mystic | 9e0acffebc0952db0a6deca20d7da7842752e7b62fdf17c5a6132cbd82a85fef

Analysis

max time kernel
140s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
07/10/2023, 16:29

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

9e0acffebc0952db0a6deca20d7da7842752e7b62fdf17c5a6132cbd82a85fef.exe
Size

1.2MB
MD5

8062d3af8d126f153a6f8d5203972b4b
SHA1

fcaf218814d45ed77751ff21057ad3bca5c6f485
SHA256

9e0acffebc0952db0a6deca20d7da7842752e7b62fdf17c5a6132cbd82a85fef
SHA512

b5ee77a25aee48c11c645996f7b7faecdf168e979b5d76afd1093ae28deaa35a01c7db398155f13da6ae757cf05c536688a081ca8e07c332fb7c646b8a8a2f33
SSDEEP

24576:zytYpZ9ztKtIUClvanandVVGNLCgLnKPgLbdj6u5eBrEsaDrR:GepHxVkoTVqLC0KPMdj6wcrEHr

Score

10^/10

mystic redline lutyr infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

lutyr

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral1/memory/1124-35-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/1124-36-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/1124-37-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/1124-39-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral1/files/0x0006000000023265-41.dat	family_redline
behavioral1/files/0x0006000000023265-42.dat	family_redline
behavioral1/memory/4824-43-0x00000000003E0000-0x000000000041E000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
568	gZ5mf7eF.exe
1796	SM1pu0Yq.exe
4236	Qi0cc5MQ.exe
1884	sk3Kb5ZK.exe
3684	1Fv43JS4.exe
4824	2BI504Uu.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	gZ5mf7eF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	SM1pu0Yq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	Qi0cc5MQ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	sk3Kb5ZK.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	9e0acffebc0952db0a6deca20d7da7842752e7b62fdf17c5a6132cbd82a85fef.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3684 set thread context of 1124	3684	1Fv43JS4.exe	90

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1012	3684	WerFault.exe	87
3020	1124	WerFault.exe	90

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 2368 wrote to memory of 568	2368	9e0acffebc0952db0a6deca20d7da7842752e7b62fdf17c5a6132cbd82a85fef.exe	82
PID 2368 wrote to memory of 568	2368	9e0acffebc0952db0a6deca20d7da7842752e7b62fdf17c5a6132cbd82a85fef.exe	82
PID 2368 wrote to memory of 568	2368	9e0acffebc0952db0a6deca20d7da7842752e7b62fdf17c5a6132cbd82a85fef.exe	82
PID 568 wrote to memory of 1796	568	gZ5mf7eF.exe	84
PID 568 wrote to memory of 1796	568	gZ5mf7eF.exe	84
PID 568 wrote to memory of 1796	568	gZ5mf7eF.exe	84
PID 1796 wrote to memory of 4236	1796	SM1pu0Yq.exe	85
PID 1796 wrote to memory of 4236	1796	SM1pu0Yq.exe	85
PID 1796 wrote to memory of 4236	1796	SM1pu0Yq.exe	85
PID 4236 wrote to memory of 1884	4236	Qi0cc5MQ.exe	86
PID 4236 wrote to memory of 1884	4236	Qi0cc5MQ.exe	86
PID 4236 wrote to memory of 1884	4236	Qi0cc5MQ.exe	86
PID 1884 wrote to memory of 3684	1884	sk3Kb5ZK.exe	87
PID 1884 wrote to memory of 3684	1884	sk3Kb5ZK.exe	87
PID 1884 wrote to memory of 3684	1884	sk3Kb5ZK.exe	87
PID 3684 wrote to memory of 3156	3684	1Fv43JS4.exe	89
PID 3684 wrote to memory of 3156	3684	1Fv43JS4.exe	89
PID 3684 wrote to memory of 3156	3684	1Fv43JS4.exe	89
PID 3684 wrote to memory of 1124	3684	1Fv43JS4.exe	90
PID 3684 wrote to memory of 1124	3684	1Fv43JS4.exe	90
PID 3684 wrote to memory of 1124	3684	1Fv43JS4.exe	90
PID 3684 wrote to memory of 1124	3684	1Fv43JS4.exe	90
PID 3684 wrote to memory of 1124	3684	1Fv43JS4.exe	90
PID 3684 wrote to memory of 1124	3684	1Fv43JS4.exe	90
PID 3684 wrote to memory of 1124	3684	1Fv43JS4.exe	90
PID 3684 wrote to memory of 1124	3684	1Fv43JS4.exe	90
PID 3684 wrote to memory of 1124	3684	1Fv43JS4.exe	90
PID 3684 wrote to memory of 1124	3684	1Fv43JS4.exe	90
PID 1884 wrote to memory of 4824	1884	sk3Kb5ZK.exe	97
PID 1884 wrote to memory of 4824	1884	sk3Kb5ZK.exe	97
PID 1884 wrote to memory of 4824	1884	sk3Kb5ZK.exe	97

C:\Users\Admin\AppData\Local\Temp\9e0acffebc0952db0a6deca20d7da7842752e7b62fdf17c5a6132cbd82a85fef.exe
"C:\Users\Admin\AppData\Local\Temp\9e0acffebc0952db0a6deca20d7da7842752e7b62fdf17c5a6132cbd82a85fef.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gZ5mf7eF.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gZ5mf7eF.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:568
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\SM1pu0Yq.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\SM1pu0Yq.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1796
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Qi0cc5MQ.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Qi0cc5MQ.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4236
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\sk3Kb5ZK.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\sk3Kb5ZK.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1884
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Fv43JS4.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Fv43JS4.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3684
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:3156
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:1124
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1124 -s 540
        8⤵
        Program crash
        
        PID:3020
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3684 -s 156
        7⤵
        Program crash
        
        PID:1012
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2BI504Uu.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2BI504Uu.exe
        6⤵
        Executes dropped EXE
        
        PID:4824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1124 -ip 1124
1⤵
PID:1828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3684 -ip 3684
1⤵
PID:3796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gZ5mf7eF.exe

Filesize
1.0MB

MD5
4c49bf93f07480e68ed8ff8509c43222

SHA1
0632f77b3ccae03933ca21de05e149d723d48166

SHA256
fe74c6f85a9822ee1c7b1c91e79b8d3ad0bd88c90955b964d76630b933f7fb8b

SHA512
904b2dc28a94a2e0bd04a72f404deb3f60f4c7a7414efc2cdf32e51a1d777d2f2dc092256bd6d5dab15b4dd4f27399ea19a01bb148efead952de001b0e7dc3de

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gZ5mf7eF.exe

Filesize
1.0MB

MD5
4c49bf93f07480e68ed8ff8509c43222

SHA1
0632f77b3ccae03933ca21de05e149d723d48166

SHA256
fe74c6f85a9822ee1c7b1c91e79b8d3ad0bd88c90955b964d76630b933f7fb8b

SHA512
904b2dc28a94a2e0bd04a72f404deb3f60f4c7a7414efc2cdf32e51a1d777d2f2dc092256bd6d5dab15b4dd4f27399ea19a01bb148efead952de001b0e7dc3de

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\SM1pu0Yq.exe

Filesize
880KB

MD5
7fca8b3b5d33b4d31c29c1a9d26a5176

SHA1
45b2321d9e3c56e77d43dd456496309a3bc3c05e

SHA256
a365181ca8531d61be1fa2bb03cac3b188163af7158c16ba0109a1797c49876f

SHA512
522b5fdadade19e122c4bf59e356e697b96325d4b4b6f5cd7dbbeea2af31c7aab8136bd8bdc7200d0631511dbddc25b82ad972a1284bbd8f9b07519155697676

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\SM1pu0Yq.exe

Filesize
880KB

MD5
7fca8b3b5d33b4d31c29c1a9d26a5176

SHA1
45b2321d9e3c56e77d43dd456496309a3bc3c05e

SHA256
a365181ca8531d61be1fa2bb03cac3b188163af7158c16ba0109a1797c49876f

SHA512
522b5fdadade19e122c4bf59e356e697b96325d4b4b6f5cd7dbbeea2af31c7aab8136bd8bdc7200d0631511dbddc25b82ad972a1284bbd8f9b07519155697676

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Qi0cc5MQ.exe

Filesize
586KB

MD5
cb6e3ef3e906497256198eff1a56d498

SHA1
33c993f5e000652625dde310080dd7e3fb84fa74

SHA256
94d62d90e6479e6590e0722e00e56b556765cca0e50d09d481cd57322fc651a2

SHA512
46341532c8d8fe14261134dd762b1a20f517773bcf223cc3377d6dfb8614afae4218aaaa9551e84a5332342913eeac6446ce869b65db94ea79ed7294910ba591

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Qi0cc5MQ.exe

Filesize
586KB

MD5
cb6e3ef3e906497256198eff1a56d498

SHA1
33c993f5e000652625dde310080dd7e3fb84fa74

SHA256
94d62d90e6479e6590e0722e00e56b556765cca0e50d09d481cd57322fc651a2

SHA512
46341532c8d8fe14261134dd762b1a20f517773bcf223cc3377d6dfb8614afae4218aaaa9551e84a5332342913eeac6446ce869b65db94ea79ed7294910ba591

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\sk3Kb5ZK.exe

Filesize
413KB

MD5
c3b2b4f5974c0368fda4d2ae4e1f3fe7

SHA1
3ca52b006dc7520f7d9800cf024052605ee130d5

SHA256
efe2791b6dd56d5c1a2521af5c9e46dd3b15a6edf34354c1a06595cba38276c8

SHA512
ede9c83c3f602350e42167c03a7ba70465508b78216c59d7da5de6ea694b81007608e452e78ef9575f38fff6e87254861b4ff19fdd96e1f09b48d51f4a6ff24b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\sk3Kb5ZK.exe

Filesize
413KB

MD5
c3b2b4f5974c0368fda4d2ae4e1f3fe7

SHA1
3ca52b006dc7520f7d9800cf024052605ee130d5

SHA256
efe2791b6dd56d5c1a2521af5c9e46dd3b15a6edf34354c1a06595cba38276c8

SHA512
ede9c83c3f602350e42167c03a7ba70465508b78216c59d7da5de6ea694b81007608e452e78ef9575f38fff6e87254861b4ff19fdd96e1f09b48d51f4a6ff24b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Fv43JS4.exe

Filesize
378KB

MD5
eae66dcfa5b4edf2ee8f8bcd682c0082

SHA1
c75aebb9c1347c416c1fd4d4fcf880bb6ce5fb0c

SHA256
c1c47708d2b038156a34ca16e692173ac4b6132f13102e27f78220cbb7b1fa92

SHA512
69492135b5dd5d48b22e87276b1d1a339407d3b544cc8e4d14f816bc44dc5e50f99cdb1bcafd9b47ff1d59f376232593482e0969c0ada4cd84d6874702d87ac5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Fv43JS4.exe

Filesize
378KB

MD5
eae66dcfa5b4edf2ee8f8bcd682c0082

SHA1
c75aebb9c1347c416c1fd4d4fcf880bb6ce5fb0c

SHA256
c1c47708d2b038156a34ca16e692173ac4b6132f13102e27f78220cbb7b1fa92

SHA512
69492135b5dd5d48b22e87276b1d1a339407d3b544cc8e4d14f816bc44dc5e50f99cdb1bcafd9b47ff1d59f376232593482e0969c0ada4cd84d6874702d87ac5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2BI504Uu.exe

Filesize
221KB

MD5
f731b3eb6f2bdd8ed02cc299f17afb06

SHA1
4e95692fc874fe82ce06288c3131a59aa00abdab

SHA256
2f5f6a0c5d02edc613f0b284b0faa22fc94486f2f4350b131957bc88a1c86e03

SHA512
e98fb9c67198bee75000dc19fec2f93a468dc08248071e83d64595c6c7f2e2c511ff8f2ab4edb814e56bd396098598b610e5de9ff13010d0d8582ac7c84be793

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2BI504Uu.exe

Filesize
221KB

MD5
f731b3eb6f2bdd8ed02cc299f17afb06

SHA1
4e95692fc874fe82ce06288c3131a59aa00abdab

SHA256
2f5f6a0c5d02edc613f0b284b0faa22fc94486f2f4350b131957bc88a1c86e03

SHA512
e98fb9c67198bee75000dc19fec2f93a468dc08248071e83d64595c6c7f2e2c511ff8f2ab4edb814e56bd396098598b610e5de9ff13010d0d8582ac7c84be793

Download Submit
memory/1124-36-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1124-37-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1124-39-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1124-35-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4824-46-0x00000000071C0000-0x0000000007252000-memory.dmp

Filesize
584KB

Download
memory/4824-44-0x00000000744F0000-0x0000000074CA0000-memory.dmp

Filesize
7.7MB

Download
memory/4824-45-0x0000000007690000-0x0000000007C34000-memory.dmp

Filesize
5.6MB

Download
memory/4824-43-0x00000000003E0000-0x000000000041E000-memory.dmp

Filesize
248KB

Download
memory/4824-47-0x0000000007130000-0x0000000007140000-memory.dmp

Filesize
64KB

Download
memory/4824-48-0x0000000007370000-0x000000000737A000-memory.dmp

Filesize
40KB

Download
memory/4824-49-0x0000000008260000-0x0000000008878000-memory.dmp

Filesize
6.1MB

Download
memory/4824-50-0x0000000007510000-0x000000000761A000-memory.dmp

Filesize
1.0MB

Download
memory/4824-51-0x0000000007440000-0x0000000007452000-memory.dmp

Filesize
72KB

Download
memory/4824-52-0x00000000074A0000-0x00000000074DC000-memory.dmp

Filesize
240KB

Download
memory/4824-53-0x0000000007620000-0x000000000766C000-memory.dmp

Filesize
304KB

Download
memory/4824-54-0x00000000744F0000-0x0000000074CA0000-memory.dmp

Filesize
7.7MB

Download
memory/4824-55-0x0000000007130000-0x0000000007140000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads