mystic | 64c2bc5867eec712b56dddbe36513c847e05a2b9cb8acd8bda6a9e9c9bc9870e

General

Target

1189ca5b97d02a10ca97072d26100cf0N.exe
Size

1.5MB
MD5

1189ca5b97d02a10ca97072d26100cf0
SHA1

6bd468f99a7fdb223d25b4e16a8fd333ef91b23b
SHA256

64c2bc5867eec712b56dddbe36513c847e05a2b9cb8acd8bda6a9e9c9bc9870e
SHA512

1186226d8f33a893c2f9f7acf03292bf75745c89e983953643bfce19a8d1973d3c405772bbccd6de4d4165adae4c2d29905d2316a6e162bb7b429087f33d6093
SSDEEP

24576:xy5dgGQxVoMnye+DjzGWIuwJTHEP/SDLxTyUs1/hi3YLzY3h4uzNwPvfJ0rp3QxT:k5dgGQzoMye+Ha/7Zky3x2dhzUCPJV

Score

10^/10

mystic redline kinza discovery infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kinza

C2

77.91.124.86:19084

Signatures

Detect Mystic stealer payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2996-28-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral1/memory/2996-31-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral1/memory/2996-29-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2qB487pK.exe	family_redline
behavioral1/memory/988-35-0x00000000001C0000-0x00000000001FE000-memory.dmp	family_redline

Executes dropped EXE 5 IoCs

Processes:

mb8XX4Zb.exeOR3lb5OI.exezH8AY6oS.exe1ld20ox0.exe2qB487pK.exe

pid process

4184 mb8XX4Zb.exe
3068 OR3lb5OI.exe
3128 zH8AY6oS.exe
1940 1ld20ox0.exe
988 2qB487pK.exe

pid	process
4184	mb8XX4Zb.exe
3068	OR3lb5OI.exe
3128	zH8AY6oS.exe
1940	1ld20ox0.exe
988	2qB487pK.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

1189ca5b97d02a10ca97072d26100cf0N.exemb8XX4Zb.exeOR3lb5OI.exezH8AY6oS.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	1189ca5b97d02a10ca97072d26100cf0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	mb8XX4Zb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	OR3lb5OI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	zH8AY6oS.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

1ld20ox0.exe

description pid process target process

PID 1940 set thread context of 2996 1940 1ld20ox0.exe AppLaunch.exe

description	pid	process	target process
PID 1940 set thread context of 2996	1940	1ld20ox0.exe	AppLaunch.exe

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

AppLaunch.exe2qB487pK.exe1189ca5b97d02a10ca97072d26100cf0N.exemb8XX4Zb.exeOR3lb5OI.exezH8AY6oS.exe1ld20ox0.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2qB487pK.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1189ca5b97d02a10ca97072d26100cf0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mb8XX4Zb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OR3lb5OI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zH8AY6oS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1ld20ox0.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

1189ca5b97d02a10ca97072d26100cf0N.exemb8XX4Zb.exeOR3lb5OI.exezH8AY6oS.exe1ld20ox0.exe

description	pid	process	target process
PID 2356 wrote to memory of 4184	2356	1189ca5b97d02a10ca97072d26100cf0N.exe	mb8XX4Zb.exe
PID 2356 wrote to memory of 4184	2356	1189ca5b97d02a10ca97072d26100cf0N.exe	mb8XX4Zb.exe
PID 2356 wrote to memory of 4184	2356	1189ca5b97d02a10ca97072d26100cf0N.exe	mb8XX4Zb.exe
PID 4184 wrote to memory of 3068	4184	mb8XX4Zb.exe	OR3lb5OI.exe
PID 4184 wrote to memory of 3068	4184	mb8XX4Zb.exe	OR3lb5OI.exe
PID 4184 wrote to memory of 3068	4184	mb8XX4Zb.exe	OR3lb5OI.exe
PID 3068 wrote to memory of 3128	3068	OR3lb5OI.exe	zH8AY6oS.exe
PID 3068 wrote to memory of 3128	3068	OR3lb5OI.exe	zH8AY6oS.exe
PID 3068 wrote to memory of 3128	3068	OR3lb5OI.exe	zH8AY6oS.exe
PID 3128 wrote to memory of 1940	3128	zH8AY6oS.exe	1ld20ox0.exe
PID 3128 wrote to memory of 1940	3128	zH8AY6oS.exe	1ld20ox0.exe
PID 3128 wrote to memory of 1940	3128	zH8AY6oS.exe	1ld20ox0.exe
PID 1940 wrote to memory of 2996	1940	1ld20ox0.exe	AppLaunch.exe
PID 1940 wrote to memory of 2996	1940	1ld20ox0.exe	AppLaunch.exe
PID 1940 wrote to memory of 2996	1940	1ld20ox0.exe	AppLaunch.exe
PID 1940 wrote to memory of 2996	1940	1ld20ox0.exe	AppLaunch.exe
PID 1940 wrote to memory of 2996	1940	1ld20ox0.exe	AppLaunch.exe
PID 1940 wrote to memory of 2996	1940	1ld20ox0.exe	AppLaunch.exe
PID 1940 wrote to memory of 2996	1940	1ld20ox0.exe	AppLaunch.exe
PID 1940 wrote to memory of 2996	1940	1ld20ox0.exe	AppLaunch.exe
PID 1940 wrote to memory of 2996	1940	1ld20ox0.exe	AppLaunch.exe
PID 1940 wrote to memory of 2996	1940	1ld20ox0.exe	AppLaunch.exe
PID 3128 wrote to memory of 988	3128	zH8AY6oS.exe	2qB487pK.exe
PID 3128 wrote to memory of 988	3128	zH8AY6oS.exe	2qB487pK.exe
PID 3128 wrote to memory of 988	3128	zH8AY6oS.exe	2qB487pK.exe

C:\Users\Admin\AppData\Local\Temp\1189ca5b97d02a10ca97072d26100cf0N.exe
"C:\Users\Admin\AppData\Local\Temp\1189ca5b97d02a10ca97072d26100cf0N.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2356

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mb8XX4Zb.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mb8XX4Zb.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4184

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\OR3lb5OI.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\OR3lb5OI.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3068

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zH8AY6oS.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zH8AY6oS.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3128

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1ld20ox0.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1ld20ox0.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1940

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
6⤵
- System Location Discovery: System Language Discovery
PID:2996

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2qB487pK.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2qB487pK.exe
5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mb8XX4Zb.exe

Filesize
1.4MB

MD5
550e16649ec650ba27f3829743434f84

SHA1
502bc533943829eab02bf046b387ef319cf24575

SHA256
49f35ca01a88e59e8335a7a0da3216a964f3cba8aa695ec907928248d8bd30d5

SHA512
df2d8b98f4e4198975b2dcfe38e05cdd3d32d9514382dfc901bb8175e5d3b783fcf6474bd6dc5bd525244beed444fa7079e334036a56e3db3dd6af084c20df17

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\OR3lb5OI.exe

Filesize
871KB

MD5
ef0b1c6a42ace3860dee7e94ec6c70f4

SHA1
45c9611271bf6d3dba92624bbcd0b85fdab9ff89

SHA256
6f594c659adbca8c4edc77862565b05a88b580d268c123b00979332428bbb0cd

SHA512
bb79447805eb4ce46a81701e9cba8259a8eac9683e486d4ff29beaaabb978b55a1660b3c23edb5c766b2017e2f96baf01b401234255a1a56482a101aa62ea573

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zH8AY6oS.exe

Filesize
675KB

MD5
9c6a1bfb6b0a99c72d013b9bf2316367

SHA1
1d3382233fb3db590a681043e412063874316846

SHA256
6a0a0d9d2111a08ad9abf6b4a4dc8339bf4ee479452149c40b9a2541ea766314

SHA512
ddb48a921114e84dd11bd43fb1e1daf8eeb78c3e6cf35239f6b3e67cccea95d24560f4dad1a9ece0090cc14b93b02a37018f74434d9ad9932135f14025181ca8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1ld20ox0.exe

Filesize
1.8MB

MD5
55d3507f18e2f4b729e2d39b42ed30f7

SHA1
1e0e1f566dc8332c78ab12e7bd3228530e3f9a7d

SHA256
7a64de4e9ba61ab53f06e9ca11804a1855928bf2062ce7002f7942075fc9feae

SHA512
a546e95c790e6f0c7945b6f063107ce796bffd7bb1e3151820e9e1d50aeb5818ac56af8696dbae0c4042c96795f5ac178a6bf97517b10a94e6f945606c885afa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2qB487pK.exe

Filesize
221KB

MD5
8a6e80a498866cd3ad06f99e601be957

SHA1
4310cbf24705a63737d0f791fe4e5be1d4b463e3

SHA256
ccf35939f8ff2c546eff5650716276692860c13621abf2ebad1932801c2d5c3c

SHA512
d6a4f8960c591b4279ac3dae88bcf1635650e4aad5233200615b754d7f34031486e8696cc88763bc691544c809da042c1c4f8fb2543638c3c205f968df0d0ee9

Download Submit
memory/988-39-0x0000000008180000-0x0000000008798000-memory.dmp

Filesize
6.1MB

Download
memory/988-35-0x00000000001C0000-0x00000000001FE000-memory.dmp

Filesize
248KB

Download
memory/988-36-0x00000000075B0000-0x0000000007B54000-memory.dmp

Filesize
5.6MB

Download
memory/988-37-0x00000000070A0000-0x0000000007132000-memory.dmp

Filesize
584KB

Download
memory/988-38-0x00000000024A0000-0x00000000024AA000-memory.dmp

Filesize
40KB

Download
memory/988-40-0x00000000074A0000-0x00000000075AA000-memory.dmp

Filesize
1.0MB

Download
memory/988-41-0x00000000071A0000-0x00000000071B2000-memory.dmp

Filesize
72KB

Download
memory/988-42-0x0000000007320000-0x000000000735C000-memory.dmp

Filesize
240KB

Download
memory/988-43-0x00000000071D0000-0x000000000721C000-memory.dmp

Filesize
304KB

Download
memory/2996-29-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2996-31-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2996-28-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads