mystic | 75bc651b81daed0a35e1587e59c867610a31cb3e0b8423325e0322739a6fb2b5

Analysis

max time kernel
144s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11-10-2023 08:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

75bc651b81daed0a35e1587e59c867610a31cb3e0b8423325e0322739a6fb2b5.exe
Size

1.1MB
MD5

4d4ab373da2d7170b2ebb5789fe1b8c5
SHA1

a67d00f36345463fb8c2f30596ef601b620f7683
SHA256

75bc651b81daed0a35e1587e59c867610a31cb3e0b8423325e0322739a6fb2b5
SHA512

83f84d41d7de0849d0fdaccca78c384cffa4fb679659dec4c65b285f3d592898ad16d77ef7fbebedf5525cd5a233a4a517363989a2743dbccd564c668ade2242
SSDEEP

24576:nyljaxBG7KCicvm+3Vg9DZcCXKwvbOOtNXM84V519rtf:yljabG7KCflg9DZFvbjtNa59R

Score

10^/10

mystic redline luate infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

luate

77.91.124.55:19071

Attributes

auth_value
e45cd419aba6c9d372088ffe5629308b

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral2/memory/1512-28-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/1512-29-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/1512-32-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/1512-30-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
4752	x7433626.exe
4388	x0022475.exe
3856	x2529638.exe
2220	g6650455.exe
4416	h7662844.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x7433626.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x0022475.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x2529638.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	75bc651b81daed0a35e1587e59c867610a31cb3e0b8423325e0322739a6fb2b5.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2220 set thread context of 1512	2220	g6650455.exe	89

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4988	1512	WerFault.exe	89
2724	2220	WerFault.exe	62

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 4280 wrote to memory of 4752	4280	75bc651b81daed0a35e1587e59c867610a31cb3e0b8423325e0322739a6fb2b5.exe	47
PID 4280 wrote to memory of 4752	4280	75bc651b81daed0a35e1587e59c867610a31cb3e0b8423325e0322739a6fb2b5.exe	47
PID 4280 wrote to memory of 4752	4280	75bc651b81daed0a35e1587e59c867610a31cb3e0b8423325e0322739a6fb2b5.exe	47
PID 4752 wrote to memory of 4388	4752	x7433626.exe	54
PID 4752 wrote to memory of 4388	4752	x7433626.exe	54
PID 4752 wrote to memory of 4388	4752	x7433626.exe	54
PID 4388 wrote to memory of 3856	4388	x0022475.exe	58
PID 4388 wrote to memory of 3856	4388	x0022475.exe	58
PID 4388 wrote to memory of 3856	4388	x0022475.exe	58
PID 3856 wrote to memory of 2220	3856	x2529638.exe	62
PID 3856 wrote to memory of 2220	3856	x2529638.exe	62
PID 3856 wrote to memory of 2220	3856	x2529638.exe	62
PID 2220 wrote to memory of 1512	2220	g6650455.exe	89
PID 2220 wrote to memory of 1512	2220	g6650455.exe	89
PID 2220 wrote to memory of 1512	2220	g6650455.exe	89
PID 2220 wrote to memory of 1512	2220	g6650455.exe	89
PID 2220 wrote to memory of 1512	2220	g6650455.exe	89
PID 2220 wrote to memory of 1512	2220	g6650455.exe	89
PID 2220 wrote to memory of 1512	2220	g6650455.exe	89
PID 2220 wrote to memory of 1512	2220	g6650455.exe	89
PID 2220 wrote to memory of 1512	2220	g6650455.exe	89
PID 2220 wrote to memory of 1512	2220	g6650455.exe	89
PID 3856 wrote to memory of 4416	3856	x2529638.exe	97
PID 3856 wrote to memory of 4416	3856	x2529638.exe	97
PID 3856 wrote to memory of 4416	3856	x2529638.exe	97

C:\Users\Admin\AppData\Local\Temp\75bc651b81daed0a35e1587e59c867610a31cb3e0b8423325e0322739a6fb2b5.exe
"C:\Users\Admin\AppData\Local\Temp\75bc651b81daed0a35e1587e59c867610a31cb3e0b8423325e0322739a6fb2b5.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4280
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7433626.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7433626.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4752
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x0022475.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x0022475.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4388
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x2529638.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x2529638.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3856
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g6650455.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g6650455.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2220
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1512 -s 196
        7⤵
        Program crash
        
        PID:4988
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2220 -s 592
        6⤵
        Program crash
        
        PID:2724
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h7662844.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h7662844.exe
        5⤵
        Executes dropped EXE
        
        PID:4416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2220 -ip 2220
1⤵
PID:5016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1512 -ip 1512
1⤵
PID:676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7433626.exe

Filesize
1.0MB

MD5
15924b11d2d2c455bc656e12d48be0bc

SHA1
eb47c1492fe6a8a71e51f40b6fadb7933d96c717

SHA256
35f474e21be0196a239bef9e2c4457abde03a2e1ec05da62ec7bdeed2a919012

SHA512
f509d1fd2a5c424eb05362ec2e62df996be9173fb346e4913552461c4fee92a47e5bd60fe84a686c6b18227d9faacaa27100b6173c0c78f892c7820a313507a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7433626.exe

Filesize
1.0MB

MD5
15924b11d2d2c455bc656e12d48be0bc

SHA1
eb47c1492fe6a8a71e51f40b6fadb7933d96c717

SHA256
35f474e21be0196a239bef9e2c4457abde03a2e1ec05da62ec7bdeed2a919012

SHA512
f509d1fd2a5c424eb05362ec2e62df996be9173fb346e4913552461c4fee92a47e5bd60fe84a686c6b18227d9faacaa27100b6173c0c78f892c7820a313507a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x0022475.exe

Filesize
675KB

MD5
1466bb9b5db9bb64e368d8189d4e6f69

SHA1
c744af4cc8a4d98d71f7efb6f57df1d6457c43ea

SHA256
0f2e5ed751f05db830ca9872d97a3ae196dde110d57fa9b356f24e1d7bf6c4c1

SHA512
3bb9ba8a38dbd4591c3b3455568353a71156da51c2277edafd1085b6011b1ec99622f72afd31e50f889a80c3f574db42f7f26e72851a8d30e0dbda9fc9df2a7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x0022475.exe

Filesize
675KB

MD5
1466bb9b5db9bb64e368d8189d4e6f69

SHA1
c744af4cc8a4d98d71f7efb6f57df1d6457c43ea

SHA256
0f2e5ed751f05db830ca9872d97a3ae196dde110d57fa9b356f24e1d7bf6c4c1

SHA512
3bb9ba8a38dbd4591c3b3455568353a71156da51c2277edafd1085b6011b1ec99622f72afd31e50f889a80c3f574db42f7f26e72851a8d30e0dbda9fc9df2a7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x2529638.exe

Filesize
509KB

MD5
e5f924acb1d3002d130dd311c04dd518

SHA1
3f5506a4339ac4f183b7dbc01454c893159ceb6d

SHA256
cae46e7211f6c94afa1808aa009ffab304b638b09d55a1f5b67087fba9c0cf27

SHA512
b00119a24d9a22809339408618bc4ec7a7b1e75da7719eee1098b0192178bd9c5d1996fdc551303debfd5b76746f78ce3f5f099a65e4658b67f738690da95cca

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x2529638.exe

Filesize
509KB

MD5
e5f924acb1d3002d130dd311c04dd518

SHA1
3f5506a4339ac4f183b7dbc01454c893159ceb6d

SHA256
cae46e7211f6c94afa1808aa009ffab304b638b09d55a1f5b67087fba9c0cf27

SHA512
b00119a24d9a22809339408618bc4ec7a7b1e75da7719eee1098b0192178bd9c5d1996fdc551303debfd5b76746f78ce3f5f099a65e4658b67f738690da95cca

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g6650455.exe

Filesize
1016KB

MD5
038bedf48ab213da7e0dd85ff86deba8

SHA1
10b59e56a9635ec01b5c886493ffd70ed2834153

SHA256
2f6e629321680f5e674bc7c0c6dbefb8e2639b0e63e1065b29eca447a925223a

SHA512
1337b7b2ad6732cf94241e87b9bcce35f3cd9bb33865377f1fcbba0b3bc308a39aeaf45e631e61a2a512d8d0bbf2a044139255396930b1c70d8c5d22617d9080

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g6650455.exe

Filesize
1016KB

MD5
038bedf48ab213da7e0dd85ff86deba8

SHA1
10b59e56a9635ec01b5c886493ffd70ed2834153

SHA256
2f6e629321680f5e674bc7c0c6dbefb8e2639b0e63e1065b29eca447a925223a

SHA512
1337b7b2ad6732cf94241e87b9bcce35f3cd9bb33865377f1fcbba0b3bc308a39aeaf45e631e61a2a512d8d0bbf2a044139255396930b1c70d8c5d22617d9080

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h7662844.exe

Filesize
174KB

MD5
afc78d3fc8e509fdf057066e25e3b4d4

SHA1
ef6b913213ff9172ae6c96828a3837fc15839753

SHA256
020d3b925e16186375512f372c2a16b4754dac32a8ee2cc4345217d4c92fef82

SHA512
bf81a0a773763d8cae1e910dc7f26609b5bb241eca0be5246c6f2e7c7fd551ad0837f35aa867aafdfabe9e5644ffc3d866afcd64dd78bb86902b3b8955f1904f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h7662844.exe

Filesize
174KB

MD5
afc78d3fc8e509fdf057066e25e3b4d4

SHA1
ef6b913213ff9172ae6c96828a3837fc15839753

SHA256
020d3b925e16186375512f372c2a16b4754dac32a8ee2cc4345217d4c92fef82

SHA512
bf81a0a773763d8cae1e910dc7f26609b5bb241eca0be5246c6f2e7c7fd551ad0837f35aa867aafdfabe9e5644ffc3d866afcd64dd78bb86902b3b8955f1904f

Download Submit
memory/1512-29-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1512-32-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1512-30-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1512-28-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4416-39-0x0000000005D90000-0x00000000063A8000-memory.dmp

Filesize
6.1MB

Download
memory/4416-37-0x00000000744E0000-0x0000000074C90000-memory.dmp

Filesize
7.7MB

Download
memory/4416-38-0x00000000030B0000-0x00000000030B6000-memory.dmp

Filesize
24KB

Download
memory/4416-36-0x0000000000E50000-0x0000000000E80000-memory.dmp

Filesize
192KB

Download
memory/4416-40-0x00000000058A0000-0x00000000059AA000-memory.dmp

Filesize
1.0MB

Download
memory/4416-41-0x00000000030A0000-0x00000000030B0000-memory.dmp

Filesize
64KB

Download
memory/4416-42-0x00000000057E0000-0x00000000057F2000-memory.dmp

Filesize
72KB

Download
memory/4416-43-0x0000000005840000-0x000000000587C000-memory.dmp

Filesize
240KB

Download
memory/4416-44-0x00000000059B0000-0x00000000059FC000-memory.dmp

Filesize
304KB

Download
memory/4416-45-0x00000000744E0000-0x0000000074C90000-memory.dmp

Filesize
7.7MB

Download
memory/4416-46-0x00000000030A0000-0x00000000030B0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads