mystic | 02ffbd0660d93ebad3c9373817783cb5b27f2c54995219e3c8ef699386fb454c

General

Target

02ffbd0660d93ebad3c9373817783cb5b27f2c54995219e3c8ef699386fb454c_NeikiAnalytics.exe
Size

1.3MB
MD5

aa3fac99fe10b1913607e8642620e5e0
SHA1

e807e8de797197cb1a108db0a27e6f5b076fe826
SHA256

02ffbd0660d93ebad3c9373817783cb5b27f2c54995219e3c8ef699386fb454c
SHA512

6fe759e878bf0dd8b3a6fc92cc7020b2ffece699a917a199ecaf9969426d6722b6742a3dd2135c499400df7644950958d7a676ec028d9bb593248ce59d28b555
SSDEEP

24576:MyfH1Hr7FJB1v40MJFLRMhYQdE+jLb6127tK22kOCmKFPG1c/V:7JnFaZJv4Pljd5KOOCXPw

Score

10^/10

mystic redline gigant infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

gigant

C2

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 3 IoCs

resource	yara_rule
behavioral1/memory/4228-21-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral1/memory/4228-22-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral1/memory/4228-24-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000700000002367f-25.dat	family_redline
behavioral1/memory/4468-28-0x0000000000730000-0x000000000076E000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

pid	Process
4680	uZ5wN5rd.exe
384	EB9OH1GN.exe
3788	1Yh76Tc6.exe
4468	2Ez461hM.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	02ffbd0660d93ebad3c9373817783cb5b27f2c54995219e3c8ef699386fb454c_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	uZ5wN5rd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	EB9OH1GN.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3788 set thread context of 4228	3788	1Yh76Tc6.exe	93

Program crash 1 IoCs

pid	pid_target	Process	procid_target
788	3788	WerFault.exe	92

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 4564 wrote to memory of 4680	4564	02ffbd0660d93ebad3c9373817783cb5b27f2c54995219e3c8ef699386fb454c_NeikiAnalytics.exe	90
PID 4564 wrote to memory of 4680	4564	02ffbd0660d93ebad3c9373817783cb5b27f2c54995219e3c8ef699386fb454c_NeikiAnalytics.exe	90
PID 4564 wrote to memory of 4680	4564	02ffbd0660d93ebad3c9373817783cb5b27f2c54995219e3c8ef699386fb454c_NeikiAnalytics.exe	90
PID 4680 wrote to memory of 384	4680	uZ5wN5rd.exe	91
PID 4680 wrote to memory of 384	4680	uZ5wN5rd.exe	91
PID 4680 wrote to memory of 384	4680	uZ5wN5rd.exe	91
PID 384 wrote to memory of 3788	384	EB9OH1GN.exe	92
PID 384 wrote to memory of 3788	384	EB9OH1GN.exe	92
PID 384 wrote to memory of 3788	384	EB9OH1GN.exe	92
PID 3788 wrote to memory of 4228	3788	1Yh76Tc6.exe	93
PID 3788 wrote to memory of 4228	3788	1Yh76Tc6.exe	93
PID 3788 wrote to memory of 4228	3788	1Yh76Tc6.exe	93
PID 3788 wrote to memory of 4228	3788	1Yh76Tc6.exe	93
PID 3788 wrote to memory of 4228	3788	1Yh76Tc6.exe	93
PID 3788 wrote to memory of 4228	3788	1Yh76Tc6.exe	93
PID 3788 wrote to memory of 4228	3788	1Yh76Tc6.exe	93
PID 3788 wrote to memory of 4228	3788	1Yh76Tc6.exe	93
PID 3788 wrote to memory of 4228	3788	1Yh76Tc6.exe	93
PID 3788 wrote to memory of 4228	3788	1Yh76Tc6.exe	93
PID 384 wrote to memory of 4468	384	EB9OH1GN.exe	100
PID 384 wrote to memory of 4468	384	EB9OH1GN.exe	100
PID 384 wrote to memory of 4468	384	EB9OH1GN.exe	100

C:\Users\Admin\AppData\Local\Temp\02ffbd0660d93ebad3c9373817783cb5b27f2c54995219e3c8ef699386fb454c_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\02ffbd0660d93ebad3c9373817783cb5b27f2c54995219e3c8ef699386fb454c_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4564
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uZ5wN5rd.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uZ5wN5rd.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4680
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\EB9OH1GN.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\EB9OH1GN.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:384
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Yh76Tc6.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Yh76Tc6.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:3788
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        
        PID:4228
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3788 -s 576
        5⤵
        Program crash
        
        PID:788
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2Ez461hM.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2Ez461hM.exe
      4⤵
      Executes dropped EXE
      PID:4468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3788 -ip 3788
1⤵
PID:3076

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1444,i,3549704109630749084,1975543916261970610,262144 --variations-seed-version --mojo-platform-channel-handle=1064 /prefetch:8
1⤵
PID:2612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uZ5wN5rd.exe

Filesize
821KB

MD5
63da7aef270377f0bbcf1df9ab46ce7f

SHA1
77be71e53577278d85fa9372901976396ce45af4

SHA256
527f79a183950464a38f56fc0b64e02a8adb0c62d720d55f4526e9cef993b21d

SHA512
64f6a6a46b3b5123698a3a36af0232df929125bba6101dbbf022879bda2625cbd51647ef9cdd691ceae8b334926ddc218ea89cbc9e657f7bd850fa28ac45bd12

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\EB9OH1GN.exe

Filesize
649KB

MD5
994f4d02b89a901b914132c7a495a752

SHA1
7b28b6bf88d3581c56ca61554b2ba2c0576735a9

SHA256
4d201d0845980d1ca8faf591f0045f2f08782ba67539fdd1cfca3f6a5df86af5

SHA512
61f85b39c7625e97d532625f3025d731129647e0b69cc7921597c2653781affbea28d957b176f6431e5e986bf38bbe6ff0fe34d1e61293ea1a6cc43deda3c56e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Yh76Tc6.exe

Filesize
1.7MB

MD5
144dc3c0a5275a93ff86f00b5c61b9ec

SHA1
784168ab3c4711737656ca13dc4cb59ca267fa45

SHA256
179649325e561f83a53c5cba99cd8f1f589064c8d0f2029fb8e06f61ae986787

SHA512
9af6a9870077621eb046d6fed0fac88eba35edd4cd5e60f49c46018ab633d5cc77ddb9a93886178544198099a4e3b20726a32729ec9d1cf89524b4a579afb783

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2Ez461hM.exe

Filesize
230KB

MD5
b4fcf4a35a3b751216060844fa10979e

SHA1
819e03996383b1150b31ed8570b789f4402faa94

SHA256
6a67aefd1dbe396b3b443899fcc3511b59ecfb4b8adfea72eed23f15d0426876

SHA512
1f204d032cd68930f8d5fc0de9d9af43097b4aabb97fc604e77790b2d264eca34a26cd3a02922e1092bb4ff69ea7b52deb05be9dfe211c32e0cfb8a0690f5fdb

Download Submit
memory/4228-21-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4228-22-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4228-24-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4468-29-0x0000000007A90000-0x0000000008034000-memory.dmp

Filesize
5.6MB

Download
memory/4468-28-0x0000000000730000-0x000000000076E000-memory.dmp

Filesize
248KB

Download
memory/4468-30-0x00000000074E0000-0x0000000007572000-memory.dmp

Filesize
584KB

Download
memory/4468-31-0x0000000000E50000-0x0000000000E5A000-memory.dmp

Filesize
40KB

Download
memory/4468-32-0x0000000008660000-0x0000000008C78000-memory.dmp

Filesize
6.1MB

Download
memory/4468-33-0x0000000007860000-0x000000000796A000-memory.dmp

Filesize
1.0MB

Download
memory/4468-34-0x00000000076E0000-0x00000000076F2000-memory.dmp

Filesize
72KB

Download
memory/4468-35-0x0000000007750000-0x000000000778C000-memory.dmp

Filesize
240KB

Download
memory/4468-36-0x0000000007790000-0x00000000077DC000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads