mystic | a6ff6a7ab6362d9ccec1a6426ea922e6a019db52566978b4abbe072ead27de1b

General

Target

a6ff6a7ab6362d9ccec1a6426ea922e6a019db52566978b4abbe072ead27de1b.exe
Size

649KB
MD5

f1a296f2fcae06b2454d4d2faeb4ef73
SHA1

4ca48f90f2d1cc5cedb51ee55bff2bd91f11c2e8
SHA256

a6ff6a7ab6362d9ccec1a6426ea922e6a019db52566978b4abbe072ead27de1b
SHA512

acc2b42c58f1209f4e386202678f7b3f206543f0ab972b22e2684d547c88c82589aff145ff83477ad91f692da30832f305d816ad6306d5543ea31cd88be5a084
SSDEEP

12288:fMr5y90jtT1OxsuP2MDT2YrmGdon11pI97Y52W/8+9RGgoVoz1r7FAgD:iymZ6BT22LmnHpI97OM+9QXQlFfD

Score

10^/10

mystic redline virad discovery infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

virad

C2

77.91.124.82:19071

Attributes

auth_value
434dd63619ca8bbf10125913fb40ca28

Signatures

Detect Mystic stealer payload 1 IoCs

resource	yara_rule
behavioral1/files/0x0009000000023c55-19.dat	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
Mystic family
mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023c56-22.dat	family_redline
behavioral1/memory/5100-24-0x0000000000310000-0x0000000000340000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 4 IoCs

pid	Process
232	y7103906.exe
1176	y2974710.exe
2840	m9747464.exe
5100	n4352385.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a6ff6a7ab6362d9ccec1a6426ea922e6a019db52566978b4abbe072ead27de1b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y7103906.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y2974710.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	n4352385.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a6ff6a7ab6362d9ccec1a6426ea922e6a019db52566978b4abbe072ead27de1b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	y7103906.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	y2974710.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	m9747464.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3008 wrote to memory of 232	3008	a6ff6a7ab6362d9ccec1a6426ea922e6a019db52566978b4abbe072ead27de1b.exe	84
PID 3008 wrote to memory of 232	3008	a6ff6a7ab6362d9ccec1a6426ea922e6a019db52566978b4abbe072ead27de1b.exe	84
PID 3008 wrote to memory of 232	3008	a6ff6a7ab6362d9ccec1a6426ea922e6a019db52566978b4abbe072ead27de1b.exe	84
PID 232 wrote to memory of 1176	232	y7103906.exe	85
PID 232 wrote to memory of 1176	232	y7103906.exe	85
PID 232 wrote to memory of 1176	232	y7103906.exe	85
PID 1176 wrote to memory of 2840	1176	y2974710.exe	86
PID 1176 wrote to memory of 2840	1176	y2974710.exe	86
PID 1176 wrote to memory of 2840	1176	y2974710.exe	86
PID 1176 wrote to memory of 5100	1176	y2974710.exe	88
PID 1176 wrote to memory of 5100	1176	y2974710.exe	88
PID 1176 wrote to memory of 5100	1176	y2974710.exe	88

C:\Users\Admin\AppData\Local\Temp\a6ff6a7ab6362d9ccec1a6426ea922e6a019db52566978b4abbe072ead27de1b.exe
"C:\Users\Admin\AppData\Local\Temp\a6ff6a7ab6362d9ccec1a6426ea922e6a019db52566978b4abbe072ead27de1b.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3008
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7103906.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7103906.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:232
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y2974710.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y2974710.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1176
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m9747464.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m9747464.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2840
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n4352385.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n4352385.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:5100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7103906.exe

Filesize
547KB

MD5
53758c869b863722590878277d5bd9bb

SHA1
a425347f47f663f455f337a5fb63eaaa83fc339f

SHA256
8548875f8cf60890e553dbd72ab6b17372442c7d98cb53bd835a734f3603b4c1

SHA512
0d52bc4f9ab6b222839d4f4ad0cecf62566cf83e080e92f8ad004fe2906bc104d1f658ee66666a67a0e2f0eaf76a8b717f88a9961782eb3ce13164962c2014ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y2974710.exe

Filesize
271KB

MD5
e65a621321d5985e9375043f2506b81e

SHA1
0d44cf13120b2a8f179f43d7dec3b5fb541ecfd0

SHA256
2316c069de752496e8893b10410d88b731b09c301c3f6fb9194196a7e87dbe4a

SHA512
3aef59c0a494a089201869b068ab6ac0078d32e2f235064f51a067e9f856ce53049a455603f0574ba084f8d647bd91a4e66128dabbe9023b912ade0652d13ce1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m9747464.exe

Filesize
140KB

MD5
890ec0e7d22caf706cb827151b074303

SHA1
17a7e00ffcbc4955bc37375a88be6ebde39ba066

SHA256
412a02034f4b14d415eab5642d0f10e221d2dd11c557f0b405c0a64984634083

SHA512
cdda085e0345c8f4ad14adc95b3732b50d3b3b946cdd58a67db5f3a9ab13d099d987a97c863e6ba0c578db89194502f604aa0c97c66a7c81a701f2ff6d8ee0b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n4352385.exe

Filesize
174KB

MD5
0acd7785d0fe4b3f3a73bdeae47fca86

SHA1
a2032dcd73c1f4b3724cd525ff7bc9e1bc5f43cb

SHA256
93a66c35c6d20801fdb517ee2083230a803ad72fa1c8dcbb79e3c9dcc8feec6d

SHA512
8a7013c98faf06db6d4c0ff54cc9f38ec4163fcb305e3e76174fbb2baa964334044bfe3b7546cc8f39254263e2c885f9ce276b8a49ff714923252af830e497ff

Download Submit
memory/5100-24-0x0000000000310000-0x0000000000340000-memory.dmp

Filesize
192KB

Download
memory/5100-25-0x0000000002600000-0x0000000002606000-memory.dmp

Filesize
24KB

Download
memory/5100-26-0x000000000A7D0000-0x000000000ADE8000-memory.dmp

Filesize
6.1MB

Download
memory/5100-27-0x000000000A2C0000-0x000000000A3CA000-memory.dmp

Filesize
1.0MB

Download
memory/5100-28-0x000000000A200000-0x000000000A212000-memory.dmp

Filesize
72KB

Download
memory/5100-29-0x000000000A260000-0x000000000A29C000-memory.dmp

Filesize
240KB

Download
memory/5100-30-0x0000000004750000-0x000000000479C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads