mystic | ddc60473907851aa97a51ea0961943a3c617a74bf412949604158c27cb58ab7c

General

Target

x7589026.exe
Size

548KB
MD5

5fc38a43465ad286f27b5292792487c8
SHA1

1bf8cc84816dd5e82e4afe79ac4200db7242416d
SHA256

ddc60473907851aa97a51ea0961943a3c617a74bf412949604158c27cb58ab7c
SHA512

ff23d407198bb63c4f78e5b783f9e013269904403bf98088934178b93383ac83c43ab513d6311a38181847991c7a165640fff60778f89bd68a619258d3d55ac1
SSDEEP

12288:OMrsy90G7PedwiE3AO9LGxtm2o3XgddsjnI+Cm:2y17m63AOJ9ngvsIRm

Score

10^/10

mystic redline luate infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

luate

C2

77.91.124.55:19071

Attributes

auth_value
e45cd419aba6c9d372088ffe5629308b

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral2/memory/4840-14-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/4840-15-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/4840-16-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/4840-18-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
4972	x4379601.exe
4992	g8487715.exe
4260	h5531326.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	x7589026.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x4379601.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4992 set thread context of 4840	4992	g8487715.exe	86

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2020	4992	WerFault.exe	84
1068	4840	WerFault.exe	86

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 4640 wrote to memory of 4972	4640	x7589026.exe	83
PID 4640 wrote to memory of 4972	4640	x7589026.exe	83
PID 4640 wrote to memory of 4972	4640	x7589026.exe	83
PID 4972 wrote to memory of 4992	4972	x4379601.exe	84
PID 4972 wrote to memory of 4992	4972	x4379601.exe	84
PID 4972 wrote to memory of 4992	4972	x4379601.exe	84
PID 4992 wrote to memory of 4840	4992	g8487715.exe	86
PID 4992 wrote to memory of 4840	4992	g8487715.exe	86
PID 4992 wrote to memory of 4840	4992	g8487715.exe	86
PID 4992 wrote to memory of 4840	4992	g8487715.exe	86
PID 4992 wrote to memory of 4840	4992	g8487715.exe	86
PID 4992 wrote to memory of 4840	4992	g8487715.exe	86
PID 4992 wrote to memory of 4840	4992	g8487715.exe	86
PID 4992 wrote to memory of 4840	4992	g8487715.exe	86
PID 4992 wrote to memory of 4840	4992	g8487715.exe	86
PID 4992 wrote to memory of 4840	4992	g8487715.exe	86
PID 4972 wrote to memory of 4260	4972	x4379601.exe	92
PID 4972 wrote to memory of 4260	4972	x4379601.exe	92
PID 4972 wrote to memory of 4260	4972	x4379601.exe	92

C:\Users\Admin\AppData\Local\Temp\x7589026.exe
"C:\Users\Admin\AppData\Local\Temp\x7589026.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4640
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4379601.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4379601.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4972
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g8487715.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g8487715.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4992
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:4840
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4840 -s 196
        5⤵
        Program crash
        
        PID:1068
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4992 -s 148
      4⤵
      Program crash
      PID:2020
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h5531326.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h5531326.exe
    3⤵
    - Executes dropped EXE
    PID:4260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4840 -ip 4840
1⤵
PID:1080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4992 -ip 4992
1⤵
PID:4016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4379601.exe

Filesize
382KB

MD5
71df223322279636ccabfb90ef2b4bb2

SHA1
39b50ddd4db6106ca1254ab3d023852b56a16eb2

SHA256
a7a97e5d117dd00c697c9c4fbf2ab386e084b3b145bdb583be4cf62c27cf44b2

SHA512
e31b98ee0b53a6bc5ea455100d8abab91d580878de7075652e7f33205abd23d25c0327072738ac5d558fe6a59ac0c4151f5ccc36a7efaa20e77836b4a15c073d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4379601.exe

Filesize
382KB

MD5
71df223322279636ccabfb90ef2b4bb2

SHA1
39b50ddd4db6106ca1254ab3d023852b56a16eb2

SHA256
a7a97e5d117dd00c697c9c4fbf2ab386e084b3b145bdb583be4cf62c27cf44b2

SHA512
e31b98ee0b53a6bc5ea455100d8abab91d580878de7075652e7f33205abd23d25c0327072738ac5d558fe6a59ac0c4151f5ccc36a7efaa20e77836b4a15c073d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g8487715.exe

Filesize
346KB

MD5
fd620ebb2c1951d4834346f11afd4657

SHA1
5a1d626babe7ea1e0155bd014e9f857f471fdab8

SHA256
11ede2eb1509bddc07e53278a98204e4c68cadee8903b535b30c2e715b00b1bf

SHA512
735d8a64c1b6311d60094fd18baaeb3a712a96d581780c19b97a9418f175cf9eb500eb84421e53c2007319bc691046ae4c1a2d74c8b80e4e2682a43a021abf29

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g8487715.exe

Filesize
346KB

MD5
fd620ebb2c1951d4834346f11afd4657

SHA1
5a1d626babe7ea1e0155bd014e9f857f471fdab8

SHA256
11ede2eb1509bddc07e53278a98204e4c68cadee8903b535b30c2e715b00b1bf

SHA512
735d8a64c1b6311d60094fd18baaeb3a712a96d581780c19b97a9418f175cf9eb500eb84421e53c2007319bc691046ae4c1a2d74c8b80e4e2682a43a021abf29

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h5531326.exe

Filesize
174KB

MD5
f8e6d22fee9ce1df80496787c5685de4

SHA1
dab5db4646fff6b7aa534b7ff528ea06071d10fc

SHA256
fb6d79f8cd979e5df09cea9df252c6125ef59902f19d1c667439b60cbd339275

SHA512
7541b3a7d513d6945bc9830adf205ed3196ae7385991339ea4610431153fd242752c7148b69f944aa7f03932ae5d4540c09ef4d11450823b26e6a6a15b2ae4bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h5531326.exe

Filesize
174KB

MD5
f8e6d22fee9ce1df80496787c5685de4

SHA1
dab5db4646fff6b7aa534b7ff528ea06071d10fc

SHA256
fb6d79f8cd979e5df09cea9df252c6125ef59902f19d1c667439b60cbd339275

SHA512
7541b3a7d513d6945bc9830adf205ed3196ae7385991339ea4610431153fd242752c7148b69f944aa7f03932ae5d4540c09ef4d11450823b26e6a6a15b2ae4bd

Download Submit
memory/4260-27-0x0000000005130000-0x0000000005140000-memory.dmp

Filesize
64KB

Download
memory/4260-25-0x0000000005760000-0x0000000005D78000-memory.dmp

Filesize
6.1MB

Download
memory/4260-32-0x0000000005130000-0x0000000005140000-memory.dmp

Filesize
64KB

Download
memory/4260-31-0x0000000074880000-0x0000000075030000-memory.dmp

Filesize
7.7MB

Download
memory/4260-22-0x0000000074880000-0x0000000075030000-memory.dmp

Filesize
7.7MB

Download
memory/4260-23-0x00000000006A0000-0x00000000006D0000-memory.dmp

Filesize
192KB

Download
memory/4260-24-0x0000000002980000-0x0000000002986000-memory.dmp

Filesize
24KB

Download
memory/4260-30-0x00000000050D0000-0x000000000511C000-memory.dmp

Filesize
304KB

Download
memory/4260-26-0x0000000005250000-0x000000000535A000-memory.dmp

Filesize
1.0MB

Download
memory/4260-29-0x0000000005090000-0x00000000050CC000-memory.dmp

Filesize
240KB

Download
memory/4260-28-0x0000000002AD0000-0x0000000002AE2000-memory.dmp

Filesize
72KB

Download
memory/4840-14-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4840-18-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4840-15-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4840-16-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads