish

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral20/memory/864-21-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral20/memory/864-22-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral20/memory/864-25-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral20/memory/864-23-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral20/files/0x0007000000023455-26.dat	family_redline
behavioral20/memory/2356-29-0x0000000000840000-0x000000000087E000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

pid	Process
2732	Rm7EP0Ay.exe
1208	ll7mc0TW.exe
1056	1dy17Ol5.exe
2356	2jA995CP.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e17fa1b4c1940b188c7cdca6098ad239644d59ae3ac75405c11faf08a0699c2e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Rm7EP0Ay.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	ll7mc0TW.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1056 set thread context of 864	1056	1dy17Ol5.exe	97

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3908	1056	WerFault.exe	84

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 3040 wrote to memory of 2732	3040	e17fa1b4c1940b188c7cdca6098ad239644d59ae3ac75405c11faf08a0699c2e.exe	82
PID 3040 wrote to memory of 2732	3040	e17fa1b4c1940b188c7cdca6098ad239644d59ae3ac75405c11faf08a0699c2e.exe	82
PID 3040 wrote to memory of 2732	3040	e17fa1b4c1940b188c7cdca6098ad239644d59ae3ac75405c11faf08a0699c2e.exe	82
PID 2732 wrote to memory of 1208	2732	Rm7EP0Ay.exe	83
PID 2732 wrote to memory of 1208	2732	Rm7EP0Ay.exe	83
PID 2732 wrote to memory of 1208	2732	Rm7EP0Ay.exe	83
PID 1208 wrote to memory of 1056	1208	ll7mc0TW.exe	84
PID 1208 wrote to memory of 1056	1208	ll7mc0TW.exe	84
PID 1208 wrote to memory of 1056	1208	ll7mc0TW.exe	84
PID 1056 wrote to memory of 864	1056	1dy17Ol5.exe	97
PID 1056 wrote to memory of 864	1056	1dy17Ol5.exe	97
PID 1056 wrote to memory of 864	1056	1dy17Ol5.exe	97
PID 1056 wrote to memory of 864	1056	1dy17Ol5.exe	97
PID 1056 wrote to memory of 864	1056	1dy17Ol5.exe	97
PID 1056 wrote to memory of 864	1056	1dy17Ol5.exe	97
PID 1056 wrote to memory of 864	1056	1dy17Ol5.exe	97
PID 1056 wrote to memory of 864	1056	1dy17Ol5.exe	97
PID 1056 wrote to memory of 864	1056	1dy17Ol5.exe	97
PID 1056 wrote to memory of 864	1056	1dy17Ol5.exe	97
PID 1208 wrote to memory of 2356	1208	ll7mc0TW.exe	101
PID 1208 wrote to memory of 2356	1208	ll7mc0TW.exe	101
PID 1208 wrote to memory of 2356	1208	ll7mc0TW.exe	101

C:\Users\Admin\AppData\Local\Temp\e17fa1b4c1940b188c7cdca6098ad239644d59ae3ac75405c11faf08a0699c2e.exe
"C:\Users\Admin\AppData\Local\Temp\e17fa1b4c1940b188c7cdca6098ad239644d59ae3ac75405c11faf08a0699c2e.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3040
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rm7EP0Ay.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rm7EP0Ay.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2732
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ll7mc0TW.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ll7mc0TW.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1208
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1dy17Ol5.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1dy17Ol5.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:1056
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        
        PID:864
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1056 -s 556
        5⤵
        Program crash
        
        PID:3908
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2jA995CP.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2jA995CP.exe
      4⤵
      Executes dropped EXE
      PID:2356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1056 -ip 1056
1⤵
PID:516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rm7EP0Ay.exe

Filesize
584KB

MD5
0263d4e41fbb4a723528c286275053c3

SHA1
6813970544159675b2310f602f9e7b5510cf3833

SHA256
37b6882042f0c7ef99e38485f469c476afc09b8bfcfc338bb7b25a51b09f6daa

SHA512
55074b82d24706a8ad57f7fe1279bd7b65f5d7f0790ab738f36ec2edce6d567bdce9219ba0894713601059c9cc72075af71390f2abd5cf545a1bb8a9d6660782

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ll7mc0TW.exe

Filesize
383KB

MD5
107e8943cd467a554ca53583052d60b3

SHA1
44ca8b8d860ab04af0a2a515808fcdc7abfc7c83

SHA256
98b06c140d2ccc1f5b033611d263d2d744c89ae7398539a08f2189772523a778

SHA512
6a812c4b484ab8dbacdf408541477af6a7732fb9ce1f8ebbda9a238994edf56cf9a4f19aae6b2b50d4ab3fe8eb2529674521a852ff7fd09a143ad44ae1f3b5f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1dy17Ol5.exe

Filesize
298KB

MD5
d5b82c62d22c42db4d9e0f748442b2a1

SHA1
3efb5f9a27cf424e2de783db79d6dfa26204489d

SHA256
2e82a58fe10d31b8da6f746789dd03d9d3eade1acb40b0c628d6d3b768b519bf

SHA512
4d8b7fc9355a5e45c512e10b1d7cf018a8432a4d78143001e964189f92507888cebbbd1f20e89078f5b0b1211a41904635165bdd7bd98850206a1b3fe98087d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2jA995CP.exe

Filesize
222KB

MD5
ad6394b9b9cf9418c2e3a4314b8d8650

SHA1
ef9352deb7a0ec5e96a95b84c2622da6bf86890f

SHA256
24725f7b4de42aa50ae6a8dc757cc01362c454736cb724bf926eb0e68638c92a

SHA512
7a6efea906c80505b2906ff8c8cf7e540a6bd813d12130635b8ce26e96b2fc63e9fbcc52671a409ef2c5167d11ab817c6c67fc3e37d95b083d65819fd74f0843

Download Submit
memory/864-21-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/864-22-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/864-25-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/864-23-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2356-29-0x0000000000840000-0x000000000087E000-memory.dmp

Filesize
248KB

Download
memory/2356-30-0x0000000007C60000-0x0000000008204000-memory.dmp

Filesize
5.6MB

Download
memory/2356-31-0x0000000007750000-0x00000000077E2000-memory.dmp

Filesize
584KB

Download
memory/2356-32-0x0000000002BE0000-0x0000000002BEA000-memory.dmp

Filesize
40KB

Download
memory/2356-33-0x0000000008830000-0x0000000008E48000-memory.dmp

Filesize
6.1MB

Download
memory/2356-35-0x0000000007940000-0x0000000007952000-memory.dmp

Filesize
72KB

Download
memory/2356-34-0x0000000007A10000-0x0000000007B1A000-memory.dmp

Filesize
1.0MB

Download
memory/2356-36-0x00000000079A0000-0x00000000079DC000-memory.dmp

Filesize
240KB

Download
memory/2356-37-0x0000000007B20000-0x0000000007B6C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads