mystic | c2272ebee324cbdc678c5327049fce66a63deda172096f31d24172bd656cfe29

General

Target

virussign.com_74debba886333c60765a473dad988c30.exe
Size

1.1MB
MD5

74debba886333c60765a473dad988c30
SHA1

47d08c102e0e7a63b34082a479856c60e8db37c2
SHA256

c2272ebee324cbdc678c5327049fce66a63deda172096f31d24172bd656cfe29
SHA512

9287e4b0be6ab59ce5d6e3ab7c08ded7d35688bd41a4beddcdc559f7ea0379985668ff79b60b7c1f508aa788f513510dd79f385b1f3bd9af078e00fdb648eeaf
SSDEEP

24576:YyK6dZeEzafM1TJqKXRmMFKp8hvVAe+LCgtJOph0hCwE7:fK6dZeaJqKXRPFKsO7Ew

Score

10^/10

mystic redline kukish infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kukish

C2

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4180-35-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral1/memory/4180-38-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral1/memory/4180-36-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2pZ552Kq.exe	family_redline
behavioral1/memory/2124-42-0x0000000000550000-0x000000000058E000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

Processes:

qk1vl8ci.exebf6Oq0cR.exerL6rY7ZF.exeoc9WB3uX.exe1eT47gy1.exe2pZ552Kq.exe

pid process

372 qk1vl8ci.exe
4056 bf6Oq0cR.exe
3848 rL6rY7ZF.exe
2020 oc9WB3uX.exe
532 1eT47gy1.exe
2124 2pZ552Kq.exe

pid	process
372	qk1vl8ci.exe
4056	bf6Oq0cR.exe
3848	rL6rY7ZF.exe
2020	oc9WB3uX.exe
532	1eT47gy1.exe
2124	2pZ552Kq.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

virussign.com_74debba886333c60765a473dad988c30.exeqk1vl8ci.exebf6Oq0cR.exerL6rY7ZF.exeoc9WB3uX.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	virussign.com_74debba886333c60765a473dad988c30.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	qk1vl8ci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	bf6Oq0cR.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	rL6rY7ZF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	oc9WB3uX.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

1eT47gy1.exe

description pid process target process

PID 532 set thread context of 4180 532 1eT47gy1.exe AppLaunch.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3820 532 WerFault.exe 1eT47gy1.exe

description	pid	process	target process
PID 532 set thread context of 4180	532	1eT47gy1.exe	AppLaunch.exe

pid	pid_target	process	target process
3820	532	WerFault.exe	1eT47gy1.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

virussign.com_74debba886333c60765a473dad988c30.exeqk1vl8ci.exebf6Oq0cR.exerL6rY7ZF.exeoc9WB3uX.exe1eT47gy1.exe

description	pid	process	target process
PID 5100 wrote to memory of 372	5100	virussign.com_74debba886333c60765a473dad988c30.exe	qk1vl8ci.exe
PID 5100 wrote to memory of 372	5100	virussign.com_74debba886333c60765a473dad988c30.exe	qk1vl8ci.exe
PID 5100 wrote to memory of 372	5100	virussign.com_74debba886333c60765a473dad988c30.exe	qk1vl8ci.exe
PID 372 wrote to memory of 4056	372	qk1vl8ci.exe	bf6Oq0cR.exe
PID 372 wrote to memory of 4056	372	qk1vl8ci.exe	bf6Oq0cR.exe
PID 372 wrote to memory of 4056	372	qk1vl8ci.exe	bf6Oq0cR.exe
PID 4056 wrote to memory of 3848	4056	bf6Oq0cR.exe	rL6rY7ZF.exe
PID 4056 wrote to memory of 3848	4056	bf6Oq0cR.exe	rL6rY7ZF.exe
PID 4056 wrote to memory of 3848	4056	bf6Oq0cR.exe	rL6rY7ZF.exe
PID 3848 wrote to memory of 2020	3848	rL6rY7ZF.exe	oc9WB3uX.exe
PID 3848 wrote to memory of 2020	3848	rL6rY7ZF.exe	oc9WB3uX.exe
PID 3848 wrote to memory of 2020	3848	rL6rY7ZF.exe	oc9WB3uX.exe
PID 2020 wrote to memory of 532	2020	oc9WB3uX.exe	1eT47gy1.exe
PID 2020 wrote to memory of 532	2020	oc9WB3uX.exe	1eT47gy1.exe
PID 2020 wrote to memory of 532	2020	oc9WB3uX.exe	1eT47gy1.exe
PID 532 wrote to memory of 4180	532	1eT47gy1.exe	AppLaunch.exe
PID 532 wrote to memory of 4180	532	1eT47gy1.exe	AppLaunch.exe
PID 532 wrote to memory of 4180	532	1eT47gy1.exe	AppLaunch.exe
PID 532 wrote to memory of 4180	532	1eT47gy1.exe	AppLaunch.exe
PID 532 wrote to memory of 4180	532	1eT47gy1.exe	AppLaunch.exe
PID 532 wrote to memory of 4180	532	1eT47gy1.exe	AppLaunch.exe
PID 532 wrote to memory of 4180	532	1eT47gy1.exe	AppLaunch.exe
PID 532 wrote to memory of 4180	532	1eT47gy1.exe	AppLaunch.exe
PID 532 wrote to memory of 4180	532	1eT47gy1.exe	AppLaunch.exe
PID 532 wrote to memory of 4180	532	1eT47gy1.exe	AppLaunch.exe
PID 2020 wrote to memory of 2124	2020	oc9WB3uX.exe	2pZ552Kq.exe
PID 2020 wrote to memory of 2124	2020	oc9WB3uX.exe	2pZ552Kq.exe
PID 2020 wrote to memory of 2124	2020	oc9WB3uX.exe	2pZ552Kq.exe

C:\Users\Admin\AppData\Local\Temp\virussign.com_74debba886333c60765a473dad988c30.exe
"C:\Users\Admin\AppData\Local\Temp\virussign.com_74debba886333c60765a473dad988c30.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5100

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qk1vl8ci.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qk1vl8ci.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:372

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bf6Oq0cR.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bf6Oq0cR.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4056

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rL6rY7ZF.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rL6rY7ZF.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3848

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\oc9WB3uX.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\oc9WB3uX.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2020

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1eT47gy1.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1eT47gy1.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:532

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
PID:4180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 532 -s 148
7⤵
- Program crash
PID:3820

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2pZ552Kq.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2pZ552Kq.exe
6⤵
- Executes dropped EXE
PID:2124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 532 -ip 532
1⤵
PID:3800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qk1vl8ci.exe

Filesize
1009KB

MD5
2feef96c5d8c7b667466ba04151a5331

SHA1
2785ff120cc9940608b1662cbf8b0858b1e416a6

SHA256
cfbb3f38b05f2c8ed211f57d972a25dda626d19a176bdfdf18f66d98a7464d17

SHA512
99dfee8ac2196c87f423ad4aac70de8d3098a007118a2fe979669bdbbd94bc28396602e366841273c041d06f0c673a6aa39c3adaa498c807c9031830553bbc1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bf6Oq0cR.exe

Filesize
819KB

MD5
ca425a079aa35ba86eaadaeefbd0967d

SHA1
df6b3d2880992bfba46d32e619624fc3e50714ca

SHA256
7b65a5925de0b7498bd2adf44e0be443467ccb165ae3b12cb922997b25a143e5

SHA512
c6baa95720a70763bd2c8a2e224cc14f90f64c102a74390ef1bead1fde5f5d4c42069a3f09269c0c0ace1b9b0901770562b89772bb71e32badb7678367c6f386

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rL6rY7ZF.exe

Filesize
584KB

MD5
35d6b6cf4f9646758aa6b741991806f5

SHA1
54e8a06737d010236327512cbb9261b0a03e74e1

SHA256
127dc378a12c379cb2a81ef2bd8a7e230666573337c02a6be2c2de730a3b3cfa

SHA512
78acca7c3b25c9c9303b519e659bc0f730a8c9ebe2bb2d2c8a30838f3803e37b5a329b013569cd57e9436e7f149333fb1b0bed449d53c3f0fc9412018046e508

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\oc9WB3uX.exe

Filesize
383KB

MD5
6b62173f636b079fa584488a834d3135

SHA1
fdd1c7ea5b54471496140ba944f001421304b269

SHA256
cc7ca532ecf7ab0b0119d1a7788faa5aa19a2514fcde7384cedf87d6c5e9aa8e

SHA512
7b31b438a20d15d404044b4dd5def52fc8e6ddaf9a952c1543377e9191b54d190ad617ded51ec5b41428f12088a8133e5d1c651813851dfbe3f5e4498172e4bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1eT47gy1.exe

Filesize
298KB

MD5
7031d0b97d831ad30cc5fe946f41ebb7

SHA1
d6ed94eea7afb7ca25dcf44e767ff72e12c38973

SHA256
a25fd36e3f98abd3de0dfa3a3e8e237aa0fe0294f741ae3723958893d78cb2e8

SHA512
cc1d4df09beae451d7e63b82469f7101a712bd07cd3f05e942e9f538130481d20e84b309080481201dd2a0b36eb75a8c444d1b3891a650133b96ef96f5ebf18a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2pZ552Kq.exe

Filesize
222KB

MD5
498e641310870763f03a5058d4215537

SHA1
f75af5c92c54fee7eb5f75607094f31c53000704

SHA256
f36eccbdefc4187dcafa490b531fbc8beb513d81c37957d889810ca524779d6f

SHA512
921d383e92a4cbd42e8c43cee0eddbe07ea3c0bc5aa6f527248d5a2b58fd79e0904a8d9d45be8d4d5b9b7812dbaf9e771931eacc465a498b22ee7fdaee88954f

Download Submit
memory/2124-42-0x0000000000550000-0x000000000058E000-memory.dmp

Filesize
248KB

Download
memory/2124-43-0x0000000007780000-0x0000000007D24000-memory.dmp

Filesize
5.6MB

Download
memory/2124-44-0x00000000072D0000-0x0000000007362000-memory.dmp

Filesize
584KB

Download
memory/2124-45-0x0000000004890000-0x000000000489A000-memory.dmp

Filesize
40KB

Download
memory/2124-46-0x0000000008350000-0x0000000008968000-memory.dmp

Filesize
6.1MB

Download
memory/2124-47-0x00000000075E0000-0x00000000076EA000-memory.dmp

Filesize
1.0MB

Download
memory/2124-48-0x0000000007510000-0x0000000007522000-memory.dmp

Filesize
72KB

Download
memory/2124-49-0x0000000007570000-0x00000000075AC000-memory.dmp

Filesize
240KB

Download
memory/2124-50-0x00000000076F0000-0x000000000773C000-memory.dmp

Filesize
304KB

Download
memory/4180-38-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4180-36-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4180-35-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads