mystic | 3686e746ce7172063ac3b749b5f98a3e86e422dca03472a5feba9871dd65bb5d

General

Target

3686e746ce7172063ac3b749b5f98a3e86e422dca03472a5feba9871dd65bb5d.exe
Size

548KB
MD5

df3a1a0c571e06dbf9e9f228872b9825
SHA1

b3915508ea8ef4392bb50317a6686e26a47b7f21
SHA256

3686e746ce7172063ac3b749b5f98a3e86e422dca03472a5feba9871dd65bb5d
SHA512

0582b9d2c0ba09dee5357d4ddb7d15ee7d2178a1165a4168a6a874703e8c5b8f521450d66eb66b74fe2a8f5e0bf25007cfc65f9d6559c65bcf07d940db0e5df4
SSDEEP

12288:HMr9y90qXlWAXlb9ssmU4aAJBHrKYk7czBg+Nc:+yHWcssZ4aAJBLKX7cNg+Nc

Score

10^/10

mystic redline virad discovery infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

virad

C2

77.91.124.82:19071

Attributes

auth_value
434dd63619ca8bbf10125913fb40ca28

Signatures

Detect Mystic stealer payload 1 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023c74-12.dat	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
Mystic family
mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023c75-15.dat	family_redline
behavioral1/memory/5096-18-0x0000000000920000-0x0000000000950000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 3 IoCs

pid	Process
2088	y7683518.exe
3156	m8603086.exe
5096	n7038263.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	3686e746ce7172063ac3b749b5f98a3e86e422dca03472a5feba9871dd65bb5d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y7683518.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3686e746ce7172063ac3b749b5f98a3e86e422dca03472a5feba9871dd65bb5d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	y7683518.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	m8603086.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	n7038263.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2788 wrote to memory of 2088	2788	3686e746ce7172063ac3b749b5f98a3e86e422dca03472a5feba9871dd65bb5d.exe	83
PID 2788 wrote to memory of 2088	2788	3686e746ce7172063ac3b749b5f98a3e86e422dca03472a5feba9871dd65bb5d.exe	83
PID 2788 wrote to memory of 2088	2788	3686e746ce7172063ac3b749b5f98a3e86e422dca03472a5feba9871dd65bb5d.exe	83
PID 2088 wrote to memory of 3156	2088	y7683518.exe	84
PID 2088 wrote to memory of 3156	2088	y7683518.exe	84
PID 2088 wrote to memory of 3156	2088	y7683518.exe	84
PID 2088 wrote to memory of 5096	2088	y7683518.exe	85
PID 2088 wrote to memory of 5096	2088	y7683518.exe	85
PID 2088 wrote to memory of 5096	2088	y7683518.exe	85

C:\Users\Admin\AppData\Local\Temp\3686e746ce7172063ac3b749b5f98a3e86e422dca03472a5feba9871dd65bb5d.exe
"C:\Users\Admin\AppData\Local\Temp\3686e746ce7172063ac3b749b5f98a3e86e422dca03472a5feba9871dd65bb5d.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2788
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7683518.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7683518.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2088
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m8603086.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m8603086.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3156
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n7038263.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n7038263.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7683518.exe

Filesize
271KB

MD5
77d4759acd7711175212257e2228306d

SHA1
3d2dc15d2d48f96cdcea686ea957eb5c4ff23efd

SHA256
d6a4d556cc6618f5ab5e016082c6286e99dd68a781afd0ba0e842797b2113e60

SHA512
ce72e457995a7a1f4791fde3f896273cf2ba746d39946a503c12c29357cfd1a50b4ed9495566e3311efb9f0dae2fd16ca80b82aebe49f12b03c7996f475015ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m8603086.exe

Filesize
140KB

MD5
02b3e551ccf7d521a0fb657cc4d10b5b

SHA1
45f210e99002cd003ccdb9a3ed76f0d2cc7f6d69

SHA256
a5b05391ecf3aba661c2b5fda2ad2aaec6498e94d0f0cd67170c45569106ca84

SHA512
727778b87d47bf6349c7503f62973532397b9e148cdb6ad9357d81c1aeabee17b7c2658860db1e1aa3fd6fea854802b88c9f248d821482d4f3e2eef846b4b28a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n7038263.exe

Filesize
174KB

MD5
a7d3cb3678d80ee4088d15b7311d2a37

SHA1
ce71d880bfaddec579477237718c29f8161d3789

SHA256
d3ff00112d91a6f5bbb1907f5424f6013049321a1200744754d313441b8bc468

SHA512
983169237f6787153c929b32651f1ae4751030b7fa5aae73ebbab37b1efb8b368157ae96bb769ae1613279ef6a9bf815be71b872df690b32706efe8e3719ba3c

Download Submit
memory/5096-17-0x00000000744CE000-0x00000000744CF000-memory.dmp

Filesize
4KB

Download
memory/5096-18-0x0000000000920000-0x0000000000950000-memory.dmp

Filesize
192KB

Download
memory/5096-19-0x0000000002B30000-0x0000000002B36000-memory.dmp

Filesize
24KB

Download
memory/5096-20-0x0000000005890000-0x0000000005EA8000-memory.dmp

Filesize
6.1MB

Download
memory/5096-21-0x0000000005380000-0x000000000548A000-memory.dmp

Filesize
1.0MB

Download
memory/5096-22-0x00000000052B0000-0x00000000052C2000-memory.dmp

Filesize
72KB

Download
memory/5096-23-0x00000000744C0000-0x0000000074C70000-memory.dmp

Filesize
7.7MB

Download
memory/5096-24-0x0000000005310000-0x000000000534C000-memory.dmp

Filesize
240KB

Download
memory/5096-25-0x0000000005490000-0x00000000054DC000-memory.dmp

Filesize
304KB

Download
memory/5096-26-0x00000000744CE000-0x00000000744CF000-memory.dmp

Filesize
4KB

Download
memory/5096-27-0x00000000744C0000-0x0000000074C70000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads