mystic | 3bc1ba609de280db198eba52e5ea7122a37dbac6ce74e4b970414f4ff281c922

Analysis

max time kernel
148s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2023, 09:08

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3bc1ba609de280db198eba52e5ea7122a37dbac6ce74e4b970414f4ff281c922.exe
Size

1.1MB
MD5

67ab1194db48b22b48894a6439bcfa30
SHA1

32097b8066781092d766e7a8aaabf1d9d5c90867
SHA256

3bc1ba609de280db198eba52e5ea7122a37dbac6ce74e4b970414f4ff281c922
SHA512

7e4944276c16cbce6064b78dd8d70e37e48ed0c5d990c36cf22bdc0741fd18eb657d8fc3cda89bdd4101044f1b6134e2ecfaf4f5c0520c696fdfc0493cabe443
SSDEEP

24576:ByIqMK7EuWVB8jlVUB4BHvYNPaTcTR1M832dYP5M8zykkJKp6Iqd:0Nd7EuW+lVpBHvYNieR1MG2dYM8uPJg

Score

10^/10

mystic redline luate infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

luate

77.91.124.55:19071

Attributes

auth_value
e45cd419aba6c9d372088ffe5629308b

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral2/memory/1380-28-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/1380-29-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/1380-30-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/1380-32-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
3392	x2111991.exe
2620	x7148503.exe
1372	x5912160.exe
4224	g9142095.exe
4140	h8239360.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	3bc1ba609de280db198eba52e5ea7122a37dbac6ce74e4b970414f4ff281c922.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x2111991.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x7148503.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x5912160.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4224 set thread context of 1380	4224	g9142095.exe	91

Program crash 2 IoCs

pid	pid_target	Process	procid_target
5000	1380	WerFault.exe	91
4168	4224	WerFault.exe	89

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 4948 wrote to memory of 3392	4948	3bc1ba609de280db198eba52e5ea7122a37dbac6ce74e4b970414f4ff281c922.exe	86
PID 4948 wrote to memory of 3392	4948	3bc1ba609de280db198eba52e5ea7122a37dbac6ce74e4b970414f4ff281c922.exe	86
PID 4948 wrote to memory of 3392	4948	3bc1ba609de280db198eba52e5ea7122a37dbac6ce74e4b970414f4ff281c922.exe	86
PID 3392 wrote to memory of 2620	3392	x2111991.exe	87
PID 3392 wrote to memory of 2620	3392	x2111991.exe	87
PID 3392 wrote to memory of 2620	3392	x2111991.exe	87
PID 2620 wrote to memory of 1372	2620	x7148503.exe	88
PID 2620 wrote to memory of 1372	2620	x7148503.exe	88
PID 2620 wrote to memory of 1372	2620	x7148503.exe	88
PID 1372 wrote to memory of 4224	1372	x5912160.exe	89
PID 1372 wrote to memory of 4224	1372	x5912160.exe	89
PID 1372 wrote to memory of 4224	1372	x5912160.exe	89
PID 4224 wrote to memory of 1380	4224	g9142095.exe	91
PID 4224 wrote to memory of 1380	4224	g9142095.exe	91
PID 4224 wrote to memory of 1380	4224	g9142095.exe	91
PID 4224 wrote to memory of 1380	4224	g9142095.exe	91
PID 4224 wrote to memory of 1380	4224	g9142095.exe	91
PID 4224 wrote to memory of 1380	4224	g9142095.exe	91
PID 4224 wrote to memory of 1380	4224	g9142095.exe	91
PID 4224 wrote to memory of 1380	4224	g9142095.exe	91
PID 4224 wrote to memory of 1380	4224	g9142095.exe	91
PID 4224 wrote to memory of 1380	4224	g9142095.exe	91
PID 1372 wrote to memory of 4140	1372	x5912160.exe	97
PID 1372 wrote to memory of 4140	1372	x5912160.exe	97
PID 1372 wrote to memory of 4140	1372	x5912160.exe	97

C:\Users\Admin\AppData\Local\Temp\3bc1ba609de280db198eba52e5ea7122a37dbac6ce74e4b970414f4ff281c922.exe
"C:\Users\Admin\AppData\Local\Temp\3bc1ba609de280db198eba52e5ea7122a37dbac6ce74e4b970414f4ff281c922.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4948
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2111991.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2111991.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3392
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7148503.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7148503.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2620
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x5912160.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x5912160.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1372
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g9142095.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g9142095.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4224
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:1380
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1380 -s 540
        7⤵
        Program crash
        
        PID:5000
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4224 -s 148
        6⤵
        Program crash
        
        PID:4168
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h8239360.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h8239360.exe
        5⤵
        Executes dropped EXE
        
        PID:4140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4224 -ip 4224
1⤵
PID:3252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1380 -ip 1380
1⤵
PID:3688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2111991.exe

Filesize
1.0MB

MD5
79daa4e4d0a043574cc756d99df1aa55

SHA1
f287bf2f830eba4453f7d897572764135fcdfa74

SHA256
6b36bf5e492defe0af74094d61a2c449ef2004e7bfc4127d41633cf16f09b0b6

SHA512
39bf1382e97f398ab2d467203225510ba0651cacd3acb9d32623a0a49f0c30b5aac6f516e60c1a00589b0ef73cceb3324b0980d4d6fe529bb7ca2d8feb8b9d7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2111991.exe

Filesize
1.0MB

MD5
79daa4e4d0a043574cc756d99df1aa55

SHA1
f287bf2f830eba4453f7d897572764135fcdfa74

SHA256
6b36bf5e492defe0af74094d61a2c449ef2004e7bfc4127d41633cf16f09b0b6

SHA512
39bf1382e97f398ab2d467203225510ba0651cacd3acb9d32623a0a49f0c30b5aac6f516e60c1a00589b0ef73cceb3324b0980d4d6fe529bb7ca2d8feb8b9d7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7148503.exe

Filesize
675KB

MD5
5a27cc15a8895157d2ae87e4d9ce30de

SHA1
1272bf2375ab850fbcc5319ef09af178d6a721ec

SHA256
6a9da1c4de10baf227fd90fe363b0e3f427e8cf7bb45dba3d69b32fa12646086

SHA512
338fa428004eab9a457d6a8970ba22d2421e0d307301e8259dfad793cc9b5a2ca8ca8afe1fbaa3d051d8f109d13556c1b950604564e9debad359c215a7ae15e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7148503.exe

Filesize
675KB

MD5
5a27cc15a8895157d2ae87e4d9ce30de

SHA1
1272bf2375ab850fbcc5319ef09af178d6a721ec

SHA256
6a9da1c4de10baf227fd90fe363b0e3f427e8cf7bb45dba3d69b32fa12646086

SHA512
338fa428004eab9a457d6a8970ba22d2421e0d307301e8259dfad793cc9b5a2ca8ca8afe1fbaa3d051d8f109d13556c1b950604564e9debad359c215a7ae15e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x5912160.exe

Filesize
509KB

MD5
eafff7a11fb143af6e9a20a8309f1ad5

SHA1
31aad7e67289d70fdde93ba4d065fffadbc52b64

SHA256
df288a9ef27cedb5a0d43b5db011d2cc0bcba5a1a099999b4079b5e63031a1c4

SHA512
7739a2db16225d317cd2e4af400fb4bdf061cf92589d95b17c3195e8b0cf801bed6009ce8786727e0914a65e967e495f3d612b22f50506bf62de8a863b293324

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x5912160.exe

Filesize
509KB

MD5
eafff7a11fb143af6e9a20a8309f1ad5

SHA1
31aad7e67289d70fdde93ba4d065fffadbc52b64

SHA256
df288a9ef27cedb5a0d43b5db011d2cc0bcba5a1a099999b4079b5e63031a1c4

SHA512
7739a2db16225d317cd2e4af400fb4bdf061cf92589d95b17c3195e8b0cf801bed6009ce8786727e0914a65e967e495f3d612b22f50506bf62de8a863b293324

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g9142095.exe

Filesize
1016KB

MD5
1975602ab22593363465ad5870f76f14

SHA1
12637e1b16c80c1a705c47568017b7c377b6e32c

SHA256
b5a4590fe4468fbd0a14d3daaf0d45ebe3ab4b495038429018e377c9d23df497

SHA512
70283a795de210d4252c355cdb77d03f564e0b1a0ade5ad4437290d83a5cd86a734dd9781b052f11e37e59862a012955dbefcb4bace55ddbb7607b477210d56f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g9142095.exe

Filesize
1016KB

MD5
1975602ab22593363465ad5870f76f14

SHA1
12637e1b16c80c1a705c47568017b7c377b6e32c

SHA256
b5a4590fe4468fbd0a14d3daaf0d45ebe3ab4b495038429018e377c9d23df497

SHA512
70283a795de210d4252c355cdb77d03f564e0b1a0ade5ad4437290d83a5cd86a734dd9781b052f11e37e59862a012955dbefcb4bace55ddbb7607b477210d56f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h8239360.exe

Filesize
174KB

MD5
a4f22411478c7cc223ffd8b9f6079744

SHA1
f120bef711284810d92e67c3b855bed3448f9583

SHA256
5218f891f8895da2851cd6c4399c35736bd8a207036b708ea27adfdde6bf1a72

SHA512
608212f34ac68d21f41572e99952997a5fcdb0ef58915bc7150ea9fabcf33e0156913adda1cb2b242ee06db9c8b6d955bcdf695f48600719bcfb85645da99bf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h8239360.exe

Filesize
174KB

MD5
a4f22411478c7cc223ffd8b9f6079744

SHA1
f120bef711284810d92e67c3b855bed3448f9583

SHA256
5218f891f8895da2851cd6c4399c35736bd8a207036b708ea27adfdde6bf1a72

SHA512
608212f34ac68d21f41572e99952997a5fcdb0ef58915bc7150ea9fabcf33e0156913adda1cb2b242ee06db9c8b6d955bcdf695f48600719bcfb85645da99bf2

Download Submit
memory/1380-29-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1380-30-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1380-32-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1380-28-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4140-39-0x0000000005C70000-0x0000000006288000-memory.dmp

Filesize
6.1MB

Download
memory/4140-37-0x0000000074090000-0x0000000074840000-memory.dmp

Filesize
7.7MB

Download
memory/4140-38-0x0000000002F90000-0x0000000002F96000-memory.dmp

Filesize
24KB

Download
memory/4140-36-0x0000000000AC0000-0x0000000000AF0000-memory.dmp

Filesize
192KB

Download
memory/4140-40-0x0000000005760000-0x000000000586A000-memory.dmp

Filesize
1.0MB

Download
memory/4140-41-0x0000000005540000-0x0000000005550000-memory.dmp

Filesize
64KB

Download
memory/4140-42-0x0000000005480000-0x0000000005492000-memory.dmp

Filesize
72KB

Download
memory/4140-43-0x00000000054E0000-0x000000000551C000-memory.dmp

Filesize
240KB

Download
memory/4140-44-0x0000000005650000-0x000000000569C000-memory.dmp

Filesize
304KB

Download
memory/4140-45-0x0000000074090000-0x0000000074840000-memory.dmp

Filesize
7.7MB

Download
memory/4140-46-0x0000000005540000-0x0000000005550000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads