mystic | 9874024432d4a4dc4017d0ebf9773eaea78b9aea747dfbe995938af4b572eb38

Analysis

max time kernel
146s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 10:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6e839edc16582f1c2d53d777f08720f69ec875a29be62c7adf21eaa0b7b302b0.exe
Size

1.5MB
MD5

d2112cdc189a119c9bd4e3cf5a8f5a7c
SHA1

e71798987b95e1e59bebb835653dfe6cdb6ee122
SHA256

6e839edc16582f1c2d53d777f08720f69ec875a29be62c7adf21eaa0b7b302b0
SHA512

966fb8bc4211c540eecddcba68b9bac4be7977ef1525a657289bb0bc8234b1e94933ed8d9a8a2e0bd54fbfd370ff9d1222f1bca0931522a2c8193c7a3ccf7122
SSDEEP

24576:QyticKpXK7wbmja4ZFH5Nz9OTdB+7AF4lDK76GeZWsrF115xJ49JEvOcFU/+:XtiGkbSZFH5FkTu7XELCD15xyHEGcF

Score

10^/10

mystic redline kedru infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kedru

77.91.124.86:19084

Signatures

Detect Mystic stealer payload 3 IoCs

Processes:

resource	yara_rule
behavioral11/memory/3096-35-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral11/memory/3096-36-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral11/memory/3096-38-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2ZZ316xY.exe	family_redline
behavioral11/memory/2644-42-0x0000000000E10000-0x0000000000E4C000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

Processes:

BW0Rk5fY.exehh7ff3lX.exeru3tu8sp.exeFM8Ef9UM.exe1wl76zD0.exe2ZZ316xY.exe

pid process

4152 BW0Rk5fY.exe
3544 hh7ff3lX.exe
692 ru3tu8sp.exe
3604 FM8Ef9UM.exe
4848 1wl76zD0.exe
2644 2ZZ316xY.exe

pid	process
4152	BW0Rk5fY.exe
3544	hh7ff3lX.exe
692	ru3tu8sp.exe
3604	FM8Ef9UM.exe
4848	1wl76zD0.exe
2644	2ZZ316xY.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

hh7ff3lX.exeru3tu8sp.exeFM8Ef9UM.exe6e839edc16582f1c2d53d777f08720f69ec875a29be62c7adf21eaa0b7b302b0.exeBW0Rk5fY.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	hh7ff3lX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	ru3tu8sp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	FM8Ef9UM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	6e839edc16582f1c2d53d777f08720f69ec875a29be62c7adf21eaa0b7b302b0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	BW0Rk5fY.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

1wl76zD0.exe

description pid process target process

PID 4848 set thread context of 3096 4848 1wl76zD0.exe AppLaunch.exe

description	pid	process	target process
PID 4848 set thread context of 3096	4848	1wl76zD0.exe	AppLaunch.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

6e839edc16582f1c2d53d777f08720f69ec875a29be62c7adf21eaa0b7b302b0.exeBW0Rk5fY.exehh7ff3lX.exeru3tu8sp.exeFM8Ef9UM.exe1wl76zD0.exe

description	pid	process	target process
PID 3220 wrote to memory of 4152	3220	6e839edc16582f1c2d53d777f08720f69ec875a29be62c7adf21eaa0b7b302b0.exe	BW0Rk5fY.exe
PID 3220 wrote to memory of 4152	3220	6e839edc16582f1c2d53d777f08720f69ec875a29be62c7adf21eaa0b7b302b0.exe	BW0Rk5fY.exe
PID 3220 wrote to memory of 4152	3220	6e839edc16582f1c2d53d777f08720f69ec875a29be62c7adf21eaa0b7b302b0.exe	BW0Rk5fY.exe
PID 4152 wrote to memory of 3544	4152	BW0Rk5fY.exe	hh7ff3lX.exe
PID 4152 wrote to memory of 3544	4152	BW0Rk5fY.exe	hh7ff3lX.exe
PID 4152 wrote to memory of 3544	4152	BW0Rk5fY.exe	hh7ff3lX.exe
PID 3544 wrote to memory of 692	3544	hh7ff3lX.exe	ru3tu8sp.exe
PID 3544 wrote to memory of 692	3544	hh7ff3lX.exe	ru3tu8sp.exe
PID 3544 wrote to memory of 692	3544	hh7ff3lX.exe	ru3tu8sp.exe
PID 692 wrote to memory of 3604	692	ru3tu8sp.exe	FM8Ef9UM.exe
PID 692 wrote to memory of 3604	692	ru3tu8sp.exe	FM8Ef9UM.exe
PID 692 wrote to memory of 3604	692	ru3tu8sp.exe	FM8Ef9UM.exe
PID 3604 wrote to memory of 4848	3604	FM8Ef9UM.exe	1wl76zD0.exe
PID 3604 wrote to memory of 4848	3604	FM8Ef9UM.exe	1wl76zD0.exe
PID 3604 wrote to memory of 4848	3604	FM8Ef9UM.exe	1wl76zD0.exe
PID 4848 wrote to memory of 3096	4848	1wl76zD0.exe	AppLaunch.exe
PID 4848 wrote to memory of 3096	4848	1wl76zD0.exe	AppLaunch.exe
PID 4848 wrote to memory of 3096	4848	1wl76zD0.exe	AppLaunch.exe
PID 4848 wrote to memory of 3096	4848	1wl76zD0.exe	AppLaunch.exe
PID 4848 wrote to memory of 3096	4848	1wl76zD0.exe	AppLaunch.exe
PID 4848 wrote to memory of 3096	4848	1wl76zD0.exe	AppLaunch.exe
PID 4848 wrote to memory of 3096	4848	1wl76zD0.exe	AppLaunch.exe
PID 4848 wrote to memory of 3096	4848	1wl76zD0.exe	AppLaunch.exe
PID 4848 wrote to memory of 3096	4848	1wl76zD0.exe	AppLaunch.exe
PID 4848 wrote to memory of 3096	4848	1wl76zD0.exe	AppLaunch.exe
PID 3604 wrote to memory of 2644	3604	FM8Ef9UM.exe	2ZZ316xY.exe
PID 3604 wrote to memory of 2644	3604	FM8Ef9UM.exe	2ZZ316xY.exe
PID 3604 wrote to memory of 2644	3604	FM8Ef9UM.exe	2ZZ316xY.exe

C:\Users\Admin\AppData\Local\Temp\6e839edc16582f1c2d53d777f08720f69ec875a29be62c7adf21eaa0b7b302b0.exe
"C:\Users\Admin\AppData\Local\Temp\6e839edc16582f1c2d53d777f08720f69ec875a29be62c7adf21eaa0b7b302b0.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3220
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BW0Rk5fY.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BW0Rk5fY.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4152
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\hh7ff3lX.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\hh7ff3lX.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3544
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ru3tu8sp.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ru3tu8sp.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:692
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\FM8Ef9UM.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\FM8Ef9UM.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:3604
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1wl76zD0.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1wl76zD0.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4848
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:3096
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2ZZ316xY.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2ZZ316xY.exe
        6⤵
        Executes dropped EXE
        
        PID:2644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BW0Rk5fY.exe

Filesize
1.3MB

MD5
4e2fd2cf972dfe9a188250efc5685978

SHA1
421bda5b30739ca4399a9604fdf663660a8a9001

SHA256
93bd200c6e6dab485b22c608b033767aef36f62ab03a9a1de07e9be8dbd2b0fd

SHA512
261866d14aebea4d02ddec0cdde4ca91f432f38f4b397505813fbe1bdf9d23cdcab496a041687ced3e73667d4f4fb8d07bd3db9c628407515ea8c5a4301c45e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\hh7ff3lX.exe

Filesize
1.1MB

MD5
11168fad35c2f4f5aa43f3716867f800

SHA1
ead3272f10a39e1797402a9e0d6436cc4627503d

SHA256
e00c69f5eb2f4921cbc0b0b3e45e8842070977ef3abe31e1548a6b2c4ba34f00

SHA512
599af17e6b9a940dbfdddfb62962fb3603f8e780d05bb6d57c03bef701e9dc3b15cb93b5ef0889c722b6443a565c2229de3ad4fe66dbe16a405c4b3c3dca5d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ru3tu8sp.exe

Filesize
753KB

MD5
4ba954b35149b0678fce0f391e1f0705

SHA1
8e32ff5055f9bf33adad410ce05694f4efd03c15

SHA256
7464c432da4d8e7eaf492c18c49a749abe035faffc4f04f4552e8a04fb52eb09

SHA512
4b93006f8dac5d25a8f37a15ac400984b74c7a7d55a16ce85d80c509a360a652b237e328d8057072cc422a6b3008e634e6ceda2eb599b3df61361a12f750d719

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\FM8Ef9UM.exe

Filesize
558KB

MD5
350f212746bbeaf863e0063865e72d36

SHA1
833454e4723fa2b275d049c1db1b43891b52ef0d

SHA256
bf805f52508519f138c3df4deb0bccd40261bb9614208ff7eb774fafb0fd6932

SHA512
210cfa2506706885cc7d8e1a7c95c7846ccd7d950ea92b289cc1249231eceb0b9176d5ba5a8d21825c4af7fc2ca665d95436a9733105238de63b62b52bee4e25

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1wl76zD0.exe

Filesize
1.0MB

MD5
523d76045f22339917aefe41ae41704f

SHA1
c54275d9530f379b9abc267e2a9a6f9505aaa8cb

SHA256
a86f5864d693e97e75af0819271ca3ef71e7a63992ba9a63d0b21a6f2ccc15de

SHA512
cc8ef724f9eb2c9ff4c18a116d233e9380be69772536887cf95500aa2311f79d482cd176ef1b954079f181275485d9ea550bad0885b1f82e14ca05f9ca5a8d1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2ZZ316xY.exe

Filesize
219KB

MD5
146f2e7de71760385abff3da409fa82a

SHA1
428b9ea9a89f33aaa18da75b2bc65e634b1e9276

SHA256
59c7f2bd4c0f06819b9b46ff73323405f1b098a54a502cd348bfd9a9f6b3604d

SHA512
2beff7dd19908475b18b2ed1e6615adf575fb498d70bb17b48683004928eb349f685de7df21d1d56bcd0b77787e59924b66b0d11dca87b41f1b7987ea96084f0

Download Submit
memory/2644-42-0x0000000000E10000-0x0000000000E4C000-memory.dmp

Filesize
240KB

Download
memory/2644-43-0x0000000008090000-0x0000000008634000-memory.dmp

Filesize
5.6MB

Download
memory/2644-44-0x0000000007BD0000-0x0000000007C62000-memory.dmp

Filesize
584KB

Download
memory/2644-45-0x00000000051A0000-0x00000000051AA000-memory.dmp

Filesize
40KB

Download
memory/2644-46-0x0000000008C60000-0x0000000009278000-memory.dmp

Filesize
6.1MB

Download
memory/2644-47-0x0000000007EB0000-0x0000000007FBA000-memory.dmp

Filesize
1.0MB

Download
memory/2644-48-0x0000000007DD0000-0x0000000007DE2000-memory.dmp

Filesize
72KB

Download
memory/2644-49-0x0000000007E30000-0x0000000007E6C000-memory.dmp

Filesize
240KB

Download
memory/2644-50-0x0000000007FC0000-0x000000000800C000-memory.dmp

Filesize
304KB

Download
memory/3096-36-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3096-38-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3096-35-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download