mystic | 665c2dfbc8db51a7b74bee189fa0e4a2ce4dba6e15900cb5e69dae361321c0e8

General

Target

86a4936c8ee34875d49ce4a923fe7b60N.exe
Size

1.0MB
MD5

86a4936c8ee34875d49ce4a923fe7b60
SHA1

fbb5d1506efadc552b73e5b91a203586ef9aed24
SHA256

665c2dfbc8db51a7b74bee189fa0e4a2ce4dba6e15900cb5e69dae361321c0e8
SHA512

826791adc594cc3dd720e368cf68131f91a970ef220cdb58c72bcc5fe54416c2df3930c3ee8c0db393529506577263fa0ec7322708a4922b56c74812ef8aac51
SSDEEP

24576:cyjqV8n8PLWkBhhNuf0L8dI3AAy4Lt2iv+kBhsaCVQu1cqC:LjJ8zWkif0LJ3y4k6BhsBVQ5q

Score

10^/10

mystic redline kukish discovery infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kukish

C2

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 3 IoCs

resource	yara_rule
behavioral1/memory/5056-28-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral1/memory/5056-29-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral1/memory/5056-31-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000700000002346b-33.dat	family_redline
behavioral1/memory/1336-35-0x0000000000050000-0x000000000008E000-memory.dmp	family_redline

Executes dropped EXE 5 IoCs

pid	Process
3552	Pj9hC4Ih.exe
2200	Qy5rV0Wq.exe
1572	wJ5Np6pT.exe
4052	1on85Xz1.exe
1336	2qc058WH.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	wJ5Np6pT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	86a4936c8ee34875d49ce4a923fe7b60N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Pj9hC4Ih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Qy5rV0Wq.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4052 set thread context of 5056	4052	1on85Xz1.exe	89

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2qc058WH.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	86a4936c8ee34875d49ce4a923fe7b60N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pj9hC4Ih.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qy5rV0Wq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wJ5Np6pT.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1on85Xz1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AppLaunch.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 3932 wrote to memory of 3552	3932	86a4936c8ee34875d49ce4a923fe7b60N.exe	84
PID 3932 wrote to memory of 3552	3932	86a4936c8ee34875d49ce4a923fe7b60N.exe	84
PID 3932 wrote to memory of 3552	3932	86a4936c8ee34875d49ce4a923fe7b60N.exe	84
PID 3552 wrote to memory of 2200	3552	Pj9hC4Ih.exe	85
PID 3552 wrote to memory of 2200	3552	Pj9hC4Ih.exe	85
PID 3552 wrote to memory of 2200	3552	Pj9hC4Ih.exe	85
PID 2200 wrote to memory of 1572	2200	Qy5rV0Wq.exe	86
PID 2200 wrote to memory of 1572	2200	Qy5rV0Wq.exe	86
PID 2200 wrote to memory of 1572	2200	Qy5rV0Wq.exe	86
PID 1572 wrote to memory of 4052	1572	wJ5Np6pT.exe	87
PID 1572 wrote to memory of 4052	1572	wJ5Np6pT.exe	87
PID 1572 wrote to memory of 4052	1572	wJ5Np6pT.exe	87
PID 4052 wrote to memory of 5056	4052	1on85Xz1.exe	89
PID 4052 wrote to memory of 5056	4052	1on85Xz1.exe	89
PID 4052 wrote to memory of 5056	4052	1on85Xz1.exe	89
PID 4052 wrote to memory of 5056	4052	1on85Xz1.exe	89
PID 4052 wrote to memory of 5056	4052	1on85Xz1.exe	89
PID 4052 wrote to memory of 5056	4052	1on85Xz1.exe	89
PID 4052 wrote to memory of 5056	4052	1on85Xz1.exe	89
PID 4052 wrote to memory of 5056	4052	1on85Xz1.exe	89
PID 4052 wrote to memory of 5056	4052	1on85Xz1.exe	89
PID 4052 wrote to memory of 5056	4052	1on85Xz1.exe	89
PID 1572 wrote to memory of 1336	1572	wJ5Np6pT.exe	90
PID 1572 wrote to memory of 1336	1572	wJ5Np6pT.exe	90
PID 1572 wrote to memory of 1336	1572	wJ5Np6pT.exe	90

C:\Users\Admin\AppData\Local\Temp\86a4936c8ee34875d49ce4a923fe7b60N.exe
"C:\Users\Admin\AppData\Local\Temp\86a4936c8ee34875d49ce4a923fe7b60N.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3932
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Pj9hC4Ih.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Pj9hC4Ih.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3552
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Qy5rV0Wq.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Qy5rV0Wq.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2200
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\wJ5Np6pT.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\wJ5Np6pT.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1572
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1on85Xz1.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1on85Xz1.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4052
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5056
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2qc058WH.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2qc058WH.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Pj9hC4Ih.exe

Filesize
848KB

MD5
32fc1060ca30836439ca396f2d195835

SHA1
c2b208cdf608e77ec5d7d1b56fbdc6501dd39ac9

SHA256
de9293ab467735ab0e456fe1376dfd94b75ab0cdab28a109f40bc8a79044b8af

SHA512
64a613129e0cd8d58f9362865e98083f92b0f090d005be2b83fe33140216ea1877db7a6dd5760f5534c9774fa47ac7f6401780346e1ba08e50001563f5ca19ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Qy5rV0Wq.exe

Filesize
596KB

MD5
1ac36acd434ebc0dd414bcb9c405ada7

SHA1
ef8c832be8b0711e5926ab48d3ed4b134ca3f115

SHA256
a501da163b032b1297b87344486f59d18e8e972dbedbb5e25e03c50e52d94edf

SHA512
eaa665935d22725e6dad385b327bc4ce0b976d9095d08c50111e6dc434ea4ef0d71903614ce753f5a99a7a1bdc83ad55a4328af6cf398b1be136f59e0afb982b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\wJ5Np6pT.exe

Filesize
401KB

MD5
92c31c81c11464b3e438e3fb8db5d1f7

SHA1
a5b1ad0cc842e434b1052dae7149bbb2f06a51c0

SHA256
b30893113701ea5a3f84dac51cfcee9aad8ab7b5a06a4c85fbe1f4202632346b

SHA512
e0b930f26b4f72fab16d2c1e489e0a29df93968c86f06fde469b676a0c54aca6581c01914045d74d1f91a11e4ac43cfef1876733db171b66d66f58548186e051

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1on85Xz1.exe

Filesize
328KB

MD5
a26c4bb6089599f74fd093ecf66899ab

SHA1
d6f716a8959f22b4f311630153cbc04e5b2151d1

SHA256
bc1652e56ad55ca037253a987789348b7d40e70147920a69df1906fc7506bb6e

SHA512
9b3666da87a90fafbb391f0f97c0647497ec03d958367d8b2b78aef8887802438e87e4fae67d351c688b2eb8daa01039cb1d88b009403eb8ff727d0c7517c0fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2qc058WH.exe

Filesize
222KB

MD5
a502b0d082189b0afd792d142b730696

SHA1
ea9bb0b121fc7ea5f9018f518cbeffd1b4aee786

SHA256
9811fcf8ae8a0591b6273d122bf0b0a23499b244834aaebd3e3a919a1d8651d9

SHA512
49296ffd7141139aa4465899d5d827691415550e2922b1890cfb0c1d7ea748bbd47321d98e7351b7374cf742cf1a6c32c28d69673345babd1359adf71d2441c4

Download Submit
memory/1336-39-0x0000000007FA0000-0x00000000085B8000-memory.dmp

Filesize
6.1MB

Download
memory/1336-35-0x0000000000050000-0x000000000008E000-memory.dmp

Filesize
248KB

Download
memory/1336-36-0x00000000073D0000-0x0000000007974000-memory.dmp

Filesize
5.6MB

Download
memory/1336-37-0x0000000006E20000-0x0000000006EB2000-memory.dmp

Filesize
584KB

Download
memory/1336-38-0x0000000002340000-0x000000000234A000-memory.dmp

Filesize
40KB

Download
memory/1336-40-0x0000000007160000-0x000000000726A000-memory.dmp

Filesize
1.0MB

Download
memory/1336-41-0x0000000006FF0000-0x0000000007002000-memory.dmp

Filesize
72KB

Download
memory/1336-42-0x0000000007090000-0x00000000070CC000-memory.dmp

Filesize
240KB

Download
memory/1336-43-0x00000000070D0000-0x000000000711C000-memory.dmp

Filesize
304KB

Download
memory/5056-29-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5056-31-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5056-28-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads