mystic | 94badceb6b6f1039c27cf2eb6f8e12015d66c1a9b77c420739cfa1d53fd3aeef

Analysis

max time kernel
151s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2023, 09:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ba437a1e6e075cfd2f196bd8501c349ccc23b0400514b84b97bc3f786e0f57d6.exe
Size

907KB
MD5

1609538cc65c63edce6b5c220371e2b4
SHA1

adb56a58e570cf51e48dafb38d11cb2803cd59fb
SHA256

ba437a1e6e075cfd2f196bd8501c349ccc23b0400514b84b97bc3f786e0f57d6
SHA512

db7c54537311dc60d35331eaa692d26a24fd4ee770f1e5668d74d8e1ef90fa9c9440e5f85319af1194731ad3feff04a9f2564cc93578750c7e7f9bb387efd063
SSDEEP

12288:lMr/y90+mD8zCT3r69wXHu3/Dke760amsfpc4HAGMwFCI3nWLNDlQFIGcUdxWeoK:Kyf6n3pu3/HcmGuhkCI3nTqOR6I

Score

10^/10

mystic redline luate infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

luate

77.91.124.55:19071

Attributes

auth_value
e45cd419aba6c9d372088ffe5629308b

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral2/memory/3388-28-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/3388-29-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/3388-30-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/3388-32-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
2884	x5726644.exe
5032	x8805806.exe
3404	x0262204.exe
4108	g3485536.exe
4160	h4176629.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x5726644.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x8805806.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x0262204.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ba437a1e6e075cfd2f196bd8501c349ccc23b0400514b84b97bc3f786e0f57d6.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4108 set thread context of 3388	4108	g3485536.exe	90

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4572	4108	WerFault.exe	89
4220	3388	WerFault.exe	90

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 3720 wrote to memory of 2884	3720	ba437a1e6e075cfd2f196bd8501c349ccc23b0400514b84b97bc3f786e0f57d6.exe	86
PID 3720 wrote to memory of 2884	3720	ba437a1e6e075cfd2f196bd8501c349ccc23b0400514b84b97bc3f786e0f57d6.exe	86
PID 3720 wrote to memory of 2884	3720	ba437a1e6e075cfd2f196bd8501c349ccc23b0400514b84b97bc3f786e0f57d6.exe	86
PID 2884 wrote to memory of 5032	2884	x5726644.exe	87
PID 2884 wrote to memory of 5032	2884	x5726644.exe	87
PID 2884 wrote to memory of 5032	2884	x5726644.exe	87
PID 5032 wrote to memory of 3404	5032	x8805806.exe	88
PID 5032 wrote to memory of 3404	5032	x8805806.exe	88
PID 5032 wrote to memory of 3404	5032	x8805806.exe	88
PID 3404 wrote to memory of 4108	3404	x0262204.exe	89
PID 3404 wrote to memory of 4108	3404	x0262204.exe	89
PID 3404 wrote to memory of 4108	3404	x0262204.exe	89
PID 4108 wrote to memory of 3388	4108	g3485536.exe	90
PID 4108 wrote to memory of 3388	4108	g3485536.exe	90
PID 4108 wrote to memory of 3388	4108	g3485536.exe	90
PID 4108 wrote to memory of 3388	4108	g3485536.exe	90
PID 4108 wrote to memory of 3388	4108	g3485536.exe	90
PID 4108 wrote to memory of 3388	4108	g3485536.exe	90
PID 4108 wrote to memory of 3388	4108	g3485536.exe	90
PID 4108 wrote to memory of 3388	4108	g3485536.exe	90
PID 4108 wrote to memory of 3388	4108	g3485536.exe	90
PID 4108 wrote to memory of 3388	4108	g3485536.exe	90
PID 3404 wrote to memory of 4160	3404	x0262204.exe	97
PID 3404 wrote to memory of 4160	3404	x0262204.exe	97
PID 3404 wrote to memory of 4160	3404	x0262204.exe	97

C:\Users\Admin\AppData\Local\Temp\ba437a1e6e075cfd2f196bd8501c349ccc23b0400514b84b97bc3f786e0f57d6.exe
"C:\Users\Admin\AppData\Local\Temp\ba437a1e6e075cfd2f196bd8501c349ccc23b0400514b84b97bc3f786e0f57d6.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3720
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5726644.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5726644.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2884
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8805806.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8805806.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:5032
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x0262204.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x0262204.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3404
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g3485536.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g3485536.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4108
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3388 -s 540
        7⤵
        Program crash
        
        PID:4220
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4108 -s 552
        6⤵
        Program crash
        
        PID:4572
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h4176629.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h4176629.exe
        5⤵
        Executes dropped EXE
        
        PID:4160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4108 -ip 4108
1⤵
PID:968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3388 -ip 3388
1⤵
PID:1484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5726644.exe

Filesize
805KB

MD5
4f966e80bf9e88ccf3410550fcd5b017

SHA1
13ff88b9dba2667a797203f8e9b29e094f83e9d3

SHA256
a8dacdb2fddb376a8f77443657a873c2686f18468277a26e09838e252a660f54

SHA512
0f7d812669d1e095e23861d03e5b4b99f21878eaf3c1d64595452585250fa14608527d7a390a3a02d7585a62f11f2441e048fe0483576363f8f41a3c1b59e480

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5726644.exe

Filesize
805KB

MD5
4f966e80bf9e88ccf3410550fcd5b017

SHA1
13ff88b9dba2667a797203f8e9b29e094f83e9d3

SHA256
a8dacdb2fddb376a8f77443657a873c2686f18468277a26e09838e252a660f54

SHA512
0f7d812669d1e095e23861d03e5b4b99f21878eaf3c1d64595452585250fa14608527d7a390a3a02d7585a62f11f2441e048fe0483576363f8f41a3c1b59e480

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8805806.exe

Filesize
545KB

MD5
5ce66d56944d9daeea265dadbf3a6356

SHA1
6b95a74950d2439c9037727760dd34165f1b229c

SHA256
7ccb0348675be09971159dcef94515bd768f489d75614145e0b8639ac6111b3c

SHA512
fc2bbd6c467f6276218e87ed58648c82e93eddce10877748f5ffca64ea59abfdd2e8d3d605fa4aa404ac3e9f291c013e500508826aaa00e7d1f1e45be2130dc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8805806.exe

Filesize
545KB

MD5
5ce66d56944d9daeea265dadbf3a6356

SHA1
6b95a74950d2439c9037727760dd34165f1b229c

SHA256
7ccb0348675be09971159dcef94515bd768f489d75614145e0b8639ac6111b3c

SHA512
fc2bbd6c467f6276218e87ed58648c82e93eddce10877748f5ffca64ea59abfdd2e8d3d605fa4aa404ac3e9f291c013e500508826aaa00e7d1f1e45be2130dc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x0262204.exe

Filesize
379KB

MD5
18a4841763d98309229bb1052c667843

SHA1
d1bfc798311c28591c1ab02cc945eae1c12767c6

SHA256
6c9b66adbb9ab3a93d3b4fd29ec76762386be94ec6192d739cd093d3a1dc8381

SHA512
b9db4a294cbd521ab37a17b621cc375dfbb74d85b7427835ba8536f570c5314417c486c3e59397c76007e46c7f3454166b1788e8d1f3b92df3b5ce173252946c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x0262204.exe

Filesize
379KB

MD5
18a4841763d98309229bb1052c667843

SHA1
d1bfc798311c28591c1ab02cc945eae1c12767c6

SHA256
6c9b66adbb9ab3a93d3b4fd29ec76762386be94ec6192d739cd093d3a1dc8381

SHA512
b9db4a294cbd521ab37a17b621cc375dfbb74d85b7427835ba8536f570c5314417c486c3e59397c76007e46c7f3454166b1788e8d1f3b92df3b5ce173252946c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g3485536.exe

Filesize
350KB

MD5
3e8db4501f3f636424531085946f4952

SHA1
7702881a79fab2037489af2c9161c26788f9788c

SHA256
920a5251e900f50bf1054a458c7e12dc8d9216b2f4326c55532507cadb8a23f8

SHA512
ea5d1966167590722a16aaa9ce96808c140459cd569ca64f30b5a38ecba96556294cdbf33c0e90bd767d2ba738d9cc90177942a2b97d5c7c69a2ff30bd33868d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g3485536.exe

Filesize
350KB

MD5
3e8db4501f3f636424531085946f4952

SHA1
7702881a79fab2037489af2c9161c26788f9788c

SHA256
920a5251e900f50bf1054a458c7e12dc8d9216b2f4326c55532507cadb8a23f8

SHA512
ea5d1966167590722a16aaa9ce96808c140459cd569ca64f30b5a38ecba96556294cdbf33c0e90bd767d2ba738d9cc90177942a2b97d5c7c69a2ff30bd33868d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h4176629.exe

Filesize
174KB

MD5
16e89fedb90026ad720473e14c5cb439

SHA1
e09a44eeacf345075f8b402d14dd67543886e399

SHA256
04f31aab159516c54b89a7a5035e9070d975b5580b1d8169968944af2592d301

SHA512
24dea487b4f6e4204ebd1c89d093409d3c75b063bf9f22b776a5c7f0e591da7ec5db0b204eae399ed3096933f5ae23abbe5fffb70fc3c73bee9fb76d6c884ee1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h4176629.exe

Filesize
174KB

MD5
16e89fedb90026ad720473e14c5cb439

SHA1
e09a44eeacf345075f8b402d14dd67543886e399

SHA256
04f31aab159516c54b89a7a5035e9070d975b5580b1d8169968944af2592d301

SHA512
24dea487b4f6e4204ebd1c89d093409d3c75b063bf9f22b776a5c7f0e591da7ec5db0b204eae399ed3096933f5ae23abbe5fffb70fc3c73bee9fb76d6c884ee1

Download Submit
memory/3388-29-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3388-30-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3388-32-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3388-28-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4160-39-0x00000000052F0000-0x0000000005908000-memory.dmp

Filesize
6.1MB

Download
memory/4160-37-0x0000000074590000-0x0000000074D40000-memory.dmp

Filesize
7.7MB

Download
memory/4160-38-0x00000000027C0000-0x00000000027C6000-memory.dmp

Filesize
24KB

Download
memory/4160-36-0x0000000000370000-0x00000000003A0000-memory.dmp

Filesize
192KB

Download
memory/4160-40-0x0000000004DE0000-0x0000000004EEA000-memory.dmp

Filesize
1.0MB

Download
memory/4160-41-0x0000000004D00000-0x0000000004D12000-memory.dmp

Filesize
72KB

Download
memory/4160-42-0x0000000004BC0000-0x0000000004BD0000-memory.dmp

Filesize
64KB

Download
memory/4160-43-0x0000000004D60000-0x0000000004D9C000-memory.dmp

Filesize
240KB

Download
memory/4160-44-0x0000000004EF0000-0x0000000004F3C000-memory.dmp

Filesize
304KB

Download
memory/4160-45-0x0000000074590000-0x0000000074D40000-memory.dmp

Filesize
7.7MB

Download
memory/4160-46-0x0000000004BC0000-0x0000000004BD0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads