mystic | 9874024432d4a4dc4017d0ebf9773eaea78b9aea747dfbe995938af4b572eb38

Analysis

max time kernel
147s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 10:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3fd9e44b8df95e2fb188e6b032b029a961609f7baa7d332929166e71f86e8b84.exe
Size

938KB
MD5

e559bc5e8fecf95110c7a977c73e5bfc
SHA1

cf404a4cb36c334349f810fae25ca2276ecdd1cb
SHA256

3fd9e44b8df95e2fb188e6b032b029a961609f7baa7d332929166e71f86e8b84
SHA512

510d2ddefa82c77f0c6bf1bace04ce06d2c15688dac20597ef6f964670303faa305f53e15d655392cef6f1104d455b2d752fa2f56ef0d778ecdc5ae803197f8c
SSDEEP

24576:lyfjhihl0dK0Ht3tVBJ0CPaKekYkV6HmL3eZ:A1i+K4ZtVBJ0oaK376HmL

Score

10^/10

mystic redline tuxiu infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

tuxiu

77.91.124.82:19071

Attributes

auth_value
29610cdad07e7187eec70685a04b89fe

Signatures

Detect Mystic stealer payload 3 IoCs

Processes:

resource	yara_rule
behavioral8/memory/4600-28-0x0000000000400000-0x000000000042C000-memory.dmp	mystic_family
behavioral8/memory/4600-29-0x0000000000400000-0x000000000042C000-memory.dmp	mystic_family
behavioral8/memory/4600-31-0x0000000000400000-0x000000000042C000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h5402533.exe	family_redline
behavioral8/memory/4852-35-0x0000000000290000-0x00000000002C0000-memory.dmp	family_redline

Executes dropped EXE 5 IoCs

Processes:

x3337561.exex2248185.exex6982654.exeg4840220.exeh5402533.exe

pid process

988 x3337561.exe
1236 x2248185.exe
2640 x6982654.exe
5052 g4840220.exe
4852 h5402533.exe

pid	process
988	x3337561.exe
1236	x2248185.exe
2640	x6982654.exe
5052	g4840220.exe
4852	h5402533.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

3fd9e44b8df95e2fb188e6b032b029a961609f7baa7d332929166e71f86e8b84.exex3337561.exex2248185.exex6982654.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	3fd9e44b8df95e2fb188e6b032b029a961609f7baa7d332929166e71f86e8b84.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x3337561.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x2248185.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x6982654.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

g4840220.exe

description pid process target process

PID 5052 set thread context of 4600 5052 g4840220.exe AppLaunch.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2428 5052 WerFault.exe g4840220.exe

description	pid	process	target process
PID 5052 set thread context of 4600	5052	g4840220.exe	AppLaunch.exe

pid	pid_target	process	target process
2428	5052	WerFault.exe	g4840220.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

3fd9e44b8df95e2fb188e6b032b029a961609f7baa7d332929166e71f86e8b84.exex3337561.exex2248185.exex6982654.exeg4840220.exe

description	pid	process	target process
PID 3580 wrote to memory of 988	3580	3fd9e44b8df95e2fb188e6b032b029a961609f7baa7d332929166e71f86e8b84.exe	x3337561.exe
PID 3580 wrote to memory of 988	3580	3fd9e44b8df95e2fb188e6b032b029a961609f7baa7d332929166e71f86e8b84.exe	x3337561.exe
PID 3580 wrote to memory of 988	3580	3fd9e44b8df95e2fb188e6b032b029a961609f7baa7d332929166e71f86e8b84.exe	x3337561.exe
PID 988 wrote to memory of 1236	988	x3337561.exe	x2248185.exe
PID 988 wrote to memory of 1236	988	x3337561.exe	x2248185.exe
PID 988 wrote to memory of 1236	988	x3337561.exe	x2248185.exe
PID 1236 wrote to memory of 2640	1236	x2248185.exe	x6982654.exe
PID 1236 wrote to memory of 2640	1236	x2248185.exe	x6982654.exe
PID 1236 wrote to memory of 2640	1236	x2248185.exe	x6982654.exe
PID 2640 wrote to memory of 5052	2640	x6982654.exe	g4840220.exe
PID 2640 wrote to memory of 5052	2640	x6982654.exe	g4840220.exe
PID 2640 wrote to memory of 5052	2640	x6982654.exe	g4840220.exe
PID 5052 wrote to memory of 4600	5052	g4840220.exe	AppLaunch.exe
PID 5052 wrote to memory of 4600	5052	g4840220.exe	AppLaunch.exe
PID 5052 wrote to memory of 4600	5052	g4840220.exe	AppLaunch.exe
PID 5052 wrote to memory of 4600	5052	g4840220.exe	AppLaunch.exe
PID 5052 wrote to memory of 4600	5052	g4840220.exe	AppLaunch.exe
PID 5052 wrote to memory of 4600	5052	g4840220.exe	AppLaunch.exe
PID 5052 wrote to memory of 4600	5052	g4840220.exe	AppLaunch.exe
PID 5052 wrote to memory of 4600	5052	g4840220.exe	AppLaunch.exe
PID 5052 wrote to memory of 4600	5052	g4840220.exe	AppLaunch.exe
PID 5052 wrote to memory of 4600	5052	g4840220.exe	AppLaunch.exe
PID 2640 wrote to memory of 4852	2640	x6982654.exe	h5402533.exe
PID 2640 wrote to memory of 4852	2640	x6982654.exe	h5402533.exe
PID 2640 wrote to memory of 4852	2640	x6982654.exe	h5402533.exe

C:\Users\Admin\AppData\Local\Temp\3fd9e44b8df95e2fb188e6b032b029a961609f7baa7d332929166e71f86e8b84.exe
"C:\Users\Admin\AppData\Local\Temp\3fd9e44b8df95e2fb188e6b032b029a961609f7baa7d332929166e71f86e8b84.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3580
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3337561.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3337561.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:988
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2248185.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2248185.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1236
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x6982654.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x6982654.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2640
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g4840220.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g4840220.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:5052
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:4600
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5052 -s 552
        6⤵
        Program crash
        
        PID:2428
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h5402533.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h5402533.exe
        5⤵
        Executes dropped EXE
        
        PID:4852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5052 -ip 5052
1⤵
PID:644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3337561.exe

Filesize
836KB

MD5
01581c32dff9ed6b4633b9293622a97e

SHA1
579c4ff938b5814fec6627b2fdef2a9124cf08fe

SHA256
6fa924311103425ee80592933518ad5b406ad0e867735126e6d48da44e5bc587

SHA512
acba1360b7008220d7925cc20638eb49c9fe2c2304d81320dfbb0567eb5169c9d7a4849dcc4fa06bf577ff4b7386e43b39df770fb7ba881b1c7d89c48c52efc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2248185.exe

Filesize
571KB

MD5
0f2376add40068168ab09e19cd6dec6c

SHA1
0dd404487ebd2c5a042830a12bc82f8ebcd496b0

SHA256
554391374624779dd9f64b5f5828342c4edbee14be957098bc34eac8fb082dca

SHA512
3df6c827870b329446560cc68fe6272d72491ce0fe81dc4188d9cf8ecf5ce49a4f21d160680679ddefb3a8efcb7628a44c73b915ceece4db5d528620b753b6de

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x6982654.exe

Filesize
394KB

MD5
6471272685724fde31be54e3e036e288

SHA1
a777ee955bb2f3a26b6262c3dd6ca8eb57008168

SHA256
a39f6531ac010fa51d77e26b0739297988c592349e2de207fead0e9deacb3c89

SHA512
9150ab137a82b8fe65bc178b9cd8d11ad2633c97e3ef3020c8c84bac214909d8b467509702608ea99bac6cd2f8b7af4b8c81757341dc5918559f65518d4aea84

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g4840220.exe

Filesize
365KB

MD5
777f226b0587861e634cec1ca1fb487e

SHA1
709855bcdc419a75b9a47d196a918a19130fc5a2

SHA256
8d50ea48ca318b4f0c88e207085489020a87cedd6b12f16feea83af849b9f883

SHA512
e11a953e32f244df6f3b7f2cba0c0d0eb1b2cca34103fbc40b33ec2ea3bbc00c2708556df2763205fb73daac910905f2263277dbaec0fb7df6fc83e58a1ffb31

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h5402533.exe

Filesize
174KB

MD5
108091504d79a522f47bdf7ae100a0d7

SHA1
59dfaf24682ff298d1a485413dda41cd02d23ec2

SHA256
295c208946011cfeda2442e88ee1b43220d06447285e54cc95595f2fbff9d8a6

SHA512
772ec1f5b7ebf2b44113084f8917cd96c6086b7f9210c96f309c822510d890766411133e47bbdbcd5c703be1f8892de844ae086f15361a5d9e8c7f3015ffa96f

Download Submit
memory/4600-31-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4600-29-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4600-28-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4852-35-0x0000000000290000-0x00000000002C0000-memory.dmp

Filesize
192KB

Download
memory/4852-36-0x0000000004AB0000-0x0000000004AB6000-memory.dmp

Filesize
24KB

Download
memory/4852-37-0x000000000A5E0000-0x000000000ABF8000-memory.dmp

Filesize
6.1MB

Download
memory/4852-38-0x000000000A100000-0x000000000A20A000-memory.dmp

Filesize
1.0MB

Download
memory/4852-39-0x000000000A040000-0x000000000A052000-memory.dmp

Filesize
72KB

Download
memory/4852-40-0x000000000A0A0000-0x000000000A0DC000-memory.dmp

Filesize
240KB

Download
memory/4852-41-0x0000000002440000-0x000000000248C000-memory.dmp

Filesize
304KB

Download