mystic | 65446b14c97c3a91857a5abdc890a7aeba14cb2c164399b37e01ac5f8ecbb53e

General

Target

2a71c069ced4a4f8e33edffc52ee4c40N.exe
Size

593KB
MD5

2a71c069ced4a4f8e33edffc52ee4c40
SHA1

4d027de41adaf8e98178bd6001733f7d82c9753b
SHA256

65446b14c97c3a91857a5abdc890a7aeba14cb2c164399b37e01ac5f8ecbb53e
SHA512

c8bcfa3ad11692a8f20ba4a210f5ba9fbc82c47c250d93b1309ed70b6ab982387d33f3c44b4889d57f5c28c2b3a895cbc841cb9bc05c04582a66e8bdde4165d2
SSDEEP

12288:SMrsy90E6N6sy1YZLArW96Kwbtt8LAuUNl26fh:yyptNY+6vwbttZuUNl9

Score

10^/10

mystic redline kukish discovery infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kukish

C2

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral1/memory/684-14-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral1/memory/684-18-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral1/memory/684-16-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral1/memory/684-15-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x00070000000233aa-20.dat	family_redline
behavioral1/memory/4504-22-0x0000000000D50000-0x0000000000D8E000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

pid	Process
1724	Xz9eP1qu.exe
1168	1No07jH5.exe
4504	2hj865Fr.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	2a71c069ced4a4f8e33edffc52ee4c40N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Xz9eP1qu.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1168 set thread context of 684	1168	1No07jH5.exe	101

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4608	684	WerFault.exe	101

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2hj865Fr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2a71c069ced4a4f8e33edffc52ee4c40N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Xz9eP1qu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1No07jH5.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 3880 wrote to memory of 1724	3880	2a71c069ced4a4f8e33edffc52ee4c40N.exe	84
PID 3880 wrote to memory of 1724	3880	2a71c069ced4a4f8e33edffc52ee4c40N.exe	84
PID 3880 wrote to memory of 1724	3880	2a71c069ced4a4f8e33edffc52ee4c40N.exe	84
PID 1724 wrote to memory of 1168	1724	Xz9eP1qu.exe	86
PID 1724 wrote to memory of 1168	1724	Xz9eP1qu.exe	86
PID 1724 wrote to memory of 1168	1724	Xz9eP1qu.exe	86
PID 1168 wrote to memory of 684	1168	1No07jH5.exe	101
PID 1168 wrote to memory of 684	1168	1No07jH5.exe	101
PID 1168 wrote to memory of 684	1168	1No07jH5.exe	101
PID 1168 wrote to memory of 684	1168	1No07jH5.exe	101
PID 1168 wrote to memory of 684	1168	1No07jH5.exe	101
PID 1168 wrote to memory of 684	1168	1No07jH5.exe	101
PID 1168 wrote to memory of 684	1168	1No07jH5.exe	101
PID 1168 wrote to memory of 684	1168	1No07jH5.exe	101
PID 1168 wrote to memory of 684	1168	1No07jH5.exe	101
PID 1168 wrote to memory of 684	1168	1No07jH5.exe	101
PID 1724 wrote to memory of 4504	1724	Xz9eP1qu.exe	103
PID 1724 wrote to memory of 4504	1724	Xz9eP1qu.exe	103
PID 1724 wrote to memory of 4504	1724	Xz9eP1qu.exe	103

C:\Users\Admin\AppData\Local\Temp\2a71c069ced4a4f8e33edffc52ee4c40N.exe
"C:\Users\Admin\AppData\Local\Temp\2a71c069ced4a4f8e33edffc52ee4c40N.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3880
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Xz9eP1qu.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Xz9eP1qu.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1724
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1No07jH5.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1No07jH5.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1168
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:684
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 684 -s 540
        5⤵
        Program crash
        
        PID:4608
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2hj865Fr.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2hj865Fr.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 684 -ip 684
1⤵
PID:3004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Xz9eP1qu.exe

Filesize
398KB

MD5
71508547d2f673a564d856fb9e000823

SHA1
8542a093e636d10fc64f3b463d881d21ef8a2cbc

SHA256
ae834cb6d0d921cdfffb00f75ae6ae803f11d95b6b8f799f380b58fc942c4e9e

SHA512
27f557a3ac7a9113caf3d56234f41fb709a0734b3931287cffbcd6f4c729d01769db636924aae0d3f863663d3650f72e2dc971bcf39dc80a2d2102759c7c41ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1No07jH5.exe

Filesize
320KB

MD5
f14c010d66f013baab9fc5b6c4e0e35b

SHA1
d0db74098c01e21a7aa0636d6903004371d12189

SHA256
9a4186a06966f65335ebcad9956eb9526b7c8f9498ccbc3f1ef0315b05072771

SHA512
362f793cfe4cea498d7f66fe2854f3e9281703eb6c5d3df02e86724e14b8b59cdbe0b042a6580e9cad2fc7b5f8a782e492e26af0741a2bff7c853bfa1618cef9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2hj865Fr.exe

Filesize
222KB

MD5
163ce65e5b33b7ef1130a9f5b4b8ed48

SHA1
bb4ad3872941a8aea1c341bceb28ffe761c96f8e

SHA256
994e1349b21eedd115a880375eb19e0422589070f964dc25e70f2fe00fdc6008

SHA512
ddc2ad813e90b97e67a8e346f807ce361d805ad5de6ede1ea677caf98d7fcb73ea16d596d4980aac8714c840ebeced700efb0e921157321694c5eab27abd4a3f

Download Submit
memory/684-14-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/684-18-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/684-16-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/684-15-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4504-23-0x00000000080C0000-0x0000000008664000-memory.dmp

Filesize
5.6MB

Download
memory/4504-22-0x0000000000D50000-0x0000000000D8E000-memory.dmp

Filesize
248KB

Download
memory/4504-24-0x0000000007C10000-0x0000000007CA2000-memory.dmp

Filesize
584KB

Download
memory/4504-25-0x00000000051E0000-0x00000000051EA000-memory.dmp

Filesize
40KB

Download
memory/4504-26-0x0000000008C90000-0x00000000092A8000-memory.dmp

Filesize
6.1MB

Download
memory/4504-27-0x0000000007F20000-0x000000000802A000-memory.dmp

Filesize
1.0MB

Download
memory/4504-28-0x0000000007E50000-0x0000000007E62000-memory.dmp

Filesize
72KB

Download
memory/4504-29-0x0000000007EB0000-0x0000000007EEC000-memory.dmp

Filesize
240KB

Download
memory/4504-30-0x0000000008030000-0x000000000807C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads