Overview

overview

10

Static

static

3

Mystic Release.rar

windows7-x64

3

Mystic Release.rar

windows10-2004-x64

3

Mystic Rel...ok.dll

windows7-x64

1

Mystic Rel...ok.dll

windows10-2004-x64

1

Mystic Rel....2.exe

windows7-x64

10

Mystic Rel....2.exe

windows10-2004-x64

10

Mystic Rel...ts.dll

windows7-x64

1

Mystic Rel...ts.dll

windows10-2004-x64

1

Mystic Rel...ch.dll

windows7-x64

1

Mystic Rel...ch.dll

windows10-2004-x64

1

Mystic Rel...ns.txt

windows7-x64

1

Mystic Rel...ns.txt

windows10-2004-x64

1

Mystic Rel...se.txt

windows7-x64

1

Mystic Rel...se.txt

windows10-2004-x64

1

Mystic Rel...ts.txt

windows7-x64

1

Mystic Rel...ts.txt

windows10-2004-x64

1

Resubmissions

25/06/2024, 13:49

240625-q4sxgstcpc 10

Sharing

Copy URL Twitter E-mail

General

  • Target

    Mystic Release.rar

  • Size

    37.9MB

  • Sample

    240625-q4sxgstcpc

  • MD5

    29012d69065e9e345e589db37368d8e3

  • SHA1

    5a83d9ae2478486eb0d1278c0da7d615ecd3cf64

  • SHA256

    b8e050bfd5ac58c6f0c0fe2ca1cef4e4e9c1fb8099c73c84269cc6290240765e

  • SHA512

    64f6a98195b1f34183f0dbe5a3d9c384805a1978d52a10ad9b4ca32a452cca35682b4ade91cb8d9666e16577f2e464b09345a1a46e8d8530e79d3a5e580db9f1

  • SSDEEP

    786432:tioOWnPIMBvKW9RJjI1dC8OYRvc76kxhcVt/vRP:taW/RPJE1dC36oh6tF

Score
10/10
xwormexecutionpersistencepyinstallerratspywarestealertrojan

Malware Config

Extracted

Family

xworm

C2

91.92.241.69:5555

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    Windows Runtime.exe

Targets

    • Target

      Mystic Release.rar

    • Size

      37.9MB

    • MD5

      29012d69065e9e345e589db37368d8e3

    • SHA1

      5a83d9ae2478486eb0d1278c0da7d615ecd3cf64

    • SHA256

      b8e050bfd5ac58c6f0c0fe2ca1cef4e4e9c1fb8099c73c84269cc6290240765e

    • SHA512

      64f6a98195b1f34183f0dbe5a3d9c384805a1978d52a10ad9b4ca32a452cca35682b4ade91cb8d9666e16577f2e464b09345a1a46e8d8530e79d3a5e580db9f1

    • SSDEEP

      786432:tioOWnPIMBvKW9RJjI1dC8OYRvc76kxhcVt/vRP:taW/RPJE1dC36oh6tF

    Score
    3/10
    behavioral1behavioral2

    • Target

      Mystic Release/ByfronHook.dll

    • Size

      21KB

    • MD5

      4e3e92823caeac1203beaa5a35d6dafc

    • SHA1

      893b591d46c39e817052cd05ec969fea74da4233

    • SHA256

      3811858da4b1f5e7f40d1237d7189ddca3989fa0d7b07e87c538f92975b893d2

    • SHA512

      0490e800f1e5c9b38b6c9b56616290f3a7214179e6d993214e3dd742d44d1d669fe5073b5a121c588c05f3e7c0ec576798236ee94e1a9b37e1d980d1969c9d33

    • SSDEEP

      384:pPLl4JbDL8XQZW8LN/4pvuBUyHVz0Ad29DtSLKZR2CF/9+8ADu/TyZdEPLe:pPh4yQZW8LNuAUyJl29DtSLKZR2m9+8m

    Score
    1/10
    behavioral3behavioral4

    • Target

      Mystic Release/Mystic Release V1.2.exe

    • Size

      37.9MB

    • MD5

      fea2be7470193a2b6bf68c20842f7d0e

    • SHA1

      6589d8e9044d26431557485b08446a32cac0bd80

    • SHA256

      e75771b5ce0a5e1c33c43f79f1d8e9ab7777cd7d9fb653a7ec0a49c73bf7e6f5

    • SHA512

      7011f4b88d7a0d208362741ace6b605eb00e4bf1d371180576ce467c4e54583af6e7fde1d2b6de5af7307a25024b3e689370fb40d88e546b9860d3cc1f1a76a6

    • SSDEEP

      786432:Y4J4XwKnww+bf4q8QzL3JBpaZ1PFUQJLkatHUpnQ96Bg2Mm78YIOJG:Z4XwA+D4q8aDiPFfNk8Ha+6Mm78FOJG

    Score
    10/10
    xwormexecutionpersistencepyinstallerrattrojanspywarestealer

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral5behavioral6

    • Target

      Mystic Release/assets.dll

    • Size

      171KB

    • MD5

      bcc0b07de0a24f9701fc97d154ecd660

    • SHA1

      cb5ba3b790cee940b4d18ff78e5a6cd71bdad47d

    • SHA256

      672cb16128dea50e21fd2d98889e2d6a2264b654304a3f4248ebdf4c546f734a

    • SHA512

      18959767986401bc877d30416e550c55e97c158f674b8f76dc9af117494e65e11d6000521f72be93c193ebd38f84d1b9578386c24911fda97507277f06ebd8e4

    • SSDEEP

      3072:rN505WN505WN505WN505WN505WN505WN505WN505WN505m:rNJNJNJNJNJNJNJNJNB

    Score
    1/10
    behavioral7behavioral8

    • Target

      Mystic Release/bin/autoattach.dll

    • Size

      171KB

    • MD5

      bcc0b07de0a24f9701fc97d154ecd660

    • SHA1

      cb5ba3b790cee940b4d18ff78e5a6cd71bdad47d

    • SHA256

      672cb16128dea50e21fd2d98889e2d6a2264b654304a3f4248ebdf4c546f734a

    • SHA512

      18959767986401bc877d30416e550c55e97c158f674b8f76dc9af117494e65e11d6000521f72be93c193ebd38f84d1b9578386c24911fda97507277f06ebd8e4

    • SSDEEP

      3072:rN505WN505WN505WN505WN505WN505WN505WN505WN505m:rNJNJNJNJNJNJNJNJNB

    Score
    1/10
    behavioral10behavioral9

    • Target

      Mystic Release/instructions.txt

    • Size

      351B

    • MD5

      418e01138e5c206bea3b84a2b3e5cf5c

    • SHA1

      8bec619a5e2b4b42997b0e08832c65707a499972

    • SHA256

      889009d51cbe3d08d76fb507d066c5be8e29aca553a7e6b45727dcbdfe02f63a

    • SHA512

      6bf6eba89df8466531ec89edf903ab0159189eddbb8c2b111b622521fb0077e2c8addf21f57d7adcc3c717e39978b05556b7b5ad7341c7e8ace2db10ef232992

    Score
    1/10
    behavioral11behavioral12

    • Target

      Mystic Release/license.txt

    • Size

      6KB

    • MD5

      0b09566254b011d989decf0e23a902eb

    • SHA1

      3ae5cd6be73daf418b8deee9c865cf78225838c9

    • SHA256

      a19d58aaab15c4d0019e569d1c073d1b5286fdd37dbeee7a58a7d1ae76045ae1

    • SHA512

      4e22e58f925879306261e5993039e1d84d87f8fecc0f9fdad534da55b6fd22be77e622a4077d8d521f7734e5535f66853d581155987e2f3607e2d386938c218b

    • SSDEEP

      192:uEwjuKsgA4+XYdXjA+okS63vZBCSUziJm:eNs8+QRVxBRU1

    Score
    1/10
    behavioral13behavioral14

    • Target

      Mystic Release/workspace/Saved Scripts.txt

    • Size

      26B

    • MD5

      9aab6209b47a96431718754d4bac5bea

    • SHA1

      671ae2fdf7f41befc2b7fb53a3902cd2d2f35b7f

    • SHA256

      d2d792f0d9bdb064f665174877454ea83f32aa0a571d223c062fb2107352481b

    • SHA512

      860afec17d9e2c88df27042ad0b027c9021ce08b737d7cae39585d3398fd6ee551f81fe0f145aed90a30bec15a07d1e0731cce9c5b5db7141a6cedd42a3a1bd1

    Score
    1/10
    behavioral15behavioral16

MITRE ATT&CK Enterprise v15

Tasks