mystic | e19f54b03f54fd3d106f72335cf721bc5f692c823069bd689ca6a6334ed31d92

General

Target

98568e60dd6aaa4e3bbfbf94d2b5aab06949a6ed4abae6a532d96b142408ea61.exe
Size

1017KB
MD5

9ff109638c5a001829bdb07be04ad4a9
SHA1

c51ce1cbf7a0fac879e50965467dce23fbdcc28c
SHA256

98568e60dd6aaa4e3bbfbf94d2b5aab06949a6ed4abae6a532d96b142408ea61
SHA512

830a960e75269d0fbaaecee7173a6b1ea154e4c461e25deef9bf9670ab823b694f39b6b8637d5181fecd0ac58db992586fb39d9ff6a65c19af1a969cc0bcad50
SSDEEP

12288:kMrZy90VVFI/tCVY0IcQb3GwzFkp/9D0Fdv5S4eGc4K6jinwaG7C7FK7OW3uwT/o:lykef0rQiXplOrLV4WfODwUZ+j/VE

Score

10^/10

mystic redline kukish discovery infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kukish

C2

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 1 IoCs

resource	yara_rule
behavioral1/files/0x000800000002341b-33.dat	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000700000002341c-36.dat	family_redline
behavioral1/memory/3688-38-0x0000000000430000-0x000000000046E000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
2596	jt4gF6GV.exe
2024	CC3aL7HC.exe
4212	cx5YO6Gz.exe
5004	uJ4FF0es.exe
3028	1BL35UB1.exe
3688	2or474CW.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	98568e60dd6aaa4e3bbfbf94d2b5aab06949a6ed4abae6a532d96b142408ea61.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	jt4gF6GV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	CC3aL7HC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	cx5YO6Gz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	uJ4FF0es.exe

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uJ4FF0es.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1BL35UB1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2or474CW.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	98568e60dd6aaa4e3bbfbf94d2b5aab06949a6ed4abae6a532d96b142408ea61.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jt4gF6GV.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CC3aL7HC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cx5YO6Gz.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2860 wrote to memory of 2596	2860	98568e60dd6aaa4e3bbfbf94d2b5aab06949a6ed4abae6a532d96b142408ea61.exe	84
PID 2860 wrote to memory of 2596	2860	98568e60dd6aaa4e3bbfbf94d2b5aab06949a6ed4abae6a532d96b142408ea61.exe	84
PID 2860 wrote to memory of 2596	2860	98568e60dd6aaa4e3bbfbf94d2b5aab06949a6ed4abae6a532d96b142408ea61.exe	84
PID 2596 wrote to memory of 2024	2596	jt4gF6GV.exe	85
PID 2596 wrote to memory of 2024	2596	jt4gF6GV.exe	85
PID 2596 wrote to memory of 2024	2596	jt4gF6GV.exe	85
PID 2024 wrote to memory of 4212	2024	CC3aL7HC.exe	87
PID 2024 wrote to memory of 4212	2024	CC3aL7HC.exe	87
PID 2024 wrote to memory of 4212	2024	CC3aL7HC.exe	87
PID 4212 wrote to memory of 5004	4212	cx5YO6Gz.exe	88
PID 4212 wrote to memory of 5004	4212	cx5YO6Gz.exe	88
PID 4212 wrote to memory of 5004	4212	cx5YO6Gz.exe	88
PID 5004 wrote to memory of 3028	5004	uJ4FF0es.exe	89
PID 5004 wrote to memory of 3028	5004	uJ4FF0es.exe	89
PID 5004 wrote to memory of 3028	5004	uJ4FF0es.exe	89
PID 5004 wrote to memory of 3688	5004	uJ4FF0es.exe	90
PID 5004 wrote to memory of 3688	5004	uJ4FF0es.exe	90
PID 5004 wrote to memory of 3688	5004	uJ4FF0es.exe	90

C:\Users\Admin\AppData\Local\Temp\98568e60dd6aaa4e3bbfbf94d2b5aab06949a6ed4abae6a532d96b142408ea61.exe
"C:\Users\Admin\AppData\Local\Temp\98568e60dd6aaa4e3bbfbf94d2b5aab06949a6ed4abae6a532d96b142408ea61.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2860
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jt4gF6GV.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jt4gF6GV.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2596
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\CC3aL7HC.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\CC3aL7HC.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2024
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cx5YO6Gz.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cx5YO6Gz.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4212
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\uJ4FF0es.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\uJ4FF0es.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5004
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1BL35UB1.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1BL35UB1.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3028
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2or474CW.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2or474CW.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jt4gF6GV.exe

Filesize
878KB

MD5
84a83e99461c974cdd4191c058b2fb52

SHA1
b7ba4529a4e97bcc7df25daf964c1ae355660c3f

SHA256
0fb3d08c6969a1767dfb6835b1391b2a89674cddfecabee0efa2303fe67a2593

SHA512
14df46c860410ef82e695ba000f9c2773d365f750f20e485358a6ea1149d69f4edf15e30df4a5aa6c3394cff63b6e624fb1aa941cad2d67751ea591d844054d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\CC3aL7HC.exe

Filesize
688KB

MD5
df5126cce7146ff0286c2b53e1905f4f

SHA1
75f6dd27839d663b7fc7677401bf6b85e4d9bddf

SHA256
548b55faec19a498f18edb8a4f4c1df4e84ec0e0066605654854743fa589be5c

SHA512
5b3376872a84ee46932c8e65f735da1c8fd2ae83d46d0c889469018c129a754d86e47b5274b150458b8e95fe238602b0f3825dfa24a45f0140c992689588aa48

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cx5YO6Gz.exe

Filesize
514KB

MD5
a926459ef04092b3f1d8e843c84ae210

SHA1
05071655653e904924025003cc68509e7fe57765

SHA256
b6961287b5963468dd10a4fab9d61d28ed2857c214971824be99a56f413f2f77

SHA512
aec09f6f27bb7f2a3cfd6b9b5648f1ea76979d148c627441f584a95704b41eaabc4df19c0200170cf6a1d7e7ce73bd8fe7de1d432ce852a8f7a3677da6a7910f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\uJ4FF0es.exe

Filesize
319KB

MD5
63d4f960c02c831909e209800630fde4

SHA1
234d3976864dd8b984ed206409aa9c01b1e3138f

SHA256
ee75e1a7b7db75800b66c4811f850e5165dc7fe52467348cbfb5121e334f9baa

SHA512
42ee50315b63f9cc763202dbc77b5879a3d40c990c7cad45a3f7e83574f5aeccda9c7580eaae751c121dd0c722d77c113b6627ac98841835398e4f72fb3c34ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1BL35UB1.exe

Filesize
180KB

MD5
53e28e07671d832a65fbfe3aa38b6678

SHA1
6f9ea0ed8109030511c2c09c848f66bd0d16d1e1

SHA256
5c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e

SHA512
053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2or474CW.exe

Filesize
222KB

MD5
6292135b6431667ac0afa054209a3d01

SHA1
3e12f946a70343b45235f97af56968eb261f41df

SHA256
b5ec896240bd4599f7045552af292dc66a8e081df6dc09fee3adee971f4131e2

SHA512
d192fc9c5daef843ec752ca2a61e77c43e0a4ba1f6806fc630af99855dd5462d5853bfa24202fe072379a68f86085c774eac186b482d5442f58c4f2e4c050562

Download Submit
memory/3688-38-0x0000000000430000-0x000000000046E000-memory.dmp

Filesize
248KB

Download
memory/3688-39-0x0000000007760000-0x0000000007D04000-memory.dmp

Filesize
5.6MB

Download
memory/3688-40-0x0000000007250000-0x00000000072E2000-memory.dmp

Filesize
584KB

Download
memory/3688-41-0x0000000002660000-0x000000000266A000-memory.dmp

Filesize
40KB

Download
memory/3688-42-0x0000000008330000-0x0000000008948000-memory.dmp

Filesize
6.1MB

Download
memory/3688-43-0x00000000075E0000-0x00000000076EA000-memory.dmp

Filesize
1.0MB

Download
memory/3688-44-0x00000000073E0000-0x00000000073F2000-memory.dmp

Filesize
72KB

Download
memory/3688-45-0x0000000007460000-0x000000000749C000-memory.dmp

Filesize
240KB

Download
memory/3688-46-0x00000000074A0000-0x00000000074EC000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads