mystic | 9444d50a246315a91a9da73f1e727980c103e297c2200ba065854cf98b44ed83

General

Target

66c61378ceb623f448b98ab97c956e80N.exe
Size

1.1MB
MD5

66c61378ceb623f448b98ab97c956e80
SHA1

321d6f5db4bfad9d7e94a4a70023f8f00fc21296
SHA256

9444d50a246315a91a9da73f1e727980c103e297c2200ba065854cf98b44ed83
SHA512

e6476f00cadb16e4236cadd4847ae17c780bd463e66abf8c05b16cec8cd46b0bfb44636d9006a177d5bdc96dc5fe3890f573e7415ecb9c18b35d4858f36369d1
SSDEEP

24576:wy9CV41lS+WRXKAmdrmgQmRi8cIficPh9ZIQk1m:3tG+i6Am1kmk8cWiA/Ij

Score

10^/10

mystic redline kukish discovery infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kukish

C2

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4200-28-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral1/memory/4200-29-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral1/memory/4200-31-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2HS395lh.exe	family_redline
behavioral1/memory/4128-35-0x0000000000920000-0x000000000095E000-memory.dmp	family_redline

Executes dropped EXE 5 IoCs

Processes:

Ax0JY8wR.exeKn8Fm8Nu.exeRz8Mw6sM.exe1rU55ap7.exe2HS395lh.exe

pid process

4760 Ax0JY8wR.exe
2728 Kn8Fm8Nu.exe
1408 Rz8Mw6sM.exe
2940 1rU55ap7.exe
4128 2HS395lh.exe

pid	process
4760	Ax0JY8wR.exe
2728	Kn8Fm8Nu.exe
1408	Rz8Mw6sM.exe
2940	1rU55ap7.exe
4128	2HS395lh.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

66c61378ceb623f448b98ab97c956e80N.exeAx0JY8wR.exeKn8Fm8Nu.exeRz8Mw6sM.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	66c61378ceb623f448b98ab97c956e80N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Ax0JY8wR.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Kn8Fm8Nu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	Rz8Mw6sM.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

1rU55ap7.exe

description pid process target process

PID 2940 set thread context of 4200 2940 1rU55ap7.exe AppLaunch.exe

description	pid	process	target process
PID 2940 set thread context of 4200	2940	1rU55ap7.exe	AppLaunch.exe

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

2HS395lh.exe66c61378ceb623f448b98ab97c956e80N.exeAx0JY8wR.exeKn8Fm8Nu.exeRz8Mw6sM.exe1rU55ap7.exeAppLaunch.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2HS395lh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	66c61378ceb623f448b98ab97c956e80N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ax0JY8wR.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kn8Fm8Nu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rz8Mw6sM.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1rU55ap7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AppLaunch.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

66c61378ceb623f448b98ab97c956e80N.exeAx0JY8wR.exeKn8Fm8Nu.exeRz8Mw6sM.exe1rU55ap7.exe

description	pid	process	target process
PID 2856 wrote to memory of 4760	2856	66c61378ceb623f448b98ab97c956e80N.exe	Ax0JY8wR.exe
PID 2856 wrote to memory of 4760	2856	66c61378ceb623f448b98ab97c956e80N.exe	Ax0JY8wR.exe
PID 2856 wrote to memory of 4760	2856	66c61378ceb623f448b98ab97c956e80N.exe	Ax0JY8wR.exe
PID 4760 wrote to memory of 2728	4760	Ax0JY8wR.exe	Kn8Fm8Nu.exe
PID 4760 wrote to memory of 2728	4760	Ax0JY8wR.exe	Kn8Fm8Nu.exe
PID 4760 wrote to memory of 2728	4760	Ax0JY8wR.exe	Kn8Fm8Nu.exe
PID 2728 wrote to memory of 1408	2728	Kn8Fm8Nu.exe	Rz8Mw6sM.exe
PID 2728 wrote to memory of 1408	2728	Kn8Fm8Nu.exe	Rz8Mw6sM.exe
PID 2728 wrote to memory of 1408	2728	Kn8Fm8Nu.exe	Rz8Mw6sM.exe
PID 1408 wrote to memory of 2940	1408	Rz8Mw6sM.exe	1rU55ap7.exe
PID 1408 wrote to memory of 2940	1408	Rz8Mw6sM.exe	1rU55ap7.exe
PID 1408 wrote to memory of 2940	1408	Rz8Mw6sM.exe	1rU55ap7.exe
PID 2940 wrote to memory of 4744	2940	1rU55ap7.exe	AppLaunch.exe
PID 2940 wrote to memory of 4744	2940	1rU55ap7.exe	AppLaunch.exe
PID 2940 wrote to memory of 4744	2940	1rU55ap7.exe	AppLaunch.exe
PID 2940 wrote to memory of 4200	2940	1rU55ap7.exe	AppLaunch.exe
PID 2940 wrote to memory of 4200	2940	1rU55ap7.exe	AppLaunch.exe
PID 2940 wrote to memory of 4200	2940	1rU55ap7.exe	AppLaunch.exe
PID 2940 wrote to memory of 4200	2940	1rU55ap7.exe	AppLaunch.exe
PID 2940 wrote to memory of 4200	2940	1rU55ap7.exe	AppLaunch.exe
PID 2940 wrote to memory of 4200	2940	1rU55ap7.exe	AppLaunch.exe
PID 2940 wrote to memory of 4200	2940	1rU55ap7.exe	AppLaunch.exe
PID 2940 wrote to memory of 4200	2940	1rU55ap7.exe	AppLaunch.exe
PID 2940 wrote to memory of 4200	2940	1rU55ap7.exe	AppLaunch.exe
PID 2940 wrote to memory of 4200	2940	1rU55ap7.exe	AppLaunch.exe
PID 1408 wrote to memory of 4128	1408	Rz8Mw6sM.exe	2HS395lh.exe
PID 1408 wrote to memory of 4128	1408	Rz8Mw6sM.exe	2HS395lh.exe
PID 1408 wrote to memory of 4128	1408	Rz8Mw6sM.exe	2HS395lh.exe

C:\Users\Admin\AppData\Local\Temp\66c61378ceb623f448b98ab97c956e80N.exe
"C:\Users\Admin\AppData\Local\Temp\66c61378ceb623f448b98ab97c956e80N.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2856

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ax0JY8wR.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ax0JY8wR.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4760

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Kn8Fm8Nu.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Kn8Fm8Nu.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2728

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Rz8Mw6sM.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Rz8Mw6sM.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1408

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1rU55ap7.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1rU55ap7.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2940

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
6⤵
PID:4744

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
6⤵
- System Location Discovery: System Language Discovery
PID:4200

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2HS395lh.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2HS395lh.exe
5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ax0JY8wR.exe

Filesize
898KB

MD5
84378356019a32cae39aecce00a02a5e

SHA1
25934505ef1854dd088952b681ce16076cdc90d2

SHA256
844bd13ad1dcc1d09a047ba20b5276557dfb28710e85be57e116b5e5a023c95a

SHA512
4b7b7e50322221617f8abf5d1d52670d0986523a92ef2f47ddefc24ef47c22d303c4fbe05905cc507473af8a05624e70b8256998f5717c18ee5a45df251fd569

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Kn8Fm8Nu.exe

Filesize
620KB

MD5
8faccbd45e355fb5c770e78de7f25bf1

SHA1
5f7b8e1f9752483cf48fbbd5607bff2bf1904f66

SHA256
29029b0cff300b5a0b97f1cb9ff065a1ae7de512ff550c546aab41a893cba978

SHA512
b3e460d4bef04400007680772a627f106c26027f435d4abd54b29de1e102b79064933a15d61cb62d724720dcbde7274563c4826c30b393ed659d68e78157c9e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Rz8Mw6sM.exe

Filesize
425KB

MD5
330cafea3560bbeaeac34579ebd8bb9a

SHA1
8d277da174c673d39275fb10100ddb23e4f79631

SHA256
1be6459e27af14d9ef070b93b777c5e3084d34063a497fba19c46f4e667a9682

SHA512
8d4c98e2398f23f9b04db364699451ef3457e4232827f57d76f96f8d4f67c3ebee800b58069e9e85e6659c39d696d27b0ca3cf2413656d8f17e12951936b316e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1rU55ap7.exe

Filesize
380KB

MD5
b48bc757d1d49091c97982caacc9dc6c

SHA1
94e506a549950db7e69d55419feb700f1a5b9a0c

SHA256
2ff8aaff31d5255dfe35cacab7705f24a8734bff91bb152b63b4564a88c1db86

SHA512
582ea908b152b71668787ddf972a9be35f519a7cd39a222050616a8ba351ef30384ccab4a4d08999a11d7d0db489ba570aaa350091fa933ac7c71621b3e16f95

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2HS395lh.exe

Filesize
223KB

MD5
c0adcc0d1c3e212e7128c9b0c9aa74e9

SHA1
3248620d5afd2e835a31f4e80daafbd8bdf22ab3

SHA256
ad121f6c710c2699c969441780b2e45dd52151ff192c302fdbd7c9e5c63758d7

SHA512
47e3027ce8fb078e5a455fb21e85e5b8b8b0cfda62c525eca8a83807e8a4f7e915c14b6e8a766f5e892d822a2e281c20b05017fac5f3f53c890689be646412d9

Download Submit
memory/4128-39-0x00000000088D0000-0x0000000008EE8000-memory.dmp

Filesize
6.1MB

Download
memory/4128-35-0x0000000000920000-0x000000000095E000-memory.dmp

Filesize
248KB

Download
memory/4128-36-0x0000000007D00000-0x00000000082A4000-memory.dmp

Filesize
5.6MB

Download
memory/4128-37-0x00000000077F0000-0x0000000007882000-memory.dmp

Filesize
584KB

Download
memory/4128-38-0x0000000002D60000-0x0000000002D6A000-memory.dmp

Filesize
40KB

Download
memory/4128-40-0x0000000007AF0000-0x0000000007BFA000-memory.dmp

Filesize
1.0MB

Download
memory/4128-41-0x0000000007A20000-0x0000000007A32000-memory.dmp

Filesize
72KB

Download
memory/4128-42-0x0000000007A80000-0x0000000007ABC000-memory.dmp

Filesize
240KB

Download
memory/4128-43-0x0000000007C00000-0x0000000007C4C000-memory.dmp

Filesize
304KB

Download
memory/4200-31-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4200-29-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4200-28-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads