mystic | 4b8426608d129065454fb59979cb7863e9b221d10a94bf05a1dddf8807d50656

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24/05/2024, 10:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f3bbfb34efdda08027f33e680ee6274325d4986f57ea83d34517fef7abd65b1c.exe
Size

843KB
MD5

46a6de119fb7256f7b36b70546344387
SHA1

804612a43e20322bf716a5216acb850eaad6e4a9
SHA256

f3bbfb34efdda08027f33e680ee6274325d4986f57ea83d34517fef7abd65b1c
SHA512

73c0537f973210d5a5e882ed55fb19a9af7cc0dc7af39bcb217d6fbc6a8f6cffc542d50c34b9a88a74846147d414a511d9ef3f4330cc819f140e2fa6f4be38d9
SSDEEP

24576:oyivJjEUyx3voeZA+GMGA9NSm/b7XAh5vE0f:v9tx3vtAnMdNas0

Score

10^/10

mystic redline kukish infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kukish

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral22/memory/808-21-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral22/memory/808-25-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral22/memory/808-23-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral22/memory/808-22-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral22/files/0x0007000000023427-27.dat	family_redline
behavioral22/memory/4236-29-0x00000000002B0000-0x00000000002EE000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

pid	Process
3692	Se5Ab9Fb.exe
3144	SM9dc2Wm.exe
668	1lN98Qa3.exe
4236	2Qi161ee.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	f3bbfb34efdda08027f33e680ee6274325d4986f57ea83d34517fef7abd65b1c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Se5Ab9Fb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	SM9dc2Wm.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 668 set thread context of 808	668	1lN98Qa3.exe	102

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1920 wrote to memory of 3692	1920	f3bbfb34efdda08027f33e680ee6274325d4986f57ea83d34517fef7abd65b1c.exe	83
PID 1920 wrote to memory of 3692	1920	f3bbfb34efdda08027f33e680ee6274325d4986f57ea83d34517fef7abd65b1c.exe	83
PID 1920 wrote to memory of 3692	1920	f3bbfb34efdda08027f33e680ee6274325d4986f57ea83d34517fef7abd65b1c.exe	83
PID 3692 wrote to memory of 3144	3692	Se5Ab9Fb.exe	84
PID 3692 wrote to memory of 3144	3692	Se5Ab9Fb.exe	84
PID 3692 wrote to memory of 3144	3692	Se5Ab9Fb.exe	84
PID 3144 wrote to memory of 668	3144	SM9dc2Wm.exe	85
PID 3144 wrote to memory of 668	3144	SM9dc2Wm.exe	85
PID 3144 wrote to memory of 668	3144	SM9dc2Wm.exe	85
PID 668 wrote to memory of 808	668	1lN98Qa3.exe	102
PID 668 wrote to memory of 808	668	1lN98Qa3.exe	102
PID 668 wrote to memory of 808	668	1lN98Qa3.exe	102
PID 668 wrote to memory of 808	668	1lN98Qa3.exe	102
PID 668 wrote to memory of 808	668	1lN98Qa3.exe	102
PID 668 wrote to memory of 808	668	1lN98Qa3.exe	102
PID 668 wrote to memory of 808	668	1lN98Qa3.exe	102
PID 668 wrote to memory of 808	668	1lN98Qa3.exe	102
PID 668 wrote to memory of 808	668	1lN98Qa3.exe	102
PID 668 wrote to memory of 808	668	1lN98Qa3.exe	102
PID 3144 wrote to memory of 4236	3144	SM9dc2Wm.exe	103
PID 3144 wrote to memory of 4236	3144	SM9dc2Wm.exe	103
PID 3144 wrote to memory of 4236	3144	SM9dc2Wm.exe	103

C:\Users\Admin\AppData\Local\Temp\f3bbfb34efdda08027f33e680ee6274325d4986f57ea83d34517fef7abd65b1c.exe
"C:\Users\Admin\AppData\Local\Temp\f3bbfb34efdda08027f33e680ee6274325d4986f57ea83d34517fef7abd65b1c.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1920
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Se5Ab9Fb.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Se5Ab9Fb.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3692
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\SM9dc2Wm.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\SM9dc2Wm.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3144
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1lN98Qa3.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1lN98Qa3.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:668
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        
        PID:808
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2Qi161ee.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2Qi161ee.exe
      4⤵
      Executes dropped EXE
      PID:4236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Se5Ab9Fb.exe

Filesize
593KB

MD5
04d2f998e3c78e80cce8609f79ee899b

SHA1
72c1fd7e24402b1058bd78bc2d1f38fb8e1a02eb

SHA256
882c4f72dbbf94af8121e976f60da95b09ce0f67eb2f61b2cacacac0848d3b24

SHA512
a11d2e0e31f5ae64b6be6f8ff71d5981bf3946826144cf0071fa8312bb199a3c4d95c9c31f068d4efb5c98656c34763b8f05eb06f93de383301add61dd04b870

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\SM9dc2Wm.exe

Filesize
398KB

MD5
ed74b7d2f38d02fe700050c99cb36a34

SHA1
9f70de79d4c634a25084fc9258f662f455c392ef

SHA256
8a67009aae3c7621d7596d8b67ce830d1f119d507f015725acd529d51e18bba6

SHA512
877f5247d1961be2cb112552e831a4a3bd3e707e3475cb85d240d16e4d080e9a45d96e798699b13c4b3d5a517cff904df1c607a40aa559abbaf16d5802eca291

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1lN98Qa3.exe

Filesize
320KB

MD5
23052ce48929f15c04d09f4a3f8da316

SHA1
ffc59e3138ddae8bd1efa5aab5b96bbe1a35cf16

SHA256
7354486fbe8b4cf1c2fa05276c7e1ebdd0b5bab9db10559976ef97c061682874

SHA512
16a174a591fa66dc676eba14cbc22db9e2178798b6afce8492f6a16456666ca9a2f674fb41d0e483ce7b3eb44a99c01ff3b81484470ef33793466e1df825e29a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2Qi161ee.exe

Filesize
222KB

MD5
debf60abc8d2cb6b4857c27c94b729ad

SHA1
b73c9194588637d353904496d07de13f8ff45540

SHA256
6dc7b8ae9f8458ae2314f18860ae62c451a41359dd09f1347ae6da7cafd05aba

SHA512
f8eede70047a7219f335e6b0adef2c871113779c37618c27566d585e7902c82ecda06bed2a962b5f9e704a4fad2394fde158cd6abe0b856690616a0503e5c7b6

Download Submit
memory/808-21-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/808-25-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/808-23-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/808-22-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4236-29-0x00000000002B0000-0x00000000002EE000-memory.dmp

Filesize
248KB

Download
memory/4236-30-0x0000000007690000-0x0000000007C34000-memory.dmp

Filesize
5.6MB

Download
memory/4236-31-0x00000000071C0000-0x0000000007252000-memory.dmp

Filesize
584KB

Download
memory/4236-32-0x00000000047C0000-0x00000000047CA000-memory.dmp

Filesize
40KB

Download
memory/4236-33-0x0000000008260000-0x0000000008878000-memory.dmp

Filesize
6.1MB

Download
memory/4236-34-0x0000000007540000-0x000000000764A000-memory.dmp

Filesize
1.0MB

Download
memory/4236-35-0x00000000072B0000-0x00000000072C2000-memory.dmp

Filesize
72KB

Download
memory/4236-36-0x0000000007430000-0x000000000746C000-memory.dmp

Filesize
240KB

Download
memory/4236-37-0x00000000072E0000-0x000000000732C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads