mystic | eafc2bfbeaeddb89f86da75f29f14435b745b919f0b99dd1d0d30b9d33efb415

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 07:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e79c48869da7300155b8f28e75c456d3c8b56a174d85529c97d8307a157a099a.exe
Size

1.1MB
MD5

8928e859550f225a0fa2c3727e6f551a
SHA1

a2ac88ff7cdfd0337a2df772802de116a2001344
SHA256

e79c48869da7300155b8f28e75c456d3c8b56a174d85529c97d8307a157a099a
SHA512

496746371015da58117348e6ba82f814f46a0d1fd5383ef1265abf968906f418bf09d9b3bede061ee57dd17187618a15fe21b1fd45aec12abea819163e86eedd
SSDEEP

24576:NyAHA7bV1IlZkQCi3ED34dM1gaqiANXL4sVBN3Hp0FbK4+Hg4:oxHyCiUD34n1hNXL7N3Gg

Score

10^/10

mystic redline kukish infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kukish

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 3 IoCs

Processes:

resource	yara_rule
behavioral19/memory/4652-35-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral19/memory/4652-36-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral19/memory/4652-38-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
RedLine payload 2 IoCs

Processes:

resource yara_rule

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2oG933Dg.exe family_redline
behavioral19/memory/4396-42-0x0000000000FF0000-0x000000000102E000-memory.dmp family_redline
Executes dropped EXE 6 IoCs

Processes:

mr6fe1Ad.exeuC5iM7zq.exeRE9fs9fY.exeSp3zD1OT.exe1jh48il7.exe2oG933Dg.exe

pid process

1056 mr6fe1Ad.exe
4556 uC5iM7zq.exe
664 RE9fs9fY.exe
1888 Sp3zD1OT.exe
3864 1jh48il7.exe
4396 2oG933Dg.exe

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2oG933Dg.exe	family_redline
behavioral19/memory/4396-42-0x0000000000FF0000-0x000000000102E000-memory.dmp	family_redline

pid	process
1056	mr6fe1Ad.exe
4556	uC5iM7zq.exe
664	RE9fs9fY.exe
1888	Sp3zD1OT.exe
3864	1jh48il7.exe
4396	2oG933Dg.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

RE9fs9fY.exeSp3zD1OT.exee79c48869da7300155b8f28e75c456d3c8b56a174d85529c97d8307a157a099a.exemr6fe1Ad.exeuC5iM7zq.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	RE9fs9fY.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	Sp3zD1OT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e79c48869da7300155b8f28e75c456d3c8b56a174d85529c97d8307a157a099a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	mr6fe1Ad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	uC5iM7zq.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

1jh48il7.exe

description pid process target process

PID 3864 set thread context of 4652 3864 1jh48il7.exe AppLaunch.exe

description	pid	process	target process
PID 3864 set thread context of 4652	3864	1jh48il7.exe	AppLaunch.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

e79c48869da7300155b8f28e75c456d3c8b56a174d85529c97d8307a157a099a.exemr6fe1Ad.exeuC5iM7zq.exeRE9fs9fY.exeSp3zD1OT.exe1jh48il7.exe

description	pid	process	target process
PID 3464 wrote to memory of 1056	3464	e79c48869da7300155b8f28e75c456d3c8b56a174d85529c97d8307a157a099a.exe	mr6fe1Ad.exe
PID 3464 wrote to memory of 1056	3464	e79c48869da7300155b8f28e75c456d3c8b56a174d85529c97d8307a157a099a.exe	mr6fe1Ad.exe
PID 3464 wrote to memory of 1056	3464	e79c48869da7300155b8f28e75c456d3c8b56a174d85529c97d8307a157a099a.exe	mr6fe1Ad.exe
PID 1056 wrote to memory of 4556	1056	mr6fe1Ad.exe	uC5iM7zq.exe
PID 1056 wrote to memory of 4556	1056	mr6fe1Ad.exe	uC5iM7zq.exe
PID 1056 wrote to memory of 4556	1056	mr6fe1Ad.exe	uC5iM7zq.exe
PID 4556 wrote to memory of 664	4556	uC5iM7zq.exe	RE9fs9fY.exe
PID 4556 wrote to memory of 664	4556	uC5iM7zq.exe	RE9fs9fY.exe
PID 4556 wrote to memory of 664	4556	uC5iM7zq.exe	RE9fs9fY.exe
PID 664 wrote to memory of 1888	664	RE9fs9fY.exe	Sp3zD1OT.exe
PID 664 wrote to memory of 1888	664	RE9fs9fY.exe	Sp3zD1OT.exe
PID 664 wrote to memory of 1888	664	RE9fs9fY.exe	Sp3zD1OT.exe
PID 1888 wrote to memory of 3864	1888	Sp3zD1OT.exe	1jh48il7.exe
PID 1888 wrote to memory of 3864	1888	Sp3zD1OT.exe	1jh48il7.exe
PID 1888 wrote to memory of 3864	1888	Sp3zD1OT.exe	1jh48il7.exe
PID 3864 wrote to memory of 4652	3864	1jh48il7.exe	AppLaunch.exe
PID 3864 wrote to memory of 4652	3864	1jh48il7.exe	AppLaunch.exe
PID 3864 wrote to memory of 4652	3864	1jh48il7.exe	AppLaunch.exe
PID 3864 wrote to memory of 4652	3864	1jh48il7.exe	AppLaunch.exe
PID 3864 wrote to memory of 4652	3864	1jh48il7.exe	AppLaunch.exe
PID 3864 wrote to memory of 4652	3864	1jh48il7.exe	AppLaunch.exe
PID 3864 wrote to memory of 4652	3864	1jh48il7.exe	AppLaunch.exe
PID 3864 wrote to memory of 4652	3864	1jh48il7.exe	AppLaunch.exe
PID 3864 wrote to memory of 4652	3864	1jh48il7.exe	AppLaunch.exe
PID 3864 wrote to memory of 4652	3864	1jh48il7.exe	AppLaunch.exe
PID 1888 wrote to memory of 4396	1888	Sp3zD1OT.exe	2oG933Dg.exe
PID 1888 wrote to memory of 4396	1888	Sp3zD1OT.exe	2oG933Dg.exe
PID 1888 wrote to memory of 4396	1888	Sp3zD1OT.exe	2oG933Dg.exe

C:\Users\Admin\AppData\Local\Temp\e79c48869da7300155b8f28e75c456d3c8b56a174d85529c97d8307a157a099a.exe
"C:\Users\Admin\AppData\Local\Temp\e79c48869da7300155b8f28e75c456d3c8b56a174d85529c97d8307a157a099a.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3464

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mr6fe1Ad.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mr6fe1Ad.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1056

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\uC5iM7zq.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\uC5iM7zq.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4556

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\RE9fs9fY.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\RE9fs9fY.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:664

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Sp3zD1OT.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Sp3zD1OT.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1888

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1jh48il7.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1jh48il7.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3864

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
PID:4652

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2oG933Dg.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2oG933Dg.exe
6⤵
- Executes dropped EXE
PID:4396

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mr6fe1Ad.exe
Filesize
1.0MB

MD5
a33bec5a4ff5bee6094c6790a486df7f

SHA1
9ae1ff1202b847d29c84398fd0b84a12f87e10b4

SHA256
a72aaab98fd4cc954f263d2715662c53ffa7d4222d50900192c6ab2109a99f0a

SHA512
2f797f31e18d70de09a57e790117b2569f2596261c6023fe88cffa01cfb761b948d8c8e3ae16a40c3499f9949eaed4d0d964cf38cdfa33550aa69eda576537ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\uC5iM7zq.exe
Filesize
844KB

MD5
c9c21a0c100d324c30fd3b55f0ed4542

SHA1
8f11ddd8bd31b952c9a960c92f220da833f8b5a7

SHA256
bcbc5eaefea6789d2c1f8bf4824cef403414b4a387f6847a5a86b20e7061b862

SHA512
170c14c28dadb643da7b54cdb7bcbfeb92a51a0df87b238c6f324f137a070760ae4253fa01ac84c53ef0761ff05d033ba6fc882f191706c3204ac633fe49c993

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\RE9fs9fY.exe
Filesize
594KB

MD5
86cd2582ed91306f05a61d7ae23b31e5

SHA1
d0d010c336d1f52aa685a7f3f59ec66895d4582e

SHA256
03bd331490a904c6323e87fd14ff45c960b7d64a6e115dbce903cf89e6b0f5bc

SHA512
c485d947d479c366e32d2b7d1733626cea8b971bdc5ea9d1a57f583a29748c825fabacebf179c713f9e3655b843b9dfefb7850d7fb1052b27dcdc46ef00a0aa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Sp3zD1OT.exe
Filesize
398KB

MD5
1efa9b18a2563ebebae8a6eabad4db7b

SHA1
b95bc070b14bbb19b209b2d4413db63f79272fbc

SHA256
e2e852038c1504d54c9702b961095f0af961417103d2a5c8b10740dc188ac5e5

SHA512
07bf09d5fa8798b9f0d40650c180275c78e201abd9d5ebfb37d2d37dcb55e0802d6c4e35467695aeec3c930add915d200847bd13ee41bc58762f067b553de5bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1jh48il7.exe
Filesize
320KB

MD5
5d46d756761c7b1440076303beeca0ef

SHA1
8e50680d58c89566cf78b067aefed754d9fc4935

SHA256
8ef43142ccd7fbffcd0c4fa2ed3a196f7a964f71753dfc37a895d956e02e0c83

SHA512
19457218e35c87deade73de832140d6def871159eeec74a0df5c72dc0d56757a36c36a17327a73af6f03c6d8ca86d2f031f5d0364222dfcefc49df0d88758683

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2oG933Dg.exe
Filesize
222KB

MD5
3a2fb4ae3cb49d3452da38d13bb9a4c9

SHA1
b1aadf5266265ab50b01330037fec3405cf4501a

SHA256
f97449c137f4f454706cd578b7345a4b56fb2dd066558af125773e0ed8b2326a

SHA512
8d1913bf768b1e39e1eaf8ed67b9b47f2e00fb3897a767bbb665c0715bb10f551293aabdc6d6429c26455c364a686cca225596471147813cec679e522c84dcce

Download Submit
memory/4396-42-0x0000000000FF0000-0x000000000102E000-memory.dmp

Filesize
248KB

Download
memory/4396-43-0x00000000083A0000-0x0000000008944000-memory.dmp

Filesize
5.6MB

Download
memory/4396-44-0x0000000007EF0000-0x0000000007F82000-memory.dmp

Filesize
584KB

Download
memory/4396-45-0x0000000003480000-0x000000000348A000-memory.dmp

Filesize
40KB

Download
memory/4396-46-0x0000000008F70000-0x0000000009588000-memory.dmp

Filesize
6.1MB

Download
memory/4396-47-0x00000000081F0000-0x00000000082FA000-memory.dmp

Filesize
1.0MB

Download
memory/4396-48-0x0000000008100000-0x0000000008112000-memory.dmp

Filesize
72KB

Download
memory/4396-49-0x0000000008160000-0x000000000819C000-memory.dmp

Filesize
240KB

Download
memory/4396-50-0x00000000081A0000-0x00000000081EC000-memory.dmp

Filesize
304KB

Download
memory/4652-36-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4652-38-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4652-35-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download