mystic | dcf4e78aa4f4a43375e6c66a708f11e84986bd1f7bacc1564324e028fcba76f4

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 10:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d12b0975bf0eb912d5ace8ceb5f38f447f87b501a227b5fd3273e9392afb0c82.exe
Size

1.4MB
MD5

d124366ab9ab93de3da5489c9ea6b92d
SHA1

cd39f187e6df38d35d54e3015e8d4a75bcee4ecb
SHA256

d12b0975bf0eb912d5ace8ceb5f38f447f87b501a227b5fd3273e9392afb0c82
SHA512

dbfe9497d6b5bd6fef782e3d42e4b4927fb0007c3def129bc96efbe9e065dbce5043dcd72f11c178ee2bc92c93792ed9d705e8984f511a9a475c9c78dad278d9
SSDEEP

24576:FyYD7grTJKqXHTw/ruN4HY5+siC6DjwwuDs0jba+rR:g27grXXoruN4HY5qC6fY

Score

10^/10

mystic redline kedru infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kedru

77.91.124.86:19084

Signatures

Detect Mystic stealer payload 3 IoCs

resource	yara_rule
behavioral17/memory/1888-24-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral17/memory/1888-22-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral17/memory/1888-21-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral17/files/0x0007000000023443-26.dat	family_redline
behavioral17/memory/1544-28-0x0000000000360000-0x000000000039C000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

pid	Process
1184	by9uy1Kp.exe
2568	du4KX6Mc.exe
2116	1Ol30Wo6.exe
1544	2iL175Ul.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	by9uy1Kp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	du4KX6Mc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	d12b0975bf0eb912d5ace8ceb5f38f447f87b501a227b5fd3273e9392afb0c82.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2116 set thread context of 1888	2116	1Ol30Wo6.exe	87

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1516 wrote to memory of 1184	1516	d12b0975bf0eb912d5ace8ceb5f38f447f87b501a227b5fd3273e9392afb0c82.exe	83
PID 1516 wrote to memory of 1184	1516	d12b0975bf0eb912d5ace8ceb5f38f447f87b501a227b5fd3273e9392afb0c82.exe	83
PID 1516 wrote to memory of 1184	1516	d12b0975bf0eb912d5ace8ceb5f38f447f87b501a227b5fd3273e9392afb0c82.exe	83
PID 1184 wrote to memory of 2568	1184	by9uy1Kp.exe	84
PID 1184 wrote to memory of 2568	1184	by9uy1Kp.exe	84
PID 1184 wrote to memory of 2568	1184	by9uy1Kp.exe	84
PID 2568 wrote to memory of 2116	2568	du4KX6Mc.exe	85
PID 2568 wrote to memory of 2116	2568	du4KX6Mc.exe	85
PID 2568 wrote to memory of 2116	2568	du4KX6Mc.exe	85
PID 2116 wrote to memory of 1888	2116	1Ol30Wo6.exe	87
PID 2116 wrote to memory of 1888	2116	1Ol30Wo6.exe	87
PID 2116 wrote to memory of 1888	2116	1Ol30Wo6.exe	87
PID 2116 wrote to memory of 1888	2116	1Ol30Wo6.exe	87
PID 2116 wrote to memory of 1888	2116	1Ol30Wo6.exe	87
PID 2116 wrote to memory of 1888	2116	1Ol30Wo6.exe	87
PID 2116 wrote to memory of 1888	2116	1Ol30Wo6.exe	87
PID 2116 wrote to memory of 1888	2116	1Ol30Wo6.exe	87
PID 2116 wrote to memory of 1888	2116	1Ol30Wo6.exe	87
PID 2116 wrote to memory of 1888	2116	1Ol30Wo6.exe	87
PID 2568 wrote to memory of 1544	2568	du4KX6Mc.exe	89
PID 2568 wrote to memory of 1544	2568	du4KX6Mc.exe	89
PID 2568 wrote to memory of 1544	2568	du4KX6Mc.exe	89

C:\Users\Admin\AppData\Local\Temp\d12b0975bf0eb912d5ace8ceb5f38f447f87b501a227b5fd3273e9392afb0c82.exe
"C:\Users\Admin\AppData\Local\Temp\d12b0975bf0eb912d5ace8ceb5f38f447f87b501a227b5fd3273e9392afb0c82.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1516
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\by9uy1Kp.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\by9uy1Kp.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1184
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\du4KX6Mc.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\du4KX6Mc.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2568
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Ol30Wo6.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Ol30Wo6.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:2116
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        
        PID:1888
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2iL175Ul.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2iL175Ul.exe
      4⤵
      Executes dropped EXE
      PID:1544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\by9uy1Kp.exe

Filesize
883KB

MD5
cacff1bfd5a58b755bfb91d01081e313

SHA1
14d4cda5c48bbeda9f70f1972755eb4491a659e5

SHA256
285d1f8fc6ac0268b89ed02efdb2ca003c1b42cf7b9044f0e42d607ea427ff01

SHA512
f44b399f3ac7feae9081d7f904b1015509d4eb69d897b121b91426f30dc0347f9d3a07c83379f85e8b95d66e324ed115b8e144609a61896a0185ca20eef28747

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\du4KX6Mc.exe

Filesize
688KB

MD5
6e05410183bca3ea452bf9be21c2283b

SHA1
daf1178aca56501466db03205df0d9f97447c595

SHA256
dbf088733a32df648074ace70313270001b2a6ce9e8104d07290d3ec1f9cad1d

SHA512
cd02f6615f81a9ab73ee592054ead21decc837b70ab19cda9d7613f1406e0e6f958c30aff814d63adb0f10e3067b6ba2ccc53cc8dd44f112afadc4fb79d15ad5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Ol30Wo6.exe

Filesize
1.8MB

MD5
289a8a1fcea2aab512525952079144a2

SHA1
2f218631b4b73038054f4a1f79b722b9690cbd20

SHA256
cd97bca94e07999d1619f6e2b76a56a2dd4baaa42a65e8963f745e060d8563ea

SHA512
41b4da4f6f73eaece06522c08525ed3cfa0207326b2e3e6c472ab6f1383e7b4cf290a967965f1646d5a4891f955056814776041f6ade7b051a7a3b6e3c2c4880

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2iL175Ul.exe

Filesize
219KB

MD5
7efee2e95ca7583bfa875c6e0fa08977

SHA1
70f55fd47841deeffed18eb14d65c7b76cf0ae26

SHA256
7788a401ca11a36b420b6e77e3aba65289f71f2ab7e8cf2b2ba39c3277cb9b70

SHA512
c896b5d873ff9ce6a7f662408e67fdfa024c0ef951c380795818042289e4e0f61d840d613a3f81824a807dc879d4c9a20d427a5b4d505295a1975373aa2d2343

Download Submit
memory/1544-34-0x0000000007320000-0x0000000007332000-memory.dmp

Filesize
72KB

Download
memory/1544-28-0x0000000000360000-0x000000000039C000-memory.dmp

Filesize
240KB

Download
memory/1544-29-0x00000000075B0000-0x0000000007B54000-memory.dmp

Filesize
5.6MB

Download
memory/1544-30-0x00000000070E0000-0x0000000007172000-memory.dmp

Filesize
584KB

Download
memory/1544-31-0x0000000002700000-0x000000000270A000-memory.dmp

Filesize
40KB

Download
memory/1544-32-0x0000000008180000-0x0000000008798000-memory.dmp

Filesize
6.1MB

Download
memory/1544-35-0x0000000007380000-0x00000000073BC000-memory.dmp

Filesize
240KB

Download
memory/1544-33-0x00000000073F0000-0x00000000074FA000-memory.dmp

Filesize
1.0MB

Download
memory/1544-36-0x0000000007500000-0x000000000754C000-memory.dmp

Filesize
304KB

Download
memory/1888-22-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1888-21-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1888-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads