mystic | 3b4c5828362b10aa3f5adabbb7df2fe252f38e07b0d9b5bbfabdc749916c26a8

General

Target

3b4c5828362b10aa3f5adabbb7df2fe252f38e07b0d9b5bbfabdc749916c26a8N.exe
Size

1.6MB
MD5

0d26b42076051a0694f57161698a2eb0
SHA1

30f49f32b6f0f71e1ffcfce95a78e4f58cc70fbc
SHA256

3b4c5828362b10aa3f5adabbb7df2fe252f38e07b0d9b5bbfabdc749916c26a8
SHA512

c5c9e874daf6d822f3328b028163e06f146adb0cf23a549756c9d3240c03c5980ad6dc70bfaf324da41cfc8be3cbd6dbcdc568c1cfb768f2debc1cff6e2d09ca
SSDEEP

24576:WyKuKgpUnfZqeIgj4+9m30htY+V5GPDt1WMMet8Lp3iyeOIpl96/k2jpVzB74X8I:lFpUffpzmWNVIt1RMymSl96s2jl4M

Score

10^/10

mystic redline gigant discovery infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

gigant

C2

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3784-35-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral1/memory/3784-36-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral1/memory/3784-38-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
Mystic family
mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2GG502LU.exe	family_redline
behavioral1/memory/5096-42-0x0000000000EB0000-0x0000000000EEE000-memory.dmp	family_redline

Redline family
redline
Executes dropped EXE 6 IoCs

Processes:

oq5jq1Su.exeOY0dW1qI.exegJ5YQ3Bt.exejA1GH5Qw.exe1PM24FE1.exe2GG502LU.exe

pid process

1888 oq5jq1Su.exe
3692 OY0dW1qI.exe
4268 gJ5YQ3Bt.exe
1796 jA1GH5Qw.exe
676 1PM24FE1.exe
5096 2GG502LU.exe

pid	process
1888	oq5jq1Su.exe
3692	OY0dW1qI.exe
4268	gJ5YQ3Bt.exe
1796	jA1GH5Qw.exe
676	1PM24FE1.exe
5096	2GG502LU.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

jA1GH5Qw.exe3b4c5828362b10aa3f5adabbb7df2fe252f38e07b0d9b5bbfabdc749916c26a8N.exeoq5jq1Su.exeOY0dW1qI.exegJ5YQ3Bt.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	jA1GH5Qw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	3b4c5828362b10aa3f5adabbb7df2fe252f38e07b0d9b5bbfabdc749916c26a8N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	oq5jq1Su.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	OY0dW1qI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	gJ5YQ3Bt.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

1PM24FE1.exe

description pid process target process

PID 676 set thread context of 3784 676 1PM24FE1.exe AppLaunch.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2880 676 WerFault.exe 1PM24FE1.exe

description	pid	process	target process
PID 676 set thread context of 3784	676	1PM24FE1.exe	AppLaunch.exe

pid	pid_target	process	target process
2880	676	WerFault.exe	1PM24FE1.exe

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

OY0dW1qI.exegJ5YQ3Bt.exejA1GH5Qw.exe1PM24FE1.exeAppLaunch.exe2GG502LU.exe3b4c5828362b10aa3f5adabbb7df2fe252f38e07b0d9b5bbfabdc749916c26a8N.exeoq5jq1Su.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OY0dW1qI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gJ5YQ3Bt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jA1GH5Qw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1PM24FE1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2GG502LU.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b4c5828362b10aa3f5adabbb7df2fe252f38e07b0d9b5bbfabdc749916c26a8N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	oq5jq1Su.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

3b4c5828362b10aa3f5adabbb7df2fe252f38e07b0d9b5bbfabdc749916c26a8N.exeoq5jq1Su.exeOY0dW1qI.exegJ5YQ3Bt.exejA1GH5Qw.exe1PM24FE1.exe

description	pid	process	target process
PID 2924 wrote to memory of 1888	2924	3b4c5828362b10aa3f5adabbb7df2fe252f38e07b0d9b5bbfabdc749916c26a8N.exe	oq5jq1Su.exe
PID 2924 wrote to memory of 1888	2924	3b4c5828362b10aa3f5adabbb7df2fe252f38e07b0d9b5bbfabdc749916c26a8N.exe	oq5jq1Su.exe
PID 2924 wrote to memory of 1888	2924	3b4c5828362b10aa3f5adabbb7df2fe252f38e07b0d9b5bbfabdc749916c26a8N.exe	oq5jq1Su.exe
PID 1888 wrote to memory of 3692	1888	oq5jq1Su.exe	OY0dW1qI.exe
PID 1888 wrote to memory of 3692	1888	oq5jq1Su.exe	OY0dW1qI.exe
PID 1888 wrote to memory of 3692	1888	oq5jq1Su.exe	OY0dW1qI.exe
PID 3692 wrote to memory of 4268	3692	OY0dW1qI.exe	gJ5YQ3Bt.exe
PID 3692 wrote to memory of 4268	3692	OY0dW1qI.exe	gJ5YQ3Bt.exe
PID 3692 wrote to memory of 4268	3692	OY0dW1qI.exe	gJ5YQ3Bt.exe
PID 4268 wrote to memory of 1796	4268	gJ5YQ3Bt.exe	jA1GH5Qw.exe
PID 4268 wrote to memory of 1796	4268	gJ5YQ3Bt.exe	jA1GH5Qw.exe
PID 4268 wrote to memory of 1796	4268	gJ5YQ3Bt.exe	jA1GH5Qw.exe
PID 1796 wrote to memory of 676	1796	jA1GH5Qw.exe	1PM24FE1.exe
PID 1796 wrote to memory of 676	1796	jA1GH5Qw.exe	1PM24FE1.exe
PID 1796 wrote to memory of 676	1796	jA1GH5Qw.exe	1PM24FE1.exe
PID 676 wrote to memory of 3784	676	1PM24FE1.exe	AppLaunch.exe
PID 676 wrote to memory of 3784	676	1PM24FE1.exe	AppLaunch.exe
PID 676 wrote to memory of 3784	676	1PM24FE1.exe	AppLaunch.exe
PID 676 wrote to memory of 3784	676	1PM24FE1.exe	AppLaunch.exe
PID 676 wrote to memory of 3784	676	1PM24FE1.exe	AppLaunch.exe
PID 676 wrote to memory of 3784	676	1PM24FE1.exe	AppLaunch.exe
PID 676 wrote to memory of 3784	676	1PM24FE1.exe	AppLaunch.exe
PID 676 wrote to memory of 3784	676	1PM24FE1.exe	AppLaunch.exe
PID 676 wrote to memory of 3784	676	1PM24FE1.exe	AppLaunch.exe
PID 676 wrote to memory of 3784	676	1PM24FE1.exe	AppLaunch.exe
PID 1796 wrote to memory of 5096	1796	jA1GH5Qw.exe	2GG502LU.exe
PID 1796 wrote to memory of 5096	1796	jA1GH5Qw.exe	2GG502LU.exe
PID 1796 wrote to memory of 5096	1796	jA1GH5Qw.exe	2GG502LU.exe

C:\Users\Admin\AppData\Local\Temp\3b4c5828362b10aa3f5adabbb7df2fe252f38e07b0d9b5bbfabdc749916c26a8N.exe
"C:\Users\Admin\AppData\Local\Temp\3b4c5828362b10aa3f5adabbb7df2fe252f38e07b0d9b5bbfabdc749916c26a8N.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2924
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oq5jq1Su.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oq5jq1Su.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1888
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\OY0dW1qI.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\OY0dW1qI.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3692
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\gJ5YQ3Bt.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\gJ5YQ3Bt.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4268
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\jA1GH5Qw.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\jA1GH5Qw.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1796
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1PM24FE1.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1PM24FE1.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:676
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3784
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 676 -s 572
        7⤵
        Program crash
        
        PID:2880
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2GG502LU.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2GG502LU.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 676 -ip 676
1⤵
PID:1064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oq5jq1Su.exe

Filesize
1.5MB

MD5
b5d9c4748193051363e0aa85f45b6477

SHA1
b79de1878d845884831b2a7ee50b2e307a50faef

SHA256
13e414602caa2f59db58b471ce294ad77a342ed95d2634e789a36b4da4c6a8de

SHA512
38cb6cada3fa572402b2c7c48831edcb94ebf53612b4b91dcf5e599161e249425c755162b7b22ea7d456ff1a44aa272d794b4ee281e259c13f946e8b71055a76

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\OY0dW1qI.exe

Filesize
1.3MB

MD5
84825357547bb42bff87a38ee9b44b8b

SHA1
612d4fc996e8e3f855aa04fb1968ef24457ea175

SHA256
2aac44669e8af8e580188df28ff107e12763a7d031b2cdd2ba7aea8cd1803447

SHA512
27445bcb8ea55176659257fa82927d918e56def2f2940aaabbc141013e1d5cc31f38516ebd2bffa9cc941132261b9dcbf46043a24dc7a6b346d1c7d47563b4ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\gJ5YQ3Bt.exe

Filesize
821KB

MD5
b7e6e27f65274bfa7a8115a1834a260b

SHA1
242ed07cb41349f3f5d7e41b602a2df3070ee091

SHA256
ac19624914ef0f344a7d2af3c4fa957e81040c787f593d52511836f1a4c3e7c9

SHA512
440a0844696ebfe1cbfe0e29ca6a4347657bdf5c3ae0fffc46b3f199882d84ef80a48a9ccdf516b23bbd7ce727ab1eb3bbe704d66bbe7570071bef4aa2dd43d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\jA1GH5Qw.exe

Filesize
649KB

MD5
ad1d878048d6e08c37790a5863d1abfe

SHA1
9184eecd10c7c5ee61c2c632cf3653a0a4a600ad

SHA256
79d4c8579ffe78b191775fee4e919b2671ec1e0bb2d8508ca70653118572f0f8

SHA512
3d4c7764471b085f7412dfa15df3c073a5b4e064cf9442b6b5deee78aa2952495480828ae48d90426ff89b326be13141257d693871c1a6ae9f22c6c7cd66cd19

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1PM24FE1.exe

Filesize
1.7MB

MD5
144dc3c0a5275a93ff86f00b5c61b9ec

SHA1
784168ab3c4711737656ca13dc4cb59ca267fa45

SHA256
179649325e561f83a53c5cba99cd8f1f589064c8d0f2029fb8e06f61ae986787

SHA512
9af6a9870077621eb046d6fed0fac88eba35edd4cd5e60f49c46018ab633d5cc77ddb9a93886178544198099a4e3b20726a32729ec9d1cf89524b4a579afb783

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2GG502LU.exe

Filesize
231KB

MD5
54655d0f1e3a5ca7543947018cffb46b

SHA1
309c4dd94b69bc0118adf700d9ef007e71707a80

SHA256
d374bf2a87f954fead7e3540d474988afc5647a1b0ed79f5036531c76c8a727e

SHA512
c51938125705b2781bba57f2b833f73989a55a14ec322763a62bb3d6ddfb1f16f765f64ab5c0986e6f133eb9e5ce6e97fc1900a715cf5b2e09c65a8926f859f7

Download Submit
memory/3784-36-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3784-38-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3784-35-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/5096-42-0x0000000000EB0000-0x0000000000EEE000-memory.dmp

Filesize
248KB

Download
memory/5096-43-0x00000000082C0000-0x0000000008864000-memory.dmp

Filesize
5.6MB

Download
memory/5096-44-0x0000000007DB0000-0x0000000007E42000-memory.dmp

Filesize
584KB

Download
memory/5096-45-0x0000000003350000-0x000000000335A000-memory.dmp

Filesize
40KB

Download
memory/5096-46-0x0000000008E90000-0x00000000094A8000-memory.dmp

Filesize
6.1MB

Download
memory/5096-47-0x0000000008870000-0x000000000897A000-memory.dmp

Filesize
1.0MB

Download
memory/5096-48-0x0000000007EA0000-0x0000000007EB2000-memory.dmp

Filesize
72KB

Download
memory/5096-49-0x0000000008030000-0x000000000806C000-memory.dmp

Filesize
240KB

Download
memory/5096-50-0x0000000007ED0000-0x0000000007F1C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads