mystic | fea83d0257e158a68f352194a75f8ff5bf350e77f045b2b734698f490b12c827

Analysis

max time kernel
151s
max time network
165s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
10/10/2023, 22:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fea83d0257e158a68f352194a75f8ff5bf350e77f045b2b734698f490b12c827.exe
Size

928KB
MD5

ccdb878d630fde0f0dd9f2b394605f3d
SHA1

c73f01d4a171fb9b46b0d8a059551c71d13c355d
SHA256

fea83d0257e158a68f352194a75f8ff5bf350e77f045b2b734698f490b12c827
SHA512

471f05d8b31a4f1dd892e00657b2fc90ffdfc8798bf55449e5919503a119be51f7b7b3b1017cfdd3d0aac411a52c436266d135d176922d080b3d2c91f8d4093b
SSDEEP

24576:ry/e658JE7Z178dF7TNDPJm9hKoKoOF9QXE4lhbKV8:e/e6FH8xk9hKZuXEs

Score

10^/10

mystic redline luska infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

luska

77.91.124.55:19071

Attributes

auth_value
a6797888f51a88afbfd8854a79ac9357

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral2/memory/4960-28-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/4960-29-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/4960-30-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/4960-32-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
3348	x2178722.exe
2876	x2956423.exe
4468	x5762320.exe
1816	g8619343.exe
3568	h9280668.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	fea83d0257e158a68f352194a75f8ff5bf350e77f045b2b734698f490b12c827.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x2178722.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x2956423.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x5762320.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1816 set thread context of 4960	1816	g8619343.exe	93

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2976	4960	WerFault.exe	93
2872	1816	WerFault.exe	91

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 536 wrote to memory of 3348	536	fea83d0257e158a68f352194a75f8ff5bf350e77f045b2b734698f490b12c827.exe	88
PID 536 wrote to memory of 3348	536	fea83d0257e158a68f352194a75f8ff5bf350e77f045b2b734698f490b12c827.exe	88
PID 536 wrote to memory of 3348	536	fea83d0257e158a68f352194a75f8ff5bf350e77f045b2b734698f490b12c827.exe	88
PID 3348 wrote to memory of 2876	3348	x2178722.exe	89
PID 3348 wrote to memory of 2876	3348	x2178722.exe	89
PID 3348 wrote to memory of 2876	3348	x2178722.exe	89
PID 2876 wrote to memory of 4468	2876	x2956423.exe	90
PID 2876 wrote to memory of 4468	2876	x2956423.exe	90
PID 2876 wrote to memory of 4468	2876	x2956423.exe	90
PID 4468 wrote to memory of 1816	4468	x5762320.exe	91
PID 4468 wrote to memory of 1816	4468	x5762320.exe	91
PID 4468 wrote to memory of 1816	4468	x5762320.exe	91
PID 1816 wrote to memory of 4960	1816	g8619343.exe	93
PID 1816 wrote to memory of 4960	1816	g8619343.exe	93
PID 1816 wrote to memory of 4960	1816	g8619343.exe	93
PID 1816 wrote to memory of 4960	1816	g8619343.exe	93
PID 1816 wrote to memory of 4960	1816	g8619343.exe	93
PID 1816 wrote to memory of 4960	1816	g8619343.exe	93
PID 1816 wrote to memory of 4960	1816	g8619343.exe	93
PID 1816 wrote to memory of 4960	1816	g8619343.exe	93
PID 1816 wrote to memory of 4960	1816	g8619343.exe	93
PID 1816 wrote to memory of 4960	1816	g8619343.exe	93
PID 4468 wrote to memory of 3568	4468	x5762320.exe	98
PID 4468 wrote to memory of 3568	4468	x5762320.exe	98
PID 4468 wrote to memory of 3568	4468	x5762320.exe	98

C:\Users\Admin\AppData\Local\Temp\fea83d0257e158a68f352194a75f8ff5bf350e77f045b2b734698f490b12c827.exe
"C:\Users\Admin\AppData\Local\Temp\fea83d0257e158a68f352194a75f8ff5bf350e77f045b2b734698f490b12c827.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:536
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2178722.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2178722.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3348
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2956423.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2956423.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2876
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x5762320.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x5762320.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4468
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g8619343.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g8619343.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1816
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4960 -s 192
        7⤵
        Program crash
        
        PID:2976
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1816 -s 156
        6⤵
        Program crash
        
        PID:2872
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h9280668.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h9280668.exe
        5⤵
        Executes dropped EXE
        
        PID:3568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1816 -ip 1816
1⤵
PID:3300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4960 -ip 4960
1⤵
PID:4652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2178722.exe

Filesize
826KB

MD5
53205f4f9873e04adee8052e7b2e023c

SHA1
f243264aa408081f877ac4d6e41e62c9c7a903d1

SHA256
373eb9ddc82c29fe1e0b4b892943d81a7d12a75b17e58700375f5c2d87b2c7d1

SHA512
4010ec898899138a61872db4b7f25ff7165a922d2b955d20f7edb7e1458a37378ae0dd0cc90fd4163c2a85b0664762156248ad8d774ba0c3b86343774266140b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2178722.exe

Filesize
826KB

MD5
53205f4f9873e04adee8052e7b2e023c

SHA1
f243264aa408081f877ac4d6e41e62c9c7a903d1

SHA256
373eb9ddc82c29fe1e0b4b892943d81a7d12a75b17e58700375f5c2d87b2c7d1

SHA512
4010ec898899138a61872db4b7f25ff7165a922d2b955d20f7edb7e1458a37378ae0dd0cc90fd4163c2a85b0664762156248ad8d774ba0c3b86343774266140b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2956423.exe

Filesize
556KB

MD5
a70aaebe9564cb5398443886fa7dfc18

SHA1
43a3abd09994152c6bdcf2af35d6da993343d177

SHA256
7377e9cd0a05410baa8f0b76b7a7798bf368630042f46d3863068fa966362c00

SHA512
965bb70459028af028b5a3b21b1afb7702ca0443199ed126ef8d0d49c6ab3a733d356b70fa33c2062b083509453c933128177ebddc273311d8d9e53561fcdbb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2956423.exe

Filesize
556KB

MD5
a70aaebe9564cb5398443886fa7dfc18

SHA1
43a3abd09994152c6bdcf2af35d6da993343d177

SHA256
7377e9cd0a05410baa8f0b76b7a7798bf368630042f46d3863068fa966362c00

SHA512
965bb70459028af028b5a3b21b1afb7702ca0443199ed126ef8d0d49c6ab3a733d356b70fa33c2062b083509453c933128177ebddc273311d8d9e53561fcdbb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x5762320.exe

Filesize
390KB

MD5
52e6bfda11be9c7f5f4fbaa119e54ac8

SHA1
9c1de1bcbe31b2e2fc1a1b8862571837632b8264

SHA256
20f91a9f41f238feb0c67fdf87057b0b4f130a014dc33977989d500381032262

SHA512
e8a3a9e24710780d8d0d97c932db6fd4d45490f3ab416dd622bf81ea279c063f6d7db52e7b82b8dba9969a7b05555a67468f907a709f92b53e7212d0fc1f3587

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x5762320.exe

Filesize
390KB

MD5
52e6bfda11be9c7f5f4fbaa119e54ac8

SHA1
9c1de1bcbe31b2e2fc1a1b8862571837632b8264

SHA256
20f91a9f41f238feb0c67fdf87057b0b4f130a014dc33977989d500381032262

SHA512
e8a3a9e24710780d8d0d97c932db6fd4d45490f3ab416dd622bf81ea279c063f6d7db52e7b82b8dba9969a7b05555a67468f907a709f92b53e7212d0fc1f3587

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g8619343.exe

Filesize
356KB

MD5
e2a7fb4215581c10aa65ad047a3a818c

SHA1
13e0b97e71b42cf7db6dfef300e83feae0416f64

SHA256
c826fa04ee7b3744ef3863b2665d1f1d57f25375e237413af032fd52e0b13523

SHA512
3cbf489ab7d7815af4c10568f8ddda08f9772ffafed2330b46e72b83f112171620b2792fbfc7e1432c783c09ec7e4584b4f8e859a58f7ea40cdd9b6bbe2b689a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g8619343.exe

Filesize
356KB

MD5
e2a7fb4215581c10aa65ad047a3a818c

SHA1
13e0b97e71b42cf7db6dfef300e83feae0416f64

SHA256
c826fa04ee7b3744ef3863b2665d1f1d57f25375e237413af032fd52e0b13523

SHA512
3cbf489ab7d7815af4c10568f8ddda08f9772ffafed2330b46e72b83f112171620b2792fbfc7e1432c783c09ec7e4584b4f8e859a58f7ea40cdd9b6bbe2b689a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h9280668.exe

Filesize
174KB

MD5
0ea9646e8c37a4a955ae6dec7d186211

SHA1
efd24aa6fc9db9a2f8ae5e8206cff5ccf41752ff

SHA256
65c981a99a5ff2338ab072a12a4335eb0a15e152e7b456cf385c484a34306281

SHA512
25c8a506a5aa561a12054df052935e9c9e268031b8408b37ff3bf310927a523a43570ce4319900e8dfe57e5d11e71874e0ae10345c29638832c22fd3a12d0abb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h9280668.exe

Filesize
174KB

MD5
0ea9646e8c37a4a955ae6dec7d186211

SHA1
efd24aa6fc9db9a2f8ae5e8206cff5ccf41752ff

SHA256
65c981a99a5ff2338ab072a12a4335eb0a15e152e7b456cf385c484a34306281

SHA512
25c8a506a5aa561a12054df052935e9c9e268031b8408b37ff3bf310927a523a43570ce4319900e8dfe57e5d11e71874e0ae10345c29638832c22fd3a12d0abb

Download Submit
memory/3568-39-0x000000000AF60000-0x000000000B578000-memory.dmp

Filesize
6.1MB

Download
memory/3568-42-0x000000000A9A0000-0x000000000A9B2000-memory.dmp

Filesize
72KB

Download
memory/3568-46-0x00000000055B0000-0x00000000055C0000-memory.dmp

Filesize
64KB

Download
memory/3568-45-0x0000000074860000-0x0000000075010000-memory.dmp

Filesize
7.7MB

Download
memory/3568-36-0x0000000074860000-0x0000000075010000-memory.dmp

Filesize
7.7MB

Download
memory/3568-37-0x0000000000AB0000-0x0000000000AE0000-memory.dmp

Filesize
192KB

Download
memory/3568-44-0x000000000AB70000-0x000000000ABBC000-memory.dmp

Filesize
304KB

Download
memory/3568-40-0x000000000AA60000-0x000000000AB6A000-memory.dmp

Filesize
1.0MB

Download
memory/3568-38-0x0000000002EE0000-0x0000000002EE6000-memory.dmp

Filesize
24KB

Download
memory/3568-41-0x00000000055B0000-0x00000000055C0000-memory.dmp

Filesize
64KB

Download
memory/3568-43-0x000000000AA00000-0x000000000AA3C000-memory.dmp

Filesize
240KB

Download
memory/4960-29-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4960-32-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4960-30-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4960-28-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads