mystic | ebed7638ed1683139872218c9acfcf40e689f609f9d79dfdd60af3faa53897a6

General

Target

ebed7638ed1683139872218c9acfcf40e689f609f9d79dfdd60af3faa53897a6N.exe
Size

1.4MB
MD5

d33b7d13c5fb379d2a3817ecaa8bef20
SHA1

cc4d43a964b2cd8b196791936a38eb39195fb5b5
SHA256

ebed7638ed1683139872218c9acfcf40e689f609f9d79dfdd60af3faa53897a6
SHA512

7b8513247feb0adecacd6210024141cac7a12d382cdaa93ab1e778c29f9f4904f11d0a86761dbd621053decc6feb0939f8cbaeffefa8621f2a2b7831c9eb55bb
SSDEEP

24576:3yOvZtvSMg4248k6TPs8GcVE0ZketvxXnwbrtd5CYXaiFUVfCT0lfTI:CMtvSMg4L/6TPsh0me3gbr/kYqrVq4

Score

10^/10

mystic redline kinza discovery infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kinza

C2

77.91.124.86:19084

Signatures

Detect Mystic stealer payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4144-21-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral1/memory/4144-25-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral1/memory/4144-23-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral1/memory/4144-22-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
Mystic family
mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2ix410tC.exe	family_redline
behavioral1/memory/1080-29-0x0000000000AE0000-0x0000000000B1E000-memory.dmp	family_redline

Redline family
redline
Executes dropped EXE 4 IoCs

Processes:

YP3Nl4dB.exeEr9Yg5DU.exe1cF59Db8.exe2ix410tC.exe

pid process

4792 YP3Nl4dB.exe
212 Er9Yg5DU.exe
5068 1cF59Db8.exe
1080 2ix410tC.exe

pid	process
4792	YP3Nl4dB.exe
212	Er9Yg5DU.exe
5068	1cF59Db8.exe
1080	2ix410tC.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

ebed7638ed1683139872218c9acfcf40e689f609f9d79dfdd60af3faa53897a6N.exeYP3Nl4dB.exeEr9Yg5DU.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ebed7638ed1683139872218c9acfcf40e689f609f9d79dfdd60af3faa53897a6N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	YP3Nl4dB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Er9Yg5DU.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

1cF59Db8.exe

description pid process target process

PID 5068 set thread context of 4144 5068 1cF59Db8.exe AppLaunch.exe

description	pid	process	target process
PID 5068 set thread context of 4144	5068	1cF59Db8.exe	AppLaunch.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

2ix410tC.exeebed7638ed1683139872218c9acfcf40e689f609f9d79dfdd60af3faa53897a6N.exeYP3Nl4dB.exeEr9Yg5DU.exe1cF59Db8.exeAppLaunch.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2ix410tC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ebed7638ed1683139872218c9acfcf40e689f609f9d79dfdd60af3faa53897a6N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	YP3Nl4dB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Er9Yg5DU.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1cF59Db8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AppLaunch.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

ebed7638ed1683139872218c9acfcf40e689f609f9d79dfdd60af3faa53897a6N.exeYP3Nl4dB.exeEr9Yg5DU.exe1cF59Db8.exe

description	pid	process	target process
PID 3600 wrote to memory of 4792	3600	ebed7638ed1683139872218c9acfcf40e689f609f9d79dfdd60af3faa53897a6N.exe	YP3Nl4dB.exe
PID 3600 wrote to memory of 4792	3600	ebed7638ed1683139872218c9acfcf40e689f609f9d79dfdd60af3faa53897a6N.exe	YP3Nl4dB.exe
PID 3600 wrote to memory of 4792	3600	ebed7638ed1683139872218c9acfcf40e689f609f9d79dfdd60af3faa53897a6N.exe	YP3Nl4dB.exe
PID 4792 wrote to memory of 212	4792	YP3Nl4dB.exe	Er9Yg5DU.exe
PID 4792 wrote to memory of 212	4792	YP3Nl4dB.exe	Er9Yg5DU.exe
PID 4792 wrote to memory of 212	4792	YP3Nl4dB.exe	Er9Yg5DU.exe
PID 212 wrote to memory of 5068	212	Er9Yg5DU.exe	1cF59Db8.exe
PID 212 wrote to memory of 5068	212	Er9Yg5DU.exe	1cF59Db8.exe
PID 212 wrote to memory of 5068	212	Er9Yg5DU.exe	1cF59Db8.exe
PID 5068 wrote to memory of 4144	5068	1cF59Db8.exe	AppLaunch.exe
PID 5068 wrote to memory of 4144	5068	1cF59Db8.exe	AppLaunch.exe
PID 5068 wrote to memory of 4144	5068	1cF59Db8.exe	AppLaunch.exe
PID 5068 wrote to memory of 4144	5068	1cF59Db8.exe	AppLaunch.exe
PID 5068 wrote to memory of 4144	5068	1cF59Db8.exe	AppLaunch.exe
PID 5068 wrote to memory of 4144	5068	1cF59Db8.exe	AppLaunch.exe
PID 5068 wrote to memory of 4144	5068	1cF59Db8.exe	AppLaunch.exe
PID 5068 wrote to memory of 4144	5068	1cF59Db8.exe	AppLaunch.exe
PID 5068 wrote to memory of 4144	5068	1cF59Db8.exe	AppLaunch.exe
PID 5068 wrote to memory of 4144	5068	1cF59Db8.exe	AppLaunch.exe
PID 212 wrote to memory of 1080	212	Er9Yg5DU.exe	2ix410tC.exe
PID 212 wrote to memory of 1080	212	Er9Yg5DU.exe	2ix410tC.exe
PID 212 wrote to memory of 1080	212	Er9Yg5DU.exe	2ix410tC.exe

C:\Users\Admin\AppData\Local\Temp\ebed7638ed1683139872218c9acfcf40e689f609f9d79dfdd60af3faa53897a6N.exe
"C:\Users\Admin\AppData\Local\Temp\ebed7638ed1683139872218c9acfcf40e689f609f9d79dfdd60af3faa53897a6N.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3600
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\YP3Nl4dB.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\YP3Nl4dB.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4792
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Er9Yg5DU.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Er9Yg5DU.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:212
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1cF59Db8.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1cF59Db8.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:5068
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4144
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2ix410tC.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2ix410tC.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\YP3Nl4dB.exe

Filesize
874KB

MD5
e6b1d59bb6f139b7f415e496ef99b3e5

SHA1
b56905fd9f26f4f99539e53d2669b22e145c4fca

SHA256
0178c66540aa42349124a6c13e15abbd0a111bc790084a1d1eab63a3db9a63d2

SHA512
404d05d01932ca725198447ef99f1ec5a8e36c92395cad113c0e039464ebdfa6bb39814b3d417a455b465c9fe6f32a6ccb1a71890dbb25c682799760b0b56409

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Er9Yg5DU.exe

Filesize
678KB

MD5
809e72b60c534a9e32aca15039d5c560

SHA1
914934908c05809566f284dd977813d667cb4590

SHA256
4f09e5659794eaea5955bcb72eafe75510d97aa047565312f4c4d37826f3d93a

SHA512
e37d266520692ec449859ef3eb67519a5fbb8ecc5a7361b2ce375f2a7fa7600343296edb16076f8b8094fd188cfe9a031b821f849d40a4178789e830dc686885

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1cF59Db8.exe

Filesize
1.8MB

MD5
9e2dfae93300da40f441af5b783f580a

SHA1
b01a13d60ae482d65886534e64217a736f9a0f45

SHA256
5b1e847932e40e4097d7e5eb568a82ad39a4581482763cb395e470ce0344be23

SHA512
2eb3bd6cfd28b143a5cefdd851354520341553ce3ee953d759d819bd319afb3b00e56968062d22c4f3d11b7335d92ac40d54e5359f34c439b276a088b53e7ba8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2ix410tC.exe

Filesize
221KB

MD5
dc217dce419378409e174e845291c230

SHA1
19e22cf01328f1a372f0bcd6ed81d5646c59b89a

SHA256
f241941b9299d1e1a55e992c94be4c7fdec00623db55ac2c6b74a5a7517a63c8

SHA512
4018a1bf5cfa51c161fd61fada479a2933a858907b71474ad3fbe373892150783d82a98fb69e414ccde9db10a4ff9b8fbf81663dba94d48c3f5bea61c72f443e

Download Submit
memory/1080-33-0x0000000008940000-0x0000000008F58000-memory.dmp

Filesize
6.1MB

Download
memory/1080-29-0x0000000000AE0000-0x0000000000B1E000-memory.dmp

Filesize
248KB

Download
memory/1080-30-0x0000000007D70000-0x0000000008314000-memory.dmp

Filesize
5.6MB

Download
memory/1080-31-0x00000000078A0000-0x0000000007932000-memory.dmp

Filesize
584KB

Download
memory/1080-32-0x0000000004E40000-0x0000000004E4A000-memory.dmp

Filesize
40KB

Download
memory/1080-34-0x0000000008320000-0x000000000842A000-memory.dmp

Filesize
1.0MB

Download
memory/1080-35-0x0000000007990000-0x00000000079A2000-memory.dmp

Filesize
72KB

Download
memory/1080-36-0x0000000007B10000-0x0000000007B4C000-memory.dmp

Filesize
240KB

Download
memory/1080-37-0x00000000079C0000-0x0000000007A0C000-memory.dmp

Filesize
304KB

Download
memory/4144-23-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4144-22-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4144-25-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4144-21-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads