mystic | 4f09e5659794eaea5955bcb72eafe75510d97aa047565312f4c4d37826f3d93a

General

Target

4f09e5659794eaea5955bcb72eafe75510d97aa047565312f4c4d37826f3d93aN.exe
Size

678KB
MD5

809e72b60c534a9e32aca15039d5c560
SHA1

914934908c05809566f284dd977813d667cb4590
SHA256

4f09e5659794eaea5955bcb72eafe75510d97aa047565312f4c4d37826f3d93a
SHA512

e37d266520692ec449859ef3eb67519a5fbb8ecc5a7361b2ce375f2a7fa7600343296edb16076f8b8094fd188cfe9a031b821f849d40a4178789e830dc686885
SSDEEP

12288:LMrQy909nEKRresal5ngE2BeVHs3lv0wOD1zruOR+jeVh2hOaBe9IU5Wh9YVl:HyUnEKR96xn2f3tx+1DIK72hbB+vr

Score

10^/10

mystic redline kinza discovery infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kinza

C2

77.91.124.86:19084

Signatures

Detect Mystic stealer payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3048-7-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral1/memory/3048-8-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral1/memory/3048-11-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral1/memory/3048-9-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
Mystic family
mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2ix410tC.exe	family_redline
behavioral1/memory/5000-16-0x0000000000FB0000-0x0000000000FEE000-memory.dmp	family_redline

Redline family
redline
Executes dropped EXE 2 IoCs

Processes:

1cF59Db8.exe2ix410tC.exe

pid process

4756 1cF59Db8.exe
5000 2ix410tC.exe

pid	process
4756	1cF59Db8.exe
5000	2ix410tC.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

4f09e5659794eaea5955bcb72eafe75510d97aa047565312f4c4d37826f3d93aN.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	4f09e5659794eaea5955bcb72eafe75510d97aa047565312f4c4d37826f3d93aN.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

1cF59Db8.exe

description pid process target process

PID 4756 set thread context of 3048 4756 1cF59Db8.exe AppLaunch.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2068 3048 WerFault.exe AppLaunch.exe

description	pid	process	target process
PID 4756 set thread context of 3048	4756	1cF59Db8.exe	AppLaunch.exe

pid	pid_target	process	target process
2068	3048	WerFault.exe	AppLaunch.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

4f09e5659794eaea5955bcb72eafe75510d97aa047565312f4c4d37826f3d93aN.exe1cF59Db8.exeAppLaunch.exe2ix410tC.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4f09e5659794eaea5955bcb72eafe75510d97aa047565312f4c4d37826f3d93aN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1cF59Db8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2ix410tC.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

4f09e5659794eaea5955bcb72eafe75510d97aa047565312f4c4d37826f3d93aN.exe1cF59Db8.exe

description	pid	process	target process
PID 1228 wrote to memory of 4756	1228	4f09e5659794eaea5955bcb72eafe75510d97aa047565312f4c4d37826f3d93aN.exe	1cF59Db8.exe
PID 1228 wrote to memory of 4756	1228	4f09e5659794eaea5955bcb72eafe75510d97aa047565312f4c4d37826f3d93aN.exe	1cF59Db8.exe
PID 1228 wrote to memory of 4756	1228	4f09e5659794eaea5955bcb72eafe75510d97aa047565312f4c4d37826f3d93aN.exe	1cF59Db8.exe
PID 4756 wrote to memory of 3048	4756	1cF59Db8.exe	AppLaunch.exe
PID 4756 wrote to memory of 3048	4756	1cF59Db8.exe	AppLaunch.exe
PID 4756 wrote to memory of 3048	4756	1cF59Db8.exe	AppLaunch.exe
PID 4756 wrote to memory of 3048	4756	1cF59Db8.exe	AppLaunch.exe
PID 4756 wrote to memory of 3048	4756	1cF59Db8.exe	AppLaunch.exe
PID 4756 wrote to memory of 3048	4756	1cF59Db8.exe	AppLaunch.exe
PID 4756 wrote to memory of 3048	4756	1cF59Db8.exe	AppLaunch.exe
PID 4756 wrote to memory of 3048	4756	1cF59Db8.exe	AppLaunch.exe
PID 4756 wrote to memory of 3048	4756	1cF59Db8.exe	AppLaunch.exe
PID 4756 wrote to memory of 3048	4756	1cF59Db8.exe	AppLaunch.exe
PID 1228 wrote to memory of 5000	1228	4f09e5659794eaea5955bcb72eafe75510d97aa047565312f4c4d37826f3d93aN.exe	2ix410tC.exe
PID 1228 wrote to memory of 5000	1228	4f09e5659794eaea5955bcb72eafe75510d97aa047565312f4c4d37826f3d93aN.exe	2ix410tC.exe
PID 1228 wrote to memory of 5000	1228	4f09e5659794eaea5955bcb72eafe75510d97aa047565312f4c4d37826f3d93aN.exe	2ix410tC.exe

C:\Users\Admin\AppData\Local\Temp\4f09e5659794eaea5955bcb72eafe75510d97aa047565312f4c4d37826f3d93aN.exe
"C:\Users\Admin\AppData\Local\Temp\4f09e5659794eaea5955bcb72eafe75510d97aa047565312f4c4d37826f3d93aN.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1228
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cF59Db8.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cF59Db8.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4756
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3048
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3048 -s 540
      4⤵
      Program crash
      PID:2068
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2ix410tC.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2ix410tC.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3048 -ip 3048
1⤵
PID:2680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cF59Db8.exe

Filesize
1.8MB

MD5
9e2dfae93300da40f441af5b783f580a

SHA1
b01a13d60ae482d65886534e64217a736f9a0f45

SHA256
5b1e847932e40e4097d7e5eb568a82ad39a4581482763cb395e470ce0344be23

SHA512
2eb3bd6cfd28b143a5cefdd851354520341553ce3ee953d759d819bd319afb3b00e56968062d22c4f3d11b7335d92ac40d54e5359f34c439b276a088b53e7ba8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2ix410tC.exe

Filesize
221KB

MD5
dc217dce419378409e174e845291c230

SHA1
19e22cf01328f1a372f0bcd6ed81d5646c59b89a

SHA256
f241941b9299d1e1a55e992c94be4c7fdec00623db55ac2c6b74a5a7517a63c8

SHA512
4018a1bf5cfa51c161fd61fada479a2933a858907b71474ad3fbe373892150783d82a98fb69e414ccde9db10a4ff9b8fbf81663dba94d48c3f5bea61c72f443e

Download Submit
memory/3048-7-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3048-8-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3048-11-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3048-9-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5000-17-0x0000000008380000-0x0000000008924000-memory.dmp

Filesize
5.6MB

Download
memory/5000-16-0x0000000000FB0000-0x0000000000FEE000-memory.dmp

Filesize
248KB

Download
memory/5000-15-0x0000000073EFE000-0x0000000073EFF000-memory.dmp

Filesize
4KB

Download
memory/5000-18-0x0000000007EB0000-0x0000000007F42000-memory.dmp

Filesize
584KB

Download
memory/5000-19-0x0000000005460000-0x000000000546A000-memory.dmp

Filesize
40KB

Download
memory/5000-20-0x0000000073EF0000-0x00000000746A0000-memory.dmp

Filesize
7.7MB

Download
memory/5000-21-0x0000000008F50000-0x0000000009568000-memory.dmp

Filesize
6.1MB

Download
memory/5000-22-0x0000000008250000-0x000000000835A000-memory.dmp

Filesize
1.0MB

Download
memory/5000-23-0x0000000007FA0000-0x0000000007FB2000-memory.dmp

Filesize
72KB

Download
memory/5000-24-0x0000000008140000-0x000000000817C000-memory.dmp

Filesize
240KB

Download
memory/5000-25-0x0000000007FD0000-0x000000000801C000-memory.dmp

Filesize
304KB

Download
memory/5000-26-0x0000000073EFE000-0x0000000073EFF000-memory.dmp

Filesize
4KB

Download
memory/5000-27-0x0000000073EF0000-0x00000000746A0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads