mystic | aaa53ca479bc7bde87061c0fc7083bee87e7b9b876d10607e9cf7e4f74ddb0dd

General

Target

aaa53ca479bc7bde87061c0fc7083bee87e7b9b876d10607e9cf7e4f74ddb0dd.exe
Size

877KB
MD5

2c4aa73b3c16d326ae6918ebc419b69d
SHA1

efcdc1933a5526e5ffd25b37bf46b6132268698e
SHA256

aaa53ca479bc7bde87061c0fc7083bee87e7b9b876d10607e9cf7e4f74ddb0dd
SHA512

c4f78c510cc2a858fd7e3002bfd066abfcfdb8f070f086aab79cb74885e534a11d7a26146f7973109dd825a1d436a52f874592730fb8cdb8a6fe6ad64facbf87
SSDEEP

12288:0MrTy90tquIYW5HB2NtqCertQYISCkQJha998oKgvwADk1EMt2NP3tviJ/kCubB3:nyZuIY0H8YrGYIS7QY98ojq2vKMCuSW

Score

10^/10

mystic redline kukish infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kukish

C2

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1pQ58Ad8.exe	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2SW466kq.exe	family_redline
behavioral1/memory/2020-31-0x0000000000530000-0x000000000056E000-memory.dmp	family_redline

Detects executables packed with ConfuserEx Mod 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2SW466kq.exe	INDICATOR_EXE_Packed_ConfuserEx
behavioral1/memory/2020-31-0x0000000000530000-0x000000000056E000-memory.dmp	INDICATOR_EXE_Packed_ConfuserEx

Executes dropped EXE 5 IoCs

Processes:

wj0sQ2vw.exevx9XB9Ai.exeDA5VB4vG.exe1pQ58Ad8.exe2SW466kq.exe

pid process

1836 wj0sQ2vw.exe
728 vx9XB9Ai.exe
2972 DA5VB4vG.exe
5048 1pQ58Ad8.exe
2020 2SW466kq.exe

pid	process
1836	wj0sQ2vw.exe
728	vx9XB9Ai.exe
2972	DA5VB4vG.exe
5048	1pQ58Ad8.exe
2020	2SW466kq.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

aaa53ca479bc7bde87061c0fc7083bee87e7b9b876d10607e9cf7e4f74ddb0dd.exewj0sQ2vw.exevx9XB9Ai.exeDA5VB4vG.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	aaa53ca479bc7bde87061c0fc7083bee87e7b9b876d10607e9cf7e4f74ddb0dd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	wj0sQ2vw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	vx9XB9Ai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	DA5VB4vG.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

aaa53ca479bc7bde87061c0fc7083bee87e7b9b876d10607e9cf7e4f74ddb0dd.exewj0sQ2vw.exevx9XB9Ai.exeDA5VB4vG.exe

description	pid	process	target process
PID 4552 wrote to memory of 1836	4552	aaa53ca479bc7bde87061c0fc7083bee87e7b9b876d10607e9cf7e4f74ddb0dd.exe	wj0sQ2vw.exe
PID 4552 wrote to memory of 1836	4552	aaa53ca479bc7bde87061c0fc7083bee87e7b9b876d10607e9cf7e4f74ddb0dd.exe	wj0sQ2vw.exe
PID 4552 wrote to memory of 1836	4552	aaa53ca479bc7bde87061c0fc7083bee87e7b9b876d10607e9cf7e4f74ddb0dd.exe	wj0sQ2vw.exe
PID 1836 wrote to memory of 728	1836	wj0sQ2vw.exe	vx9XB9Ai.exe
PID 1836 wrote to memory of 728	1836	wj0sQ2vw.exe	vx9XB9Ai.exe
PID 1836 wrote to memory of 728	1836	wj0sQ2vw.exe	vx9XB9Ai.exe
PID 728 wrote to memory of 2972	728	vx9XB9Ai.exe	DA5VB4vG.exe
PID 728 wrote to memory of 2972	728	vx9XB9Ai.exe	DA5VB4vG.exe
PID 728 wrote to memory of 2972	728	vx9XB9Ai.exe	DA5VB4vG.exe
PID 2972 wrote to memory of 5048	2972	DA5VB4vG.exe	1pQ58Ad8.exe
PID 2972 wrote to memory of 5048	2972	DA5VB4vG.exe	1pQ58Ad8.exe
PID 2972 wrote to memory of 5048	2972	DA5VB4vG.exe	1pQ58Ad8.exe
PID 2972 wrote to memory of 2020	2972	DA5VB4vG.exe	2SW466kq.exe
PID 2972 wrote to memory of 2020	2972	DA5VB4vG.exe	2SW466kq.exe
PID 2972 wrote to memory of 2020	2972	DA5VB4vG.exe	2SW466kq.exe

C:\Users\Admin\AppData\Local\Temp\aaa53ca479bc7bde87061c0fc7083bee87e7b9b876d10607e9cf7e4f74ddb0dd.exe
"C:\Users\Admin\AppData\Local\Temp\aaa53ca479bc7bde87061c0fc7083bee87e7b9b876d10607e9cf7e4f74ddb0dd.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4552

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wj0sQ2vw.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wj0sQ2vw.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1836

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vx9XB9Ai.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vx9XB9Ai.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:728

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\DA5VB4vG.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\DA5VB4vG.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2972

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1pQ58Ad8.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1pQ58Ad8.exe
5⤵
- Executes dropped EXE
PID:5048

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2SW466kq.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2SW466kq.exe
5⤵
- Executes dropped EXE
PID:2020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wj0sQ2vw.exe

Filesize
688KB

MD5
159c45dba00671a1baffbf1e4ff68bb9

SHA1
1b70ba6c1223fe26e5e4f08b701a6a660b2c2b37

SHA256
5201c48ab72d48754bd333d62681e20f35b8b47ccd0095768293cdd2c0bc9c2d

SHA512
c1f0899e9d7d6106f73088d64b837c59cf72cebf73ccf2af65f004cfd57f1ee63e21b413c2a09fd4754e3bb73d4cd07d9df40e2a57c44a9d87e3f3ac806ceebe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vx9XB9Ai.exe

Filesize
514KB

MD5
76122b755eb4f54a004a66954edbaa0a

SHA1
5a06573d692270214ce1154160b827122cb692c4

SHA256
79f828e55b5b808e72e47e65875ce2514f2f418637b7527ef684520395a9bb71

SHA512
ce4237a92f7d7880141249087b91f5ece5819f25c58400903a36d25bcc6b06bf71cb5c14f5ba56eff63e76fe6b10c2672fbe1447f397e46bb498c61c73812f41

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\DA5VB4vG.exe

Filesize
319KB

MD5
7e030a02975a6838a72aaf41477d880d

SHA1
210bded54145462c2924c723c96e4265db574db3

SHA256
e7d5241b67ce2b6bcc97690526095ff2f96c9e3beacd4137d7e7c49ac668577b

SHA512
c8b7ce5b5287e359d647d9cdc2e15e806b9deb03c7f5944ce97d3b49dd2f4c2c9bf3cc76e38d96cd83149f3463fa2a8ab2a5f1ed5d639f539824a0d9bb6879d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1pQ58Ad8.exe

Filesize
180KB

MD5
53e28e07671d832a65fbfe3aa38b6678

SHA1
6f9ea0ed8109030511c2c09c848f66bd0d16d1e1

SHA256
5c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e

SHA512
053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2SW466kq.exe

Filesize
222KB

MD5
365e92e7e687662dfbaee22e2ab3201c

SHA1
fbbe54cae026184acd70507e4febbb81cd96f0d6

SHA256
ecf55ffd0f646e24fb043a12f0f105ba52763eb50ce8c8f547cd01ae0f6a6103

SHA512
189a7aed54629ef8238e26b7d78105d24fbc627945e5b78ed72d20163545b4ce6b9c37ab57c57287f13a817d16b30dcdb53947b789b2671907f1ebfe60f2c95b

Download Submit
memory/2020-31-0x0000000000530000-0x000000000056E000-memory.dmp

Filesize
248KB

Download
memory/2020-32-0x0000000007890000-0x0000000007E34000-memory.dmp

Filesize
5.6MB

Download
memory/2020-33-0x0000000007380000-0x0000000007412000-memory.dmp

Filesize
584KB

Download
memory/2020-34-0x0000000002730000-0x000000000273A000-memory.dmp

Filesize
40KB

Download
memory/2020-35-0x0000000008460000-0x0000000008A78000-memory.dmp

Filesize
6.1MB

Download
memory/2020-36-0x0000000007770000-0x000000000787A000-memory.dmp

Filesize
1.0MB

Download
memory/2020-37-0x0000000007530000-0x0000000007542000-memory.dmp

Filesize
72KB

Download
memory/2020-38-0x00000000076A0000-0x00000000076DC000-memory.dmp

Filesize
240KB

Download
memory/2020-39-0x00000000076E0000-0x000000000772C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads