mystic | fe2d6154f80dd218fe679f30b90969bfaaabf3e0e308c05529d03be853ffa61a

Analysis

max time kernel
143s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2023, 09:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b1d5633d84850bec1bbe92b72f80ebb8f95ce9c0642f0930b8f9bfa95da130ea.exe
Size

907KB
MD5

02ddc57e766bf186b0a848221839e5e9
SHA1

59d13a4f71ff1321e7bed568cb670843539dc6e7
SHA256

b1d5633d84850bec1bbe92b72f80ebb8f95ce9c0642f0930b8f9bfa95da130ea
SHA512

63dcc3ef1b6af81e6605f6bdc125e7b6202e20196c858a0abd1a92a3e80656628514aff9bc6f7d2ee157bb80f2acd49bc12c540b404fa7ea9b6c3e1f89d8b110
SSDEEP

24576:Vy8D1RsaswjByhRFr9udCv7q0LP2gh2E2o:wwsgoF52Cv7l2

Score

10^/10

mystic redline luate infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

luate

77.91.124.55:19071

Attributes

auth_value
e45cd419aba6c9d372088ffe5629308b

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral2/memory/4552-28-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/4552-29-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/4552-30-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/4552-32-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
2952	x1468711.exe
3644	x8504553.exe
1476	x3417916.exe
2044	g2006911.exe
3868	h5982249.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b1d5633d84850bec1bbe92b72f80ebb8f95ce9c0642f0930b8f9bfa95da130ea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x1468711.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x8504553.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x3417916.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2044 set thread context of 4552	2044	g2006911.exe	90

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4396	4552	WerFault.exe	90
2180	2044	WerFault.exe	86

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 2708 wrote to memory of 2952	2708	b1d5633d84850bec1bbe92b72f80ebb8f95ce9c0642f0930b8f9bfa95da130ea.exe	83
PID 2708 wrote to memory of 2952	2708	b1d5633d84850bec1bbe92b72f80ebb8f95ce9c0642f0930b8f9bfa95da130ea.exe	83
PID 2708 wrote to memory of 2952	2708	b1d5633d84850bec1bbe92b72f80ebb8f95ce9c0642f0930b8f9bfa95da130ea.exe	83
PID 2952 wrote to memory of 3644	2952	x1468711.exe	84
PID 2952 wrote to memory of 3644	2952	x1468711.exe	84
PID 2952 wrote to memory of 3644	2952	x1468711.exe	84
PID 3644 wrote to memory of 1476	3644	x8504553.exe	85
PID 3644 wrote to memory of 1476	3644	x8504553.exe	85
PID 3644 wrote to memory of 1476	3644	x8504553.exe	85
PID 1476 wrote to memory of 2044	1476	x3417916.exe	86
PID 1476 wrote to memory of 2044	1476	x3417916.exe	86
PID 1476 wrote to memory of 2044	1476	x3417916.exe	86
PID 2044 wrote to memory of 3504	2044	g2006911.exe	88
PID 2044 wrote to memory of 3504	2044	g2006911.exe	88
PID 2044 wrote to memory of 3504	2044	g2006911.exe	88
PID 2044 wrote to memory of 3664	2044	g2006911.exe	89
PID 2044 wrote to memory of 3664	2044	g2006911.exe	89
PID 2044 wrote to memory of 3664	2044	g2006911.exe	89
PID 2044 wrote to memory of 4552	2044	g2006911.exe	90
PID 2044 wrote to memory of 4552	2044	g2006911.exe	90
PID 2044 wrote to memory of 4552	2044	g2006911.exe	90
PID 2044 wrote to memory of 4552	2044	g2006911.exe	90
PID 2044 wrote to memory of 4552	2044	g2006911.exe	90
PID 2044 wrote to memory of 4552	2044	g2006911.exe	90
PID 2044 wrote to memory of 4552	2044	g2006911.exe	90
PID 2044 wrote to memory of 4552	2044	g2006911.exe	90
PID 2044 wrote to memory of 4552	2044	g2006911.exe	90
PID 2044 wrote to memory of 4552	2044	g2006911.exe	90
PID 1476 wrote to memory of 3868	1476	x3417916.exe	97
PID 1476 wrote to memory of 3868	1476	x3417916.exe	97
PID 1476 wrote to memory of 3868	1476	x3417916.exe	97

C:\Users\Admin\AppData\Local\Temp\b1d5633d84850bec1bbe92b72f80ebb8f95ce9c0642f0930b8f9bfa95da130ea.exe
"C:\Users\Admin\AppData\Local\Temp\b1d5633d84850bec1bbe92b72f80ebb8f95ce9c0642f0930b8f9bfa95da130ea.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2708
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1468711.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1468711.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2952
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8504553.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8504553.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3644
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x3417916.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x3417916.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1476
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g2006911.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g2006911.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2044
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:3504
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:3664
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:4552
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4552 -s 540
        7⤵
        Program crash
        
        PID:4396
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2044 -s 580
        6⤵
        Program crash
        
        PID:2180
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h5982249.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h5982249.exe
        5⤵
        Executes dropped EXE
        
        PID:3868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4552 -ip 4552
1⤵
PID:564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2044 -ip 2044
1⤵
PID:760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1468711.exe

Filesize
805KB

MD5
9e2376d62bfccf554beef1a4a7147e39

SHA1
9ece230fd8dd9aab9f6daa81f8613b45bf697603

SHA256
e20795ca09c0e0bbae859b0e914854520bbaaf732706f46075356f6f24e80c5b

SHA512
b58ea4b7f194d81d69db9c052b681b4113d2317c2dea646e331572da43ca834f45c2fe7bd913b37f6dbe20189e51a07de2ee9f6a4ce6c4f504f1cf165a09e463

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1468711.exe

Filesize
805KB

MD5
9e2376d62bfccf554beef1a4a7147e39

SHA1
9ece230fd8dd9aab9f6daa81f8613b45bf697603

SHA256
e20795ca09c0e0bbae859b0e914854520bbaaf732706f46075356f6f24e80c5b

SHA512
b58ea4b7f194d81d69db9c052b681b4113d2317c2dea646e331572da43ca834f45c2fe7bd913b37f6dbe20189e51a07de2ee9f6a4ce6c4f504f1cf165a09e463

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8504553.exe

Filesize
545KB

MD5
0e32f58d90566b81ac003ba00774335f

SHA1
1963f1c6a3a2c987d77ed3b406f70a40690b9ad8

SHA256
be6de7c9f17fdd66d1e6e0123c36291634067294ba39b6f739c0d0fc584c11b1

SHA512
33ac378a4e3925ca852df5889461e38f1d92c6df55bb00d1b1fe06eca140749936bc710b9a4e46c00c9de25206825fdd64d9d895076e533fa81cbd0990691ecc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8504553.exe

Filesize
545KB

MD5
0e32f58d90566b81ac003ba00774335f

SHA1
1963f1c6a3a2c987d77ed3b406f70a40690b9ad8

SHA256
be6de7c9f17fdd66d1e6e0123c36291634067294ba39b6f739c0d0fc584c11b1

SHA512
33ac378a4e3925ca852df5889461e38f1d92c6df55bb00d1b1fe06eca140749936bc710b9a4e46c00c9de25206825fdd64d9d895076e533fa81cbd0990691ecc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x3417916.exe

Filesize
379KB

MD5
2c21e5272217a3b911b60af74e4982fe

SHA1
d2dfb17b589cfa6d1901cbec5b94c53b2292d211

SHA256
9f501c5317e05f2d9a339af4b919b5b2ad2060727204a970de7a9ebb3d4ce9b7

SHA512
cea2050ff4ecc68a3cf188baa6f0010b395ad7f1b290745af9910a91ec9894a65c101d452c890bb3ec2066d8807ca2907b2fd40a346eb16bd6d81bc3538f4e49

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x3417916.exe

Filesize
379KB

MD5
2c21e5272217a3b911b60af74e4982fe

SHA1
d2dfb17b589cfa6d1901cbec5b94c53b2292d211

SHA256
9f501c5317e05f2d9a339af4b919b5b2ad2060727204a970de7a9ebb3d4ce9b7

SHA512
cea2050ff4ecc68a3cf188baa6f0010b395ad7f1b290745af9910a91ec9894a65c101d452c890bb3ec2066d8807ca2907b2fd40a346eb16bd6d81bc3538f4e49

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g2006911.exe

Filesize
350KB

MD5
250c84e2bdae167f99d625dbc5527bc8

SHA1
411f67107c17395b3db5d93317c77bf20fb3cbe1

SHA256
49201f7755a0dfa7e8e3ac53e0185f5b6452cce7cc9d7355f9188fa6434a8a08

SHA512
ff35c8d88a602187f7aa28f67bb65495072918ddc8fc9911b2940339797aed9c70036c67fec8ba08bcde7da3d08bfd38b614e24c159ebac3a51fab5ba53fbb4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g2006911.exe

Filesize
350KB

MD5
250c84e2bdae167f99d625dbc5527bc8

SHA1
411f67107c17395b3db5d93317c77bf20fb3cbe1

SHA256
49201f7755a0dfa7e8e3ac53e0185f5b6452cce7cc9d7355f9188fa6434a8a08

SHA512
ff35c8d88a602187f7aa28f67bb65495072918ddc8fc9911b2940339797aed9c70036c67fec8ba08bcde7da3d08bfd38b614e24c159ebac3a51fab5ba53fbb4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h5982249.exe

Filesize
174KB

MD5
56e445f9e5a1ccd9673bd5cf50d8301e

SHA1
f512675779269b91dc8dee283500da1d38a16790

SHA256
32c59896cc299ce07c7e12b6db489512c8a434df8d04f7a796eb6f2019445f95

SHA512
3ab6761a747e2d47cb587720dc425d370d0427ecc16826d6b489cd1a32fb26792a785f231828248c1485537fff77c8c7a5d767197edec7c9d649d6c2404145f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h5982249.exe

Filesize
174KB

MD5
56e445f9e5a1ccd9673bd5cf50d8301e

SHA1
f512675779269b91dc8dee283500da1d38a16790

SHA256
32c59896cc299ce07c7e12b6db489512c8a434df8d04f7a796eb6f2019445f95

SHA512
3ab6761a747e2d47cb587720dc425d370d0427ecc16826d6b489cd1a32fb26792a785f231828248c1485537fff77c8c7a5d767197edec7c9d649d6c2404145f6

Download Submit
memory/3868-39-0x0000000005580000-0x0000000005B98000-memory.dmp

Filesize
6.1MB

Download
memory/3868-42-0x0000000004F50000-0x0000000004F60000-memory.dmp

Filesize
64KB

Download
memory/3868-46-0x0000000004F50000-0x0000000004F60000-memory.dmp

Filesize
64KB

Download
memory/3868-45-0x0000000074340000-0x0000000074AF0000-memory.dmp

Filesize
7.7MB

Download
memory/3868-36-0x00000000005D0000-0x0000000000600000-memory.dmp

Filesize
192KB

Download
memory/3868-37-0x0000000074340000-0x0000000074AF0000-memory.dmp

Filesize
7.7MB

Download
memory/3868-44-0x0000000005000000-0x000000000504C000-memory.dmp

Filesize
304KB

Download
memory/3868-40-0x0000000005070000-0x000000000517A000-memory.dmp

Filesize
1.0MB

Download
memory/3868-38-0x00000000028B0000-0x00000000028B6000-memory.dmp

Filesize
24KB

Download
memory/3868-41-0x0000000004F60000-0x0000000004F72000-memory.dmp

Filesize
72KB

Download
memory/3868-43-0x0000000004FC0000-0x0000000004FFC000-memory.dmp

Filesize
240KB

Download
memory/4552-29-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4552-32-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4552-30-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4552-28-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads