mystic | dd599a6bab1a1dabfa1fca35b3aa571004102301666e21fec5316076b068ab55

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 10:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c98c961b6fafcd423b7f00c273b1de0344bce9a806fb75483a3ed9f8f686a467.exe
Size

1005KB
MD5

2f7a5b2d59577659c9f080663409717c
SHA1

a98855facd4097093341b6e4f1a896661cf9cbd0
SHA256

c98c961b6fafcd423b7f00c273b1de0344bce9a806fb75483a3ed9f8f686a467
SHA512

ad2c86f149cb756c89a3325526845dfa1b3be20bc5fbc7a2db5bfef1c7910fec36fb1eefb72fbf5fdcfe85e8decac2eb4e02423f8ec9cf6e1db5922ece1b1f72
SSDEEP

24576:7y4fy2UEUYhiAFoXAvwOCP+sy0aX3DcsbrkBoV:u4fy2XUYhiAFpvwvGsy0aX37Hv

Score

10^/10

mystic redline kukish infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kukish

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 3 IoCs

resource	yara_rule
behavioral19/memory/4216-28-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral19/memory/4216-31-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral19/memory/4216-29-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral19/files/0x0007000000023423-33.dat	family_redline
behavioral19/memory/1540-35-0x0000000000D90000-0x0000000000DCE000-memory.dmp	family_redline

Executes dropped EXE 5 IoCs

pid	Process
4012	dB9IQ0Gk.exe
4108	Rt8fE6in.exe
1580	PQ0EJ6ve.exe
1888	1Vw19RJ5.exe
1540	2WE744aS.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	c98c961b6fafcd423b7f00c273b1de0344bce9a806fb75483a3ed9f8f686a467.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	dB9IQ0Gk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Rt8fE6in.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	PQ0EJ6ve.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1888 set thread context of 4216	1888	1Vw19RJ5.exe	90

Program crash 1 IoCs

pid	pid_target	Process	procid_target
660	1888	WerFault.exe	87

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 1952 wrote to memory of 4012	1952	c98c961b6fafcd423b7f00c273b1de0344bce9a806fb75483a3ed9f8f686a467.exe	83
PID 1952 wrote to memory of 4012	1952	c98c961b6fafcd423b7f00c273b1de0344bce9a806fb75483a3ed9f8f686a467.exe	83
PID 1952 wrote to memory of 4012	1952	c98c961b6fafcd423b7f00c273b1de0344bce9a806fb75483a3ed9f8f686a467.exe	83
PID 4012 wrote to memory of 4108	4012	dB9IQ0Gk.exe	84
PID 4012 wrote to memory of 4108	4012	dB9IQ0Gk.exe	84
PID 4012 wrote to memory of 4108	4012	dB9IQ0Gk.exe	84
PID 4108 wrote to memory of 1580	4108	Rt8fE6in.exe	86
PID 4108 wrote to memory of 1580	4108	Rt8fE6in.exe	86
PID 4108 wrote to memory of 1580	4108	Rt8fE6in.exe	86
PID 1580 wrote to memory of 1888	1580	PQ0EJ6ve.exe	87
PID 1580 wrote to memory of 1888	1580	PQ0EJ6ve.exe	87
PID 1580 wrote to memory of 1888	1580	PQ0EJ6ve.exe	87
PID 1888 wrote to memory of 4216	1888	1Vw19RJ5.exe	90
PID 1888 wrote to memory of 4216	1888	1Vw19RJ5.exe	90
PID 1888 wrote to memory of 4216	1888	1Vw19RJ5.exe	90
PID 1888 wrote to memory of 4216	1888	1Vw19RJ5.exe	90
PID 1888 wrote to memory of 4216	1888	1Vw19RJ5.exe	90
PID 1888 wrote to memory of 4216	1888	1Vw19RJ5.exe	90
PID 1888 wrote to memory of 4216	1888	1Vw19RJ5.exe	90
PID 1888 wrote to memory of 4216	1888	1Vw19RJ5.exe	90
PID 1888 wrote to memory of 4216	1888	1Vw19RJ5.exe	90
PID 1888 wrote to memory of 4216	1888	1Vw19RJ5.exe	90
PID 1580 wrote to memory of 1540	1580	PQ0EJ6ve.exe	95
PID 1580 wrote to memory of 1540	1580	PQ0EJ6ve.exe	95
PID 1580 wrote to memory of 1540	1580	PQ0EJ6ve.exe	95

C:\Users\Admin\AppData\Local\Temp\c98c961b6fafcd423b7f00c273b1de0344bce9a806fb75483a3ed9f8f686a467.exe
"C:\Users\Admin\AppData\Local\Temp\c98c961b6fafcd423b7f00c273b1de0344bce9a806fb75483a3ed9f8f686a467.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1952
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dB9IQ0Gk.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dB9IQ0Gk.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4012
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Rt8fE6in.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Rt8fE6in.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4108
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\PQ0EJ6ve.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\PQ0EJ6ve.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1580
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Vw19RJ5.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Vw19RJ5.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1888
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:4216
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1888 -s 584
        6⤵
        Program crash
        
        PID:660
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2WE744aS.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2WE744aS.exe
        5⤵
        Executes dropped EXE
        
        PID:1540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1888 -ip 1888
1⤵
PID:1864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dB9IQ0Gk.exe

Filesize
816KB

MD5
e61438bf50fa379d8f0e046af18e98de

SHA1
6546df9342b8311d4dfbf5a5d220a506b12823ad

SHA256
33f15d26878b06fdf0eae71e0903ab0ef0ba65dd66f0c6466770d3084b7bc53e

SHA512
7548e28433e42d01ad3698b40e8deac2f3d709173f15ab1c65bfb4fec415c09db4f7a3d178a5947e663ef9beb8680f7c26e7700a0dbcf247c71b02b3b3eb9110

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Rt8fE6in.exe

Filesize
582KB

MD5
365bf18802322014427f5a2f557f1fb4

SHA1
a17ee175fec5cf3583e8ff1830b9da866814eed6

SHA256
0b7ac73bf5d443f858cad012b2ea27f732aaf1ff76817c5c9f73e335e7448b10

SHA512
3c7272839c2e7e4bd161176a961a97455761307b688ba2c88c9275b6e64ab6fef7bd73ab9ffa12b0d78a397d4456ab605ee5ee632db4698fdf526b080ed00e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\PQ0EJ6ve.exe

Filesize
382KB

MD5
4c260492495ca9100ad564320bc16fc2

SHA1
1f2d944942167abe9d3209a5f152440c706d13c5

SHA256
a1ec767e15c9691a097496a736e1ec0257f9db125eaed09c15424e6148c649ac

SHA512
0c86b2a0d3b8408706bb350a6ebb0c7ce68f070afbb945cb46338b4b7a870b0f1a047382872b82e5e0c1efba6ab71d8d96ba09192ac54fba0ad8f4f237b9aa0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Vw19RJ5.exe

Filesize
295KB

MD5
fd1675920d36bebbb571ca205273f3ac

SHA1
9122391deaba2d3614223e1418dc4bb39347060d

SHA256
33173d0102492800edf2517658cbc4eddef70f29fab6e34b85996aa6695c944b

SHA512
a65dfe7d1a906f2173b06cb7085f19705ce0c41918fc6919d27e90751bd8fc13ba61e15801833d25c2a6bb574d3403ad34cc85ed40140aa2aa81ae3823f553aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2WE744aS.exe

Filesize
222KB

MD5
fc0ef98d09009bade85c3b93f1b8ced3

SHA1
158800921fb50653b704f64e9bced77a68750a88

SHA256
d34176d2073da06707441675693cf06174b8fa04fd45a1806b09f588cb60e6b3

SHA512
057cbca8e3711f413a0d3e1cfca3f6fc646f471912381c83067329c6a285acbdd23d093218f0c82a8673dce5e18b66702d9ccea0887d73d2f51f28c725a4a9db

Download Submit
memory/1540-39-0x0000000008C50000-0x0000000009268000-memory.dmp

Filesize
6.1MB

Download
memory/1540-35-0x0000000000D90000-0x0000000000DCE000-memory.dmp

Filesize
248KB

Download
memory/1540-36-0x0000000008080000-0x0000000008624000-memory.dmp

Filesize
5.6MB

Download
memory/1540-37-0x0000000007B70000-0x0000000007C02000-memory.dmp

Filesize
584KB

Download
memory/1540-38-0x0000000002FD0000-0x0000000002FDA000-memory.dmp

Filesize
40KB

Download
memory/1540-40-0x0000000008630000-0x000000000873A000-memory.dmp

Filesize
1.0MB

Download
memory/1540-41-0x0000000007C40000-0x0000000007C52000-memory.dmp

Filesize
72KB

Download
memory/1540-42-0x0000000007CE0000-0x0000000007D1C000-memory.dmp

Filesize
240KB

Download
memory/1540-43-0x0000000007C70000-0x0000000007CBC000-memory.dmp

Filesize
304KB

Download
memory/4216-29-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4216-31-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4216-28-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads