mystic | 7d9837d308d96f96fc3b7fc68a7e4a933a1c4268a974e34629661dec50214832

General

Target

7d9837d308d96f96fc3b7fc68a7e4a933a1c4268a974e34629661dec50214832N.exe
Size

821KB
MD5

639d8042d16de28c65e78469e505a4e0
SHA1

8382e873cf83e53adc9808d492010052375d194a
SHA256

7d9837d308d96f96fc3b7fc68a7e4a933a1c4268a974e34629661dec50214832
SHA512

9e5c3b437202b17c0d9c7d1fdb303c5402d5dc95ffea514e0ab61c3368d9f08c32bcbea1ef23e35ed32a60f1a6b574a30a6b79d2f95cc5c338a252d823b6086a
SSDEEP

12288:iMrFy90iQyaEisqVQ2/SmB8sMySNPrr28fxpIN/tyBmUUBfAChHsvVp4DMJsW:PyxuEC/SecuEIuBzyfhkHJJsW

Score

10^/10

mystic redline gigant discovery infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

gigant

C2

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2044-14-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral1/memory/2044-16-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral1/memory/2044-15-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral1/memory/2044-18-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
Mystic family
mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2zE388fI.exe	family_redline
behavioral1/memory/3816-22-0x0000000000600000-0x000000000063E000-memory.dmp	family_redline

Redline family
redline
Executes dropped EXE 3 IoCs

Processes:

lf3tK1yY.exe1TR55Yr7.exe2zE388fI.exe

pid process

224 lf3tK1yY.exe
1332 1TR55Yr7.exe
3816 2zE388fI.exe

pid	process
224	lf3tK1yY.exe
1332	1TR55Yr7.exe
3816	2zE388fI.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

7d9837d308d96f96fc3b7fc68a7e4a933a1c4268a974e34629661dec50214832N.exelf3tK1yY.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	7d9837d308d96f96fc3b7fc68a7e4a933a1c4268a974e34629661dec50214832N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	lf3tK1yY.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

1TR55Yr7.exe

description pid process target process

PID 1332 set thread context of 2044 1332 1TR55Yr7.exe AppLaunch.exe
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3208 1332 WerFault.exe 1TR55Yr7.exe
2200 2044 WerFault.exe AppLaunch.exe

description	pid	process	target process
PID 1332 set thread context of 2044	1332	1TR55Yr7.exe	AppLaunch.exe

pid	pid_target	process	target process
3208	1332	WerFault.exe	1TR55Yr7.exe
2200	2044	WerFault.exe	AppLaunch.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

2zE388fI.exe7d9837d308d96f96fc3b7fc68a7e4a933a1c4268a974e34629661dec50214832N.exelf3tK1yY.exe1TR55Yr7.exeAppLaunch.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2zE388fI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7d9837d308d96f96fc3b7fc68a7e4a933a1c4268a974e34629661dec50214832N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lf3tK1yY.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1TR55Yr7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AppLaunch.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

7d9837d308d96f96fc3b7fc68a7e4a933a1c4268a974e34629661dec50214832N.exelf3tK1yY.exe1TR55Yr7.exe

description	pid	process	target process
PID 1220 wrote to memory of 224	1220	7d9837d308d96f96fc3b7fc68a7e4a933a1c4268a974e34629661dec50214832N.exe	lf3tK1yY.exe
PID 1220 wrote to memory of 224	1220	7d9837d308d96f96fc3b7fc68a7e4a933a1c4268a974e34629661dec50214832N.exe	lf3tK1yY.exe
PID 1220 wrote to memory of 224	1220	7d9837d308d96f96fc3b7fc68a7e4a933a1c4268a974e34629661dec50214832N.exe	lf3tK1yY.exe
PID 224 wrote to memory of 1332	224	lf3tK1yY.exe	1TR55Yr7.exe
PID 224 wrote to memory of 1332	224	lf3tK1yY.exe	1TR55Yr7.exe
PID 224 wrote to memory of 1332	224	lf3tK1yY.exe	1TR55Yr7.exe
PID 1332 wrote to memory of 2044	1332	1TR55Yr7.exe	AppLaunch.exe
PID 1332 wrote to memory of 2044	1332	1TR55Yr7.exe	AppLaunch.exe
PID 1332 wrote to memory of 2044	1332	1TR55Yr7.exe	AppLaunch.exe
PID 1332 wrote to memory of 2044	1332	1TR55Yr7.exe	AppLaunch.exe
PID 1332 wrote to memory of 2044	1332	1TR55Yr7.exe	AppLaunch.exe
PID 1332 wrote to memory of 2044	1332	1TR55Yr7.exe	AppLaunch.exe
PID 1332 wrote to memory of 2044	1332	1TR55Yr7.exe	AppLaunch.exe
PID 1332 wrote to memory of 2044	1332	1TR55Yr7.exe	AppLaunch.exe
PID 1332 wrote to memory of 2044	1332	1TR55Yr7.exe	AppLaunch.exe
PID 1332 wrote to memory of 2044	1332	1TR55Yr7.exe	AppLaunch.exe
PID 224 wrote to memory of 3816	224	lf3tK1yY.exe	2zE388fI.exe
PID 224 wrote to memory of 3816	224	lf3tK1yY.exe	2zE388fI.exe
PID 224 wrote to memory of 3816	224	lf3tK1yY.exe	2zE388fI.exe

C:\Users\Admin\AppData\Local\Temp\7d9837d308d96f96fc3b7fc68a7e4a933a1c4268a974e34629661dec50214832N.exe
"C:\Users\Admin\AppData\Local\Temp\7d9837d308d96f96fc3b7fc68a7e4a933a1c4268a974e34629661dec50214832N.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1220
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lf3tK1yY.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lf3tK1yY.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:224
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1TR55Yr7.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1TR55Yr7.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1332
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2044
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2044 -s 540
        5⤵
        Program crash
        
        PID:2200
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1332 -s 576
      4⤵
      Program crash
      PID:3208
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2zE388fI.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2zE388fI.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1332 -ip 1332
1⤵
PID:3940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2044 -ip 2044
1⤵
PID:2008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lf3tK1yY.exe

Filesize
649KB

MD5
9d4830cb45213fa515d2049449b7bec2

SHA1
fe5913ac72500ef8959872656132b46537d9c47d

SHA256
fdb849c735d10ee2ca41cdd4fb52c78a8d7132935ae6ced77703602a461d66d2

SHA512
4192d3e840c0a7675091b516502e2adf962c8c1a4a928d7856dd9b9b5913120b469f4d297f087817e8144bd5cd31d706821e0ae7d48e25785dbc98ebb66a714c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1TR55Yr7.exe

Filesize
1.7MB

MD5
144dc3c0a5275a93ff86f00b5c61b9ec

SHA1
784168ab3c4711737656ca13dc4cb59ca267fa45

SHA256
179649325e561f83a53c5cba99cd8f1f589064c8d0f2029fb8e06f61ae986787

SHA512
9af6a9870077621eb046d6fed0fac88eba35edd4cd5e60f49c46018ab633d5cc77ddb9a93886178544198099a4e3b20726a32729ec9d1cf89524b4a579afb783

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2zE388fI.exe

Filesize
231KB

MD5
58ffdba1578ba9ce2b6e6b79516a0c1c

SHA1
93c666283fa9dc31d6694e1d3146f9a5d8bac89b

SHA256
3018ab9f37209c8d3fe16bf6c4ad3867775ce998d0394020b5b8432d464cc1f5

SHA512
38077c50437f600116143aaaffd8d3b05e0f46045b85e38390f67ae71ce42418cfd350259de3e60459e8ff4b8baf6e2afe89b9a4b39d67d9dbf488b60329d7f3

Download Submit
memory/2044-14-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2044-16-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2044-15-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2044-18-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3816-23-0x0000000007A90000-0x0000000008034000-memory.dmp

Filesize
5.6MB

Download
memory/3816-22-0x0000000000600000-0x000000000063E000-memory.dmp

Filesize
248KB

Download
memory/3816-24-0x0000000007580000-0x0000000007612000-memory.dmp

Filesize
584KB

Download
memory/3816-25-0x0000000004AD0000-0x0000000004ADA000-memory.dmp

Filesize
40KB

Download
memory/3816-26-0x0000000008660000-0x0000000008C78000-memory.dmp

Filesize
6.1MB

Download
memory/3816-27-0x0000000008040000-0x000000000814A000-memory.dmp

Filesize
1.0MB

Download
memory/3816-28-0x0000000007540000-0x0000000007552000-memory.dmp

Filesize
72KB

Download
memory/3816-29-0x0000000007660000-0x000000000769C000-memory.dmp

Filesize
240KB

Download
memory/3816-30-0x00000000076A0000-0x00000000076EC000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads