mystic | 73b2c0167abf80d5aad9557dd5cc4d450d392f6a49980aa7346ec037f66ac075

General

Target

728d52c83aca0cb5de26056ec75dd870N.exe
Size

1.4MB
MD5

728d52c83aca0cb5de26056ec75dd870
SHA1

affc0728335f530fcac7f1b8dff3919cd1ec827a
SHA256

73b2c0167abf80d5aad9557dd5cc4d450d392f6a49980aa7346ec037f66ac075
SHA512

bf1201a598ab45ef14ef2b33d09d1fd4521d999ce179d0ae2965d4c1d7f55f61814eb4dc5d10ef47c5919c4ec0e51378264f7eda2a3c13b545449a2bea526e6a
SSDEEP

24576:wytD5/pwQvlVQnE2Bm2wCHv6fJ1+7IHp5WTyUDYaIxJuEn:37hwQNEvm2wovuJoIHp8Tya1Ixd

Score

10^/10

mystic redline kinza discovery infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kinza

C2

77.91.124.86:19084

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral1/memory/220-21-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral1/memory/220-26-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral1/memory/220-23-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral1/memory/220-22-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x00070000000234b6-27.dat	family_redline
behavioral1/memory/3448-29-0x0000000000EC0000-0x0000000000EFE000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

pid	Process
3860	mu5oM2kM.exe
2316	Fz1Gt3zx.exe
544	1lA45Qu0.exe
3448	2yX505hX.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	728d52c83aca0cb5de26056ec75dd870N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	mu5oM2kM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Fz1Gt3zx.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 544 set thread context of 220	544	1lA45Qu0.exe	90

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fz1Gt3zx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1lA45Qu0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2yX505hX.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	728d52c83aca0cb5de26056ec75dd870N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mu5oM2kM.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 232 wrote to memory of 3860	232	728d52c83aca0cb5de26056ec75dd870N.exe	84
PID 232 wrote to memory of 3860	232	728d52c83aca0cb5de26056ec75dd870N.exe	84
PID 232 wrote to memory of 3860	232	728d52c83aca0cb5de26056ec75dd870N.exe	84
PID 3860 wrote to memory of 2316	3860	mu5oM2kM.exe	85
PID 3860 wrote to memory of 2316	3860	mu5oM2kM.exe	85
PID 3860 wrote to memory of 2316	3860	mu5oM2kM.exe	85
PID 2316 wrote to memory of 544	2316	Fz1Gt3zx.exe	86
PID 2316 wrote to memory of 544	2316	Fz1Gt3zx.exe	86
PID 2316 wrote to memory of 544	2316	Fz1Gt3zx.exe	86
PID 544 wrote to memory of 220	544	1lA45Qu0.exe	90
PID 544 wrote to memory of 220	544	1lA45Qu0.exe	90
PID 544 wrote to memory of 220	544	1lA45Qu0.exe	90
PID 544 wrote to memory of 220	544	1lA45Qu0.exe	90
PID 544 wrote to memory of 220	544	1lA45Qu0.exe	90
PID 544 wrote to memory of 220	544	1lA45Qu0.exe	90
PID 544 wrote to memory of 220	544	1lA45Qu0.exe	90
PID 544 wrote to memory of 220	544	1lA45Qu0.exe	90
PID 544 wrote to memory of 220	544	1lA45Qu0.exe	90
PID 544 wrote to memory of 220	544	1lA45Qu0.exe	90
PID 2316 wrote to memory of 3448	2316	Fz1Gt3zx.exe	91
PID 2316 wrote to memory of 3448	2316	Fz1Gt3zx.exe	91
PID 2316 wrote to memory of 3448	2316	Fz1Gt3zx.exe	91

C:\Users\Admin\AppData\Local\Temp\728d52c83aca0cb5de26056ec75dd870N.exe
"C:\Users\Admin\AppData\Local\Temp\728d52c83aca0cb5de26056ec75dd870N.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:232
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mu5oM2kM.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mu5oM2kM.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3860
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Fz1Gt3zx.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Fz1Gt3zx.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2316
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1lA45Qu0.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1lA45Qu0.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:544
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:220
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2yX505hX.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2yX505hX.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mu5oM2kM.exe

Filesize
871KB

MD5
78bef4b2b297fa68600cec5608857ff9

SHA1
0e6d288faa1ff61e291c916bd733283141713480

SHA256
0c803b583a467580f6d725153b9f070346b900e00fa982f66ad2f92436d1545c

SHA512
f492fa4ba2ec6d667a1ace2676fb483fb19f9b00855ded6ea0423eee8022046e9593827e0ea8f57d16672c4f014ae322e82d22ef9c04cc07555af7ee93b740e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Fz1Gt3zx.exe

Filesize
675KB

MD5
76ebac37b2cbd250b2a2092853786663

SHA1
ebc064c3988db74312a03a82d42b0241326ff920

SHA256
014a0079c64444c90312255cc5cb8a369c3c2bda22b112243084f140860472b6

SHA512
14d49280beba130b39149c526549ae2bbe9ff34eaa169bf4b4678b786a19ebac27e5f5a8e05968a42a824dfc6800b8323f4a54f9e4c6df3f8376276e6b63e3b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1lA45Qu0.exe

Filesize
1.8MB

MD5
29ea8a3ca0de717dec6202e8ecc9e779

SHA1
b6ec887ce34eba44e99dfce8135e828b18695dd3

SHA256
01be9b47be1486221b8d371a79e103cafcbb4514cb3225cb3681def715650b8c

SHA512
e7c431f45aeb75aa4dfe6ee4e1e567ff2134f270773f458d2c6c695fb3039111d1203a6bfb66eef8e5e87e357c862597fb6d584d3c8e049555122670c43de6df

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2yX505hX.exe

Filesize
221KB

MD5
3da0d451b69de9872e2b71bc4cffd1ec

SHA1
61f723ac0759e4ea69b583699865f8ac8ef5c305

SHA256
273c31ed6f3826020b0f565b67994109a55773252757944b5d812899b0e16ddd

SHA512
8a82f4724902bd3f59c210b4bda5018a3339cc980c52bb4c76ca2c580517349001039e3a9af6ebf0ba12bc4cf2a76df5e2d07f78ede8e84a3c9ba3786103ada4

Download Submit
memory/220-21-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/220-26-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/220-23-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/220-22-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3448-29-0x0000000000EC0000-0x0000000000EFE000-memory.dmp

Filesize
248KB

Download
memory/3448-30-0x00000000081B0000-0x0000000008754000-memory.dmp

Filesize
5.6MB

Download
memory/3448-31-0x0000000007CA0000-0x0000000007D32000-memory.dmp

Filesize
584KB

Download
memory/3448-32-0x00000000030C0000-0x00000000030CA000-memory.dmp

Filesize
40KB

Download
memory/3448-33-0x0000000008D80000-0x0000000009398000-memory.dmp

Filesize
6.1MB

Download
memory/3448-34-0x0000000008760000-0x000000000886A000-memory.dmp

Filesize
1.0MB

Download
memory/3448-35-0x0000000007DC0000-0x0000000007DD2000-memory.dmp

Filesize
72KB

Download
memory/3448-36-0x0000000008020000-0x000000000805C000-memory.dmp

Filesize
240KB

Download
memory/3448-37-0x0000000008060000-0x00000000080AC000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads