mystic | eafc2bfbeaeddb89f86da75f29f14435b745b919f0b99dd1d0d30b9d33efb415

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 07:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d4c8c5a1d2ba6f3920e2785153bc3ad1843efb3696b1cfd86ebffe60bc121e4e.exe
Size

819KB
MD5

f89fddde3d9714fc698fc708de161a7a
SHA1

1a9af029df06aa8cbf4a1b3e7e25079bf3c347f4
SHA256

d4c8c5a1d2ba6f3920e2785153bc3ad1843efb3696b1cfd86ebffe60bc121e4e
SHA512

dc3153f743b911f934668ebfa48377756fbec4f102f836c2fb933b9344d08dcc742b2d58c4d3ed07060c886d7220ee84f130554dc791f106d8fa3ea05ea6acf7
SSDEEP

24576:ry1LboSWg7clqL9Ii9tvVtPQrIdnnw93:e1LsSWwcl6fvVtPPdnc

Score

10^/10

mystic redline kukish infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kukish

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 4 IoCs

Processes:

resource	yara_rule
behavioral17/memory/408-21-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral17/memory/408-25-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral17/memory/408-23-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral17/memory/408-22-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
RedLine payload 2 IoCs

Processes:

resource yara_rule

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2oJ022sA.exe family_redline
behavioral17/memory/2408-29-0x0000000000900000-0x000000000093E000-memory.dmp family_redline
Executes dropped EXE 4 IoCs

Processes:

Qt5Ox4yn.exefM0GH3nm.exe1lT98ol5.exe2oJ022sA.exe

pid process

4732 Qt5Ox4yn.exe
4780 fM0GH3nm.exe
2652 1lT98ol5.exe
2408 2oJ022sA.exe

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2oJ022sA.exe	family_redline
behavioral17/memory/2408-29-0x0000000000900000-0x000000000093E000-memory.dmp	family_redline

pid	process
4732	Qt5Ox4yn.exe
4780	fM0GH3nm.exe
2652	1lT98ol5.exe
2408	2oJ022sA.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Qt5Ox4yn.exefM0GH3nm.exed4c8c5a1d2ba6f3920e2785153bc3ad1843efb3696b1cfd86ebffe60bc121e4e.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Qt5Ox4yn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	fM0GH3nm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	d4c8c5a1d2ba6f3920e2785153bc3ad1843efb3696b1cfd86ebffe60bc121e4e.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

1lT98ol5.exe

description pid process target process

PID 2652 set thread context of 408 2652 1lT98ol5.exe AppLaunch.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1152 2652 WerFault.exe 1lT98ol5.exe

description	pid	process	target process
PID 2652 set thread context of 408	2652	1lT98ol5.exe	AppLaunch.exe

pid	pid_target	process	target process
1152	2652	WerFault.exe	1lT98ol5.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

d4c8c5a1d2ba6f3920e2785153bc3ad1843efb3696b1cfd86ebffe60bc121e4e.exeQt5Ox4yn.exefM0GH3nm.exe1lT98ol5.exe

description	pid	process	target process
PID 2692 wrote to memory of 4732	2692	d4c8c5a1d2ba6f3920e2785153bc3ad1843efb3696b1cfd86ebffe60bc121e4e.exe	Qt5Ox4yn.exe
PID 2692 wrote to memory of 4732	2692	d4c8c5a1d2ba6f3920e2785153bc3ad1843efb3696b1cfd86ebffe60bc121e4e.exe	Qt5Ox4yn.exe
PID 2692 wrote to memory of 4732	2692	d4c8c5a1d2ba6f3920e2785153bc3ad1843efb3696b1cfd86ebffe60bc121e4e.exe	Qt5Ox4yn.exe
PID 4732 wrote to memory of 4780	4732	Qt5Ox4yn.exe	fM0GH3nm.exe
PID 4732 wrote to memory of 4780	4732	Qt5Ox4yn.exe	fM0GH3nm.exe
PID 4732 wrote to memory of 4780	4732	Qt5Ox4yn.exe	fM0GH3nm.exe
PID 4780 wrote to memory of 2652	4780	fM0GH3nm.exe	1lT98ol5.exe
PID 4780 wrote to memory of 2652	4780	fM0GH3nm.exe	1lT98ol5.exe
PID 4780 wrote to memory of 2652	4780	fM0GH3nm.exe	1lT98ol5.exe
PID 2652 wrote to memory of 4376	2652	1lT98ol5.exe	AppLaunch.exe
PID 2652 wrote to memory of 4376	2652	1lT98ol5.exe	AppLaunch.exe
PID 2652 wrote to memory of 4376	2652	1lT98ol5.exe	AppLaunch.exe
PID 2652 wrote to memory of 408	2652	1lT98ol5.exe	AppLaunch.exe
PID 2652 wrote to memory of 408	2652	1lT98ol5.exe	AppLaunch.exe
PID 2652 wrote to memory of 408	2652	1lT98ol5.exe	AppLaunch.exe
PID 2652 wrote to memory of 408	2652	1lT98ol5.exe	AppLaunch.exe
PID 2652 wrote to memory of 408	2652	1lT98ol5.exe	AppLaunch.exe
PID 2652 wrote to memory of 408	2652	1lT98ol5.exe	AppLaunch.exe
PID 2652 wrote to memory of 408	2652	1lT98ol5.exe	AppLaunch.exe
PID 2652 wrote to memory of 408	2652	1lT98ol5.exe	AppLaunch.exe
PID 2652 wrote to memory of 408	2652	1lT98ol5.exe	AppLaunch.exe
PID 2652 wrote to memory of 408	2652	1lT98ol5.exe	AppLaunch.exe
PID 4780 wrote to memory of 2408	4780	fM0GH3nm.exe	2oJ022sA.exe
PID 4780 wrote to memory of 2408	4780	fM0GH3nm.exe	2oJ022sA.exe
PID 4780 wrote to memory of 2408	4780	fM0GH3nm.exe	2oJ022sA.exe

C:\Users\Admin\AppData\Local\Temp\d4c8c5a1d2ba6f3920e2785153bc3ad1843efb3696b1cfd86ebffe60bc121e4e.exe
"C:\Users\Admin\AppData\Local\Temp\d4c8c5a1d2ba6f3920e2785153bc3ad1843efb3696b1cfd86ebffe60bc121e4e.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2692

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Qt5Ox4yn.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Qt5Ox4yn.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4732

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\fM0GH3nm.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\fM0GH3nm.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4780

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1lT98ol5.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1lT98ol5.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2652

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
5⤵
PID:4376

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
5⤵
PID:408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2652 -s 588
5⤵
- Program crash
PID:1152

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2oJ022sA.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2oJ022sA.exe
4⤵
- Executes dropped EXE
PID:2408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2652 -ip 2652
1⤵
PID:4684

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Qt5Ox4yn.exe
Filesize
584KB

MD5
c84cbcb1e5fec8264e42493bcbe5eaf9

SHA1
d2e86b19e8461d0d406f6ba8662af8edb2a1dce9

SHA256
97ed2581cf602b5ef1336e862f3de5e776e88bfd87aea5100281050cd163be5e

SHA512
7d871fffd2a058c4972118ed332094371d8f9400dd66b08b2ac2ff191164f220de755ab270e2d717ad516ac500c6454aa7a9cc9423ea68d83cfcd643e23e2775

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\fM0GH3nm.exe
Filesize
383KB

MD5
434ab44f0ff61ddedeb8cd193bf06dd5

SHA1
e950775714e5d415a03bd861a8b2760d92e63b4e

SHA256
812996904b2bbae0465be949d1a4820ad8466edce073018f2765246604ebc794

SHA512
0dc804f72f7306a8d1c6a3b7284d9208f254db369c8fc1096e00ea9f481d9d240810137562da4ac0de8bed0faf581bbd7f9335fb70a53a651c626ad6ac95b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1lT98ol5.exe
Filesize
298KB

MD5
fdb8c7360f7ab13d6f1d38b8548dd75a

SHA1
2250d40cadea9d40267c262d8285f533c564208c

SHA256
d6c844dfab6dcc477fe11687f6b098fa9c66fc15a4c7ae9984faaf647e1fcd7a

SHA512
a0b2f5560e68ca558ff6d600a4e2a49a63dab25ecc39e06ec481e3580bb43a393e542936e275a1fed2b554dc0b296bb71321870e96aaff6a5449b96e8167c9a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2oJ022sA.exe
Filesize
222KB

MD5
a6d1fca3c9d29a76548e684799abf99a

SHA1
eb591c51e55a343bd86ca29245efd824248ba553

SHA256
95a0b44533ec469f93a3ffb56cb9b37fa0594b763d34b1d86727c7ba9fa085fd

SHA512
3a5362e90dd5d53498c1cce3f9f9673bdf00053787a93d93290d5abec82dc6f3e4c404aebf65084f4e3df782d4e039be620c06e79dfe5cff28dae1b999d08f80

Download Submit
memory/408-21-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/408-25-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/408-23-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/408-22-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2408-29-0x0000000000900000-0x000000000093E000-memory.dmp

Filesize
248KB

Download
memory/2408-30-0x0000000007B90000-0x0000000008134000-memory.dmp

Filesize
5.6MB

Download
memory/2408-31-0x0000000007680000-0x0000000007712000-memory.dmp

Filesize
584KB

Download
memory/2408-32-0x0000000002C50000-0x0000000002C5A000-memory.dmp

Filesize
40KB

Download
memory/2408-33-0x0000000008760000-0x0000000008D78000-memory.dmp

Filesize
6.1MB

Download
memory/2408-34-0x0000000008140000-0x000000000824A000-memory.dmp

Filesize
1.0MB

Download
memory/2408-35-0x0000000007A00000-0x0000000007A12000-memory.dmp

Filesize
72KB

Download
memory/2408-36-0x0000000007A60000-0x0000000007A9C000-memory.dmp

Filesize
240KB

Download
memory/2408-37-0x0000000007AA0000-0x0000000007AEC000-memory.dmp

Filesize
304KB

Download