mystic | 477922325633bfc1def1ea2d953349f4e417896d7f49e067fe6bc5de05ab7698

General

Target

477922325633bfc1def1ea2d953349f4e417896d7f49e067fe6bc5de05ab7698.exe
Size

561KB
MD5

70dc58001691e2262a8061d57893789a
SHA1

532f97b6a9090396f778f3ce3248f7585066a098
SHA256

477922325633bfc1def1ea2d953349f4e417896d7f49e067fe6bc5de05ab7698
SHA512

d7ddadbca5c7ad7db627e559c5f952586c28e9873b62e7706d34b6e1ede2ebace4bb1aaec9fabb756fefcff4396060d73586132510ed16584cd8eaac473e8240
SSDEEP

12288:VMrcy90awy7S8NxqrvtEmiLcXi4iE+01Ib/nSZ:Vybwy7hUv5kcXv3+e1Z

Score

10^/10

mystic redline kinza discovery infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kinza

C2

77.91.124.86:19084

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral1/memory/3380-7-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral1/memory/3380-11-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral1/memory/3380-9-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral1/memory/3380-8-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
Mystic family
mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023d90-13.dat	family_redline
behavioral1/memory/1956-16-0x00000000001A0000-0x00000000001DE000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 2 IoCs

pid	Process
4708	1Vq88Ph3.exe
1956	2wf123ea.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	477922325633bfc1def1ea2d953349f4e417896d7f49e067fe6bc5de05ab7698.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4708 set thread context of 3380	4708	1Vq88Ph3.exe	90

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3836	3380	WerFault.exe	90

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	477922325633bfc1def1ea2d953349f4e417896d7f49e067fe6bc5de05ab7698.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1Vq88Ph3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2wf123ea.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2836 wrote to memory of 4708	2836	477922325633bfc1def1ea2d953349f4e417896d7f49e067fe6bc5de05ab7698.exe	84
PID 2836 wrote to memory of 4708	2836	477922325633bfc1def1ea2d953349f4e417896d7f49e067fe6bc5de05ab7698.exe	84
PID 2836 wrote to memory of 4708	2836	477922325633bfc1def1ea2d953349f4e417896d7f49e067fe6bc5de05ab7698.exe	84
PID 4708 wrote to memory of 4252	4708	1Vq88Ph3.exe	89
PID 4708 wrote to memory of 4252	4708	1Vq88Ph3.exe	89
PID 4708 wrote to memory of 4252	4708	1Vq88Ph3.exe	89
PID 4708 wrote to memory of 3380	4708	1Vq88Ph3.exe	90
PID 4708 wrote to memory of 3380	4708	1Vq88Ph3.exe	90
PID 4708 wrote to memory of 3380	4708	1Vq88Ph3.exe	90
PID 4708 wrote to memory of 3380	4708	1Vq88Ph3.exe	90
PID 4708 wrote to memory of 3380	4708	1Vq88Ph3.exe	90
PID 4708 wrote to memory of 3380	4708	1Vq88Ph3.exe	90
PID 4708 wrote to memory of 3380	4708	1Vq88Ph3.exe	90
PID 4708 wrote to memory of 3380	4708	1Vq88Ph3.exe	90
PID 4708 wrote to memory of 3380	4708	1Vq88Ph3.exe	90
PID 4708 wrote to memory of 3380	4708	1Vq88Ph3.exe	90
PID 2836 wrote to memory of 1956	2836	477922325633bfc1def1ea2d953349f4e417896d7f49e067fe6bc5de05ab7698.exe	92
PID 2836 wrote to memory of 1956	2836	477922325633bfc1def1ea2d953349f4e417896d7f49e067fe6bc5de05ab7698.exe	92
PID 2836 wrote to memory of 1956	2836	477922325633bfc1def1ea2d953349f4e417896d7f49e067fe6bc5de05ab7698.exe	92

C:\Users\Admin\AppData\Local\Temp\477922325633bfc1def1ea2d953349f4e417896d7f49e067fe6bc5de05ab7698.exe
"C:\Users\Admin\AppData\Local\Temp\477922325633bfc1def1ea2d953349f4e417896d7f49e067fe6bc5de05ab7698.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2836
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1Vq88Ph3.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1Vq88Ph3.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4708
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:4252
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3380
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3380 -s 540
      4⤵
      Program crash
      PID:3836
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2wf123ea.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2wf123ea.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3380 -ip 3380
1⤵
PID:4392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1Vq88Ph3.exe

Filesize
1.1MB

MD5
7e88670e893f284a13a2d88af7295317

SHA1
4bc0d76245e9d6ca8fe69daa23c46b2b8f770f1a

SHA256
d5e9e8612572f4586bc94b4475503558b7c4cd9329d3ade5b86f45018957deb9

SHA512
01541840ee2aa44de1f5f41bee31409560c481c10ed07d854239c0c9bdb648c86857a6a83a907e23f3b2865043b175689aa5f4f13fd0fd5f5444756b9ddfcdc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2wf123ea.exe

Filesize
222KB

MD5
6f5d21b3141b3c3baf8c824cfbba293f

SHA1
3bdecffd2f13ea667b5398a1d830216500bf9324

SHA256
761181f215413041dc70c4e908a996f4579cb90724ec1c638f778e51683ca484

SHA512
ef0482db23ee7962bddfad8f7c9c486b487a1944776591500d16af7793b3cdd96320ed9bdf113c6eae98f133f54cad0c4951b955c84ed4c05bae2b0cbef490ed

Download Submit
memory/1956-21-0x0000000007FF0000-0x0000000008608000-memory.dmp

Filesize
6.1MB

Download
memory/1956-20-0x00000000044E0000-0x00000000044EA000-memory.dmp

Filesize
40KB

Download
memory/1956-27-0x0000000073CA0000-0x0000000074450000-memory.dmp

Filesize
7.7MB

Download
memory/1956-26-0x0000000073CAE000-0x0000000073CAF000-memory.dmp

Filesize
4KB

Download
memory/1956-15-0x0000000073CAE000-0x0000000073CAF000-memory.dmp

Filesize
4KB

Download
memory/1956-16-0x00000000001A0000-0x00000000001DE000-memory.dmp

Filesize
248KB

Download
memory/1956-17-0x0000000007420000-0x00000000079C4000-memory.dmp

Filesize
5.6MB

Download
memory/1956-18-0x0000000006F10000-0x0000000006FA2000-memory.dmp

Filesize
584KB

Download
memory/1956-19-0x0000000073CA0000-0x0000000074450000-memory.dmp

Filesize
7.7MB

Download
memory/1956-25-0x0000000007330000-0x000000000737C000-memory.dmp

Filesize
304KB

Download
memory/1956-24-0x00000000072F0000-0x000000000732C000-memory.dmp

Filesize
240KB

Download
memory/1956-22-0x00000000079D0000-0x0000000007ADA000-memory.dmp

Filesize
1.0MB

Download
memory/1956-23-0x0000000007290000-0x00000000072A2000-memory.dmp

Filesize
72KB

Download
memory/3380-7-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3380-9-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3380-11-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3380-8-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads