mystic | ec899066f95a987847b84861ef619f96bec5fd822c5c866af5699987d3d23a02

General

Target

x4223126.exe
Size

509KB
MD5

b993f23e7347015a9c19aeea5d39c192
SHA1

b15089ae8da45a4de0e548fb99e9d465fac6abe1
SHA256

ec899066f95a987847b84861ef619f96bec5fd822c5c866af5699987d3d23a02
SHA512

520f873975310d8a3fe73dac6b1d200a1ada6c7646300fff0ab26a90cd97c7c7ae2f9a7e9f403216a1d2188fac72853e81d2669413c922b8f1b5e724f5ec4669
SSDEEP

12288:6MrHy90KGSJPlGkDMo8QAjvGq4MsQ2XY65rKJ6x9ziZw7w:typxlG33Rjk4T68wHzFw

Score

10^/10

mystic redline luate infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

luate

C2

77.91.124.55:19071

Attributes

auth_value
e45cd419aba6c9d372088ffe5629308b

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral2/memory/524-7-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/524-8-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/524-9-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/524-11-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 2 IoCs

pid	Process
1220	g8376858.exe
4488	h6264285.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	x4223126.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1220 set thread context of 524	1220	g8376858.exe	90

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2148	1220	WerFault.exe	85
4048	524	WerFault.exe	90

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2676 wrote to memory of 1220	2676	x4223126.exe	85
PID 2676 wrote to memory of 1220	2676	x4223126.exe	85
PID 2676 wrote to memory of 1220	2676	x4223126.exe	85
PID 1220 wrote to memory of 988	1220	g8376858.exe	88
PID 1220 wrote to memory of 988	1220	g8376858.exe	88
PID 1220 wrote to memory of 988	1220	g8376858.exe	88
PID 1220 wrote to memory of 3300	1220	g8376858.exe	89
PID 1220 wrote to memory of 3300	1220	g8376858.exe	89
PID 1220 wrote to memory of 3300	1220	g8376858.exe	89
PID 1220 wrote to memory of 524	1220	g8376858.exe	90
PID 1220 wrote to memory of 524	1220	g8376858.exe	90
PID 1220 wrote to memory of 524	1220	g8376858.exe	90
PID 1220 wrote to memory of 524	1220	g8376858.exe	90
PID 1220 wrote to memory of 524	1220	g8376858.exe	90
PID 1220 wrote to memory of 524	1220	g8376858.exe	90
PID 1220 wrote to memory of 524	1220	g8376858.exe	90
PID 1220 wrote to memory of 524	1220	g8376858.exe	90
PID 1220 wrote to memory of 524	1220	g8376858.exe	90
PID 1220 wrote to memory of 524	1220	g8376858.exe	90
PID 2676 wrote to memory of 4488	2676	x4223126.exe	97
PID 2676 wrote to memory of 4488	2676	x4223126.exe	97
PID 2676 wrote to memory of 4488	2676	x4223126.exe	97

C:\Users\Admin\AppData\Local\Temp\x4223126.exe
"C:\Users\Admin\AppData\Local\Temp\x4223126.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2676
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\g8376858.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\g8376858.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1220
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:988
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:3300
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:524
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 524 -s 540
      4⤵
      Program crash
      PID:4048
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1220 -s 152
    3⤵
    - Program crash
    PID:2148
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\h6264285.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\h6264285.exe
  2⤵
  - Executes dropped EXE
  PID:4488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1220 -ip 1220
1⤵
PID:4920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 524 -ip 524
1⤵
PID:1936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\g8376858.exe

Filesize
1016KB

MD5
a4bd2065fde8cf1b9aa2916e4010a34d

SHA1
2e67df9cd4a4c02b8f0ae2c91101130b8c14cc33

SHA256
5d11d2324c8fd2aed4ab969a47bb04981f1f48bdbde44c502a696b2084860bc6

SHA512
cc5e4c5f6d00acf79db5b7e99bc1874cca3761339dfa862af7fd36a3fbf81b3d1ef4e30690eab78938afaea8f189d5f2da6b0b9c6b76d4106965407446fed777

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\g8376858.exe

Filesize
1016KB

MD5
a4bd2065fde8cf1b9aa2916e4010a34d

SHA1
2e67df9cd4a4c02b8f0ae2c91101130b8c14cc33

SHA256
5d11d2324c8fd2aed4ab969a47bb04981f1f48bdbde44c502a696b2084860bc6

SHA512
cc5e4c5f6d00acf79db5b7e99bc1874cca3761339dfa862af7fd36a3fbf81b3d1ef4e30690eab78938afaea8f189d5f2da6b0b9c6b76d4106965407446fed777

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\h6264285.exe

Filesize
174KB

MD5
3569efc9827855b8c5e5710286838cfc

SHA1
ded57191126206191af1af08c2cb5151747dc0ee

SHA256
ce9b787bd3ed06aa55a1b6497f793327fcbffeae7daf8c9991e7b8ac8fbaf16c

SHA512
996c790e0d56867894e71497433cc0488f186335e9d0643fd97463c3c568bd0750e07cabcd21e739bdeea3c60cf4dff0ec570577c0b1abedd8b64c8186419b75

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\h6264285.exe

Filesize
174KB

MD5
3569efc9827855b8c5e5710286838cfc

SHA1
ded57191126206191af1af08c2cb5151747dc0ee

SHA256
ce9b787bd3ed06aa55a1b6497f793327fcbffeae7daf8c9991e7b8ac8fbaf16c

SHA512
996c790e0d56867894e71497433cc0488f186335e9d0643fd97463c3c568bd0750e07cabcd21e739bdeea3c60cf4dff0ec570577c0b1abedd8b64c8186419b75

Download Submit
memory/524-7-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/524-8-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/524-9-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/524-11-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4488-15-0x00000000001E0000-0x0000000000210000-memory.dmp

Filesize
192KB

Download
memory/4488-16-0x0000000073F80000-0x0000000074730000-memory.dmp

Filesize
7.7MB

Download
memory/4488-17-0x00000000025D0000-0x00000000025D6000-memory.dmp

Filesize
24KB

Download
memory/4488-18-0x00000000052A0000-0x00000000058B8000-memory.dmp

Filesize
6.1MB

Download
memory/4488-19-0x0000000004D90000-0x0000000004E9A000-memory.dmp

Filesize
1.0MB

Download
memory/4488-21-0x0000000004B70000-0x0000000004B80000-memory.dmp

Filesize
64KB

Download
memory/4488-20-0x0000000004CB0000-0x0000000004CC2000-memory.dmp

Filesize
72KB

Download
memory/4488-22-0x0000000004D10000-0x0000000004D4C000-memory.dmp

Filesize
240KB

Download
memory/4488-23-0x0000000004EA0000-0x0000000004EEC000-memory.dmp

Filesize
304KB

Download
memory/4488-24-0x0000000073F80000-0x0000000074730000-memory.dmp

Filesize
7.7MB

Download
memory/4488-25-0x0000000004B70000-0x0000000004B80000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads