mystic | 3bad5318d1eadf9f6d544fc5ed49c1e737fb2db130f60b70bab6f26392c87c30

Analysis

max time kernel
145s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 10:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0e5a6d1212e96cbec9340713347cf31edfd53309be8f47f64e346582b70d4ac7.exe
Size

1.4MB
MD5

7837fbac380dc8a10ad779861b8ee3db
SHA1

bf713fc0637bcce4923f8ff4beaf7aa59e3505fd
SHA256

0e5a6d1212e96cbec9340713347cf31edfd53309be8f47f64e346582b70d4ac7
SHA512

b5d95777ce044dddd1c58635130f8fa80ad0ea7f70fa22c5e28e0109c1b531f6f26598bc7518f1bd498439bb8dfbaf248b6eb4f54d6f83bf8b382f8325eadef9
SSDEEP

24576:GyY5vgwLFrmztJHfpp84qup6DeEFO/gZ3Ufui4SyDUkPUYvnbAQsvcl:VYFpRrmLZqup6K2OohHkyDUkPhPbAb

Score

10^/10

mystic redline kukish infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kukish

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3696-28-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral2/memory/3696-33-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral2/memory/3696-31-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2jl963qn.exe	family_redline
behavioral2/memory/2820-35-0x0000000000F50000-0x0000000000F8E000-memory.dmp	family_redline

Executes dropped EXE 5 IoCs

Processes:

Rx7uR3cc.exehb8IT6ep.exeZQ7pG5Oh.exe1yv19qn4.exe2jl963qn.exe

pid process

3948 Rx7uR3cc.exe
3964 hb8IT6ep.exe
1600 ZQ7pG5Oh.exe
3500 1yv19qn4.exe
2820 2jl963qn.exe

pid	process
3948	Rx7uR3cc.exe
3964	hb8IT6ep.exe
1600	ZQ7pG5Oh.exe
3500	1yv19qn4.exe
2820	2jl963qn.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Rx7uR3cc.exehb8IT6ep.exeZQ7pG5Oh.exe0e5a6d1212e96cbec9340713347cf31edfd53309be8f47f64e346582b70d4ac7.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Rx7uR3cc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	hb8IT6ep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	ZQ7pG5Oh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	0e5a6d1212e96cbec9340713347cf31edfd53309be8f47f64e346582b70d4ac7.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

1yv19qn4.exe

description pid process target process

PID 3500 set thread context of 3696 3500 1yv19qn4.exe AppLaunch.exe

description	pid	process	target process
PID 3500 set thread context of 3696	3500	1yv19qn4.exe	AppLaunch.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

0e5a6d1212e96cbec9340713347cf31edfd53309be8f47f64e346582b70d4ac7.exeRx7uR3cc.exehb8IT6ep.exeZQ7pG5Oh.exe1yv19qn4.exe

description	pid	process	target process
PID 3100 wrote to memory of 3948	3100	0e5a6d1212e96cbec9340713347cf31edfd53309be8f47f64e346582b70d4ac7.exe	Rx7uR3cc.exe
PID 3100 wrote to memory of 3948	3100	0e5a6d1212e96cbec9340713347cf31edfd53309be8f47f64e346582b70d4ac7.exe	Rx7uR3cc.exe
PID 3100 wrote to memory of 3948	3100	0e5a6d1212e96cbec9340713347cf31edfd53309be8f47f64e346582b70d4ac7.exe	Rx7uR3cc.exe
PID 3948 wrote to memory of 3964	3948	Rx7uR3cc.exe	hb8IT6ep.exe
PID 3948 wrote to memory of 3964	3948	Rx7uR3cc.exe	hb8IT6ep.exe
PID 3948 wrote to memory of 3964	3948	Rx7uR3cc.exe	hb8IT6ep.exe
PID 3964 wrote to memory of 1600	3964	hb8IT6ep.exe	ZQ7pG5Oh.exe
PID 3964 wrote to memory of 1600	3964	hb8IT6ep.exe	ZQ7pG5Oh.exe
PID 3964 wrote to memory of 1600	3964	hb8IT6ep.exe	ZQ7pG5Oh.exe
PID 1600 wrote to memory of 3500	1600	ZQ7pG5Oh.exe	1yv19qn4.exe
PID 1600 wrote to memory of 3500	1600	ZQ7pG5Oh.exe	1yv19qn4.exe
PID 1600 wrote to memory of 3500	1600	ZQ7pG5Oh.exe	1yv19qn4.exe
PID 3500 wrote to memory of 3696	3500	1yv19qn4.exe	AppLaunch.exe
PID 3500 wrote to memory of 3696	3500	1yv19qn4.exe	AppLaunch.exe
PID 3500 wrote to memory of 3696	3500	1yv19qn4.exe	AppLaunch.exe
PID 3500 wrote to memory of 3696	3500	1yv19qn4.exe	AppLaunch.exe
PID 3500 wrote to memory of 3696	3500	1yv19qn4.exe	AppLaunch.exe
PID 3500 wrote to memory of 3696	3500	1yv19qn4.exe	AppLaunch.exe
PID 3500 wrote to memory of 3696	3500	1yv19qn4.exe	AppLaunch.exe
PID 3500 wrote to memory of 3696	3500	1yv19qn4.exe	AppLaunch.exe
PID 3500 wrote to memory of 3696	3500	1yv19qn4.exe	AppLaunch.exe
PID 3500 wrote to memory of 3696	3500	1yv19qn4.exe	AppLaunch.exe
PID 1600 wrote to memory of 2820	1600	ZQ7pG5Oh.exe	2jl963qn.exe
PID 1600 wrote to memory of 2820	1600	ZQ7pG5Oh.exe	2jl963qn.exe
PID 1600 wrote to memory of 2820	1600	ZQ7pG5Oh.exe	2jl963qn.exe

C:\Users\Admin\AppData\Local\Temp\0e5a6d1212e96cbec9340713347cf31edfd53309be8f47f64e346582b70d4ac7.exe
"C:\Users\Admin\AppData\Local\Temp\0e5a6d1212e96cbec9340713347cf31edfd53309be8f47f64e346582b70d4ac7.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3100

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rx7uR3cc.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rx7uR3cc.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3948

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\hb8IT6ep.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\hb8IT6ep.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3964

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ZQ7pG5Oh.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ZQ7pG5Oh.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1600

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1yv19qn4.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1yv19qn4.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3500

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
6⤵
PID:3696

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2jl963qn.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2jl963qn.exe
5⤵
- Executes dropped EXE
PID:2820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rx7uR3cc.exe

Filesize
1.2MB

MD5
476397827e784f4cf869773bab5e8a57

SHA1
e45d68eab78dbf4b9447260e9b5cf92f2b490d94

SHA256
c8c7dcca3891aa04ec22235f165a40e10827b94c5cdda5e3e7981a1f51f30561

SHA512
6ec27175f067b564e2c2a9301de4ad2a0efec3d921a6ea72f1304bf046b1ab37cd0519ea5f9e389c6187a444a3177bae3902ba37db9e025e96330e4e98686c84

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\hb8IT6ep.exe

Filesize
782KB

MD5
f487171ab6c39aeb08bf7073169175f6

SHA1
a4fe318472430d296ebba7ebe739c10b7a62c53c

SHA256
184f5e7dd7d26b2ad3ff480ff2771c43270b7acb43b38e40abc08268f2e848a1

SHA512
0e1d2d72a69e52b35cb1ede088fc2f7d00af5ca8eb4320558e97f6c8fbd198e28a807cd86ef25bd399fcc5f351312dc1b3dee9b832cad31eb71736fdd25848fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ZQ7pG5Oh.exe

Filesize
581KB

MD5
0ff76c991c34591b66de4cb18cce10be

SHA1
368f6834cd3261b76809b7bb74cb4fb8493d3259

SHA256
4bc522d938044c7b03725d4307c526c6ee68bb4e0243fab0faa786879642a2a3

SHA512
469ebab4492bd7ce565e0e1f35156b5f5714ac937ae5c5573afb1871704e640df34df180bc7b762fc39f463150e8f5e6fac03a7652ec4a2555d100abcd2054b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1yv19qn4.exe

Filesize
1.1MB

MD5
6ef68ec5b2d91cbc9c66fa0553e527ec

SHA1
8d8ab02a5f2433cf12ba62336e4d774f2bbf21d2

SHA256
8ffa8c6bcf0b38b229ac57e8a8eacfad2d27bd2b6ec971af827609bfb919495f

SHA512
1a02ccdf3d1be279169bc25eb2a4452be337389b78050811ea4367ca624d5d169c7c7e157a73fe3be13378412e8d94606f41c157b5892cc76c4344ee85d204a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2jl963qn.exe

Filesize
222KB

MD5
f058a866e46daa97dda816f3197057b6

SHA1
35c9af4fd575bbdfb90992b1f4245f65f12a831d

SHA256
b614e76b3df1dfd727cc6d9d81c7ce72f978faa7000eb56110ab4d3df3bdd530

SHA512
a5bb2b130928856a5add0cf45ef2ff2db24016bea7218d6b958e757258e23f760434956943d8b6c03c26af404fdbd24425898470c5f99e302516fcb10ab65853

Download Submit
memory/2820-39-0x0000000008FB0000-0x00000000095C8000-memory.dmp

Filesize
6.1MB

Download
memory/2820-35-0x0000000000F50000-0x0000000000F8E000-memory.dmp

Filesize
248KB

Download
memory/2820-36-0x00000000083E0000-0x0000000008984000-memory.dmp

Filesize
5.6MB

Download
memory/2820-37-0x0000000007ED0000-0x0000000007F62000-memory.dmp

Filesize
584KB

Download
memory/2820-38-0x00000000053D0000-0x00000000053DA000-memory.dmp

Filesize
40KB

Download
memory/2820-40-0x0000000008230000-0x000000000833A000-memory.dmp

Filesize
1.0MB

Download
memory/2820-41-0x0000000007EA0000-0x0000000007EB2000-memory.dmp

Filesize
72KB

Download
memory/2820-42-0x00000000080B0000-0x00000000080EC000-memory.dmp

Filesize
240KB

Download
memory/2820-43-0x0000000008120000-0x000000000816C000-memory.dmp

Filesize
304KB

Download
memory/3696-33-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3696-31-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3696-28-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download