mystic | 8fe366b6ad0bc990027d4678c1fb5056ef24f63bbc912993de247c8c60a78925

Analysis

max time kernel
137s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2023, 09:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5b2c2ea338d66d44bb85255778ab29baa28d224601564b78248529a6a9f676fa.exe
Size

907KB
MD5

3f499a1933024166466a48c80ea6de27
SHA1

ca25d4bf7c2bdd0fe452332e7eed098946b18996
SHA256

5b2c2ea338d66d44bb85255778ab29baa28d224601564b78248529a6a9f676fa
SHA512

532216c4d2a7b7cc664e2fb187c7639e41d03afc131f3aff76288e7f2974ab0cc19a29e3705a45860cdcbf1c2f48552280d82228c7fb242a64a47c4c202bb807
SSDEEP

24576:RyraXEXASfGulWICYPf9nC+rouv47jeM+5DnTY9uz:EraEjG4WI339P6/ejY9u

Score

10^/10

mystic redline luate infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

luate

77.91.124.55:19071

Attributes

auth_value
e45cd419aba6c9d372088ffe5629308b

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral2/memory/3196-28-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/3196-29-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/3196-30-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/3196-32-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
1036	x1768154.exe
2364	x7044605.exe
4576	x4323957.exe
220	g1148226.exe
3972	h4947966.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5b2c2ea338d66d44bb85255778ab29baa28d224601564b78248529a6a9f676fa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x1768154.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x7044605.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x4323957.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 220 set thread context of 3196	220	g1148226.exe	91

Program crash 2 IoCs

pid	pid_target	Process	procid_target
5104	220	WerFault.exe	90
1128	3196	WerFault.exe	91

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 1108 wrote to memory of 1036	1108	5b2c2ea338d66d44bb85255778ab29baa28d224601564b78248529a6a9f676fa.exe	87
PID 1108 wrote to memory of 1036	1108	5b2c2ea338d66d44bb85255778ab29baa28d224601564b78248529a6a9f676fa.exe	87
PID 1108 wrote to memory of 1036	1108	5b2c2ea338d66d44bb85255778ab29baa28d224601564b78248529a6a9f676fa.exe	87
PID 1036 wrote to memory of 2364	1036	x1768154.exe	88
PID 1036 wrote to memory of 2364	1036	x1768154.exe	88
PID 1036 wrote to memory of 2364	1036	x1768154.exe	88
PID 2364 wrote to memory of 4576	2364	x7044605.exe	89
PID 2364 wrote to memory of 4576	2364	x7044605.exe	89
PID 2364 wrote to memory of 4576	2364	x7044605.exe	89
PID 4576 wrote to memory of 220	4576	x4323957.exe	90
PID 4576 wrote to memory of 220	4576	x4323957.exe	90
PID 4576 wrote to memory of 220	4576	x4323957.exe	90
PID 220 wrote to memory of 3196	220	g1148226.exe	91
PID 220 wrote to memory of 3196	220	g1148226.exe	91
PID 220 wrote to memory of 3196	220	g1148226.exe	91
PID 220 wrote to memory of 3196	220	g1148226.exe	91
PID 220 wrote to memory of 3196	220	g1148226.exe	91
PID 220 wrote to memory of 3196	220	g1148226.exe	91
PID 220 wrote to memory of 3196	220	g1148226.exe	91
PID 220 wrote to memory of 3196	220	g1148226.exe	91
PID 220 wrote to memory of 3196	220	g1148226.exe	91
PID 220 wrote to memory of 3196	220	g1148226.exe	91
PID 4576 wrote to memory of 3972	4576	x4323957.exe	98
PID 4576 wrote to memory of 3972	4576	x4323957.exe	98
PID 4576 wrote to memory of 3972	4576	x4323957.exe	98

C:\Users\Admin\AppData\Local\Temp\5b2c2ea338d66d44bb85255778ab29baa28d224601564b78248529a6a9f676fa.exe
"C:\Users\Admin\AppData\Local\Temp\5b2c2ea338d66d44bb85255778ab29baa28d224601564b78248529a6a9f676fa.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1108
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1768154.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1768154.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1036
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7044605.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7044605.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2364
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x4323957.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x4323957.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4576
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g1148226.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g1148226.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:220
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:3196
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3196 -s 540
        7⤵
        Program crash
        
        PID:1128
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 220 -s 556
        6⤵
        Program crash
        
        PID:5104
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h4947966.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h4947966.exe
        5⤵
        Executes dropped EXE
        
        PID:3972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3196 -ip 3196
1⤵
PID:2032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 220 -ip 220
1⤵
PID:4216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1768154.exe

Filesize
805KB

MD5
9d26e1a538d4c9b9019ec6c310204841

SHA1
c03d69ff5b8431aee079884e51812ff80f67c228

SHA256
6d19912db2db6ee80402c2a16fc453b813f0b5a4308d56a6ccc1495a27402540

SHA512
3f5330b6e9ea29ee57d2ebb8b779d059c517e19ee377509c5f9df06aae56d6b6c299822a010e59419ded980d07336c022bcf693acd86075aa544d9c67bd5673f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1768154.exe

Filesize
805KB

MD5
9d26e1a538d4c9b9019ec6c310204841

SHA1
c03d69ff5b8431aee079884e51812ff80f67c228

SHA256
6d19912db2db6ee80402c2a16fc453b813f0b5a4308d56a6ccc1495a27402540

SHA512
3f5330b6e9ea29ee57d2ebb8b779d059c517e19ee377509c5f9df06aae56d6b6c299822a010e59419ded980d07336c022bcf693acd86075aa544d9c67bd5673f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7044605.exe

Filesize
545KB

MD5
2ca58f57dc6b9f082c5a4410817ca893

SHA1
3cb6333701247941b0d301d3c7b8dd1c6877abde

SHA256
087ed6703349157f3c45c4de130c617e9cde926ee77123d90931c529663f8477

SHA512
16cf3b13c2c81e0075f7098b09a4c1934e6810ddfff8de2df0f706aa07d00744865e05430c5eef46c791aeb08239852d40cde233fd506e92c018c82eb4730e48

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7044605.exe

Filesize
545KB

MD5
2ca58f57dc6b9f082c5a4410817ca893

SHA1
3cb6333701247941b0d301d3c7b8dd1c6877abde

SHA256
087ed6703349157f3c45c4de130c617e9cde926ee77123d90931c529663f8477

SHA512
16cf3b13c2c81e0075f7098b09a4c1934e6810ddfff8de2df0f706aa07d00744865e05430c5eef46c791aeb08239852d40cde233fd506e92c018c82eb4730e48

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x4323957.exe

Filesize
379KB

MD5
4d42dba5a8b1d996d7dd8a6ea069a2a9

SHA1
1bcf34d3abfa648a079b240f56d8cfe27b9bf841

SHA256
cbfd38264b09960b5a6327832c7a20435dfefa29268b1fca81afd8b853be0ffa

SHA512
6f71c2269d2458799042ea7b285dcc69f7af55c0c8334c1d49cab31c9714c3b140908445ff96c8f1c59159f9dc3cccdae5b10abe76298cb473c58c250ba6237c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x4323957.exe

Filesize
379KB

MD5
4d42dba5a8b1d996d7dd8a6ea069a2a9

SHA1
1bcf34d3abfa648a079b240f56d8cfe27b9bf841

SHA256
cbfd38264b09960b5a6327832c7a20435dfefa29268b1fca81afd8b853be0ffa

SHA512
6f71c2269d2458799042ea7b285dcc69f7af55c0c8334c1d49cab31c9714c3b140908445ff96c8f1c59159f9dc3cccdae5b10abe76298cb473c58c250ba6237c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g1148226.exe

Filesize
350KB

MD5
9b761f165d26f5d8586102316b452643

SHA1
d6e9bca2cd581edf3cc78f0bff610a0b534a85b2

SHA256
a0ab90ef1ff5bb23e3dfe2c6c520cd864afbb09788acdef434478f4f4de74c32

SHA512
69e784b80a90504418299b568a0102884a278bfb2c1b5735d4d73537e5eb79e0c79b01c68c4e03e9877395e42aee343bcc26ac3b4edeb52d45056aec05ef153d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g1148226.exe

Filesize
350KB

MD5
9b761f165d26f5d8586102316b452643

SHA1
d6e9bca2cd581edf3cc78f0bff610a0b534a85b2

SHA256
a0ab90ef1ff5bb23e3dfe2c6c520cd864afbb09788acdef434478f4f4de74c32

SHA512
69e784b80a90504418299b568a0102884a278bfb2c1b5735d4d73537e5eb79e0c79b01c68c4e03e9877395e42aee343bcc26ac3b4edeb52d45056aec05ef153d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h4947966.exe

Filesize
174KB

MD5
d80f82a6d657c3645df5380b2cc5b744

SHA1
a6b310920e1f71b01edbff95f7de10619d3f6f27

SHA256
b478260294d884bd75a49a617ed21a9e6dc74a14f7d715f0217e8b79ef908d20

SHA512
9c3e137f5564a92768fb6050238f57c79c416cda9fd69a4fc66b6be1b0df8a194afeb48930d536f89d9a8a979d9111c3ab188c95869db4540f547349970af40d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h4947966.exe

Filesize
174KB

MD5
d80f82a6d657c3645df5380b2cc5b744

SHA1
a6b310920e1f71b01edbff95f7de10619d3f6f27

SHA256
b478260294d884bd75a49a617ed21a9e6dc74a14f7d715f0217e8b79ef908d20

SHA512
9c3e137f5564a92768fb6050238f57c79c416cda9fd69a4fc66b6be1b0df8a194afeb48930d536f89d9a8a979d9111c3ab188c95869db4540f547349970af40d

Download Submit
memory/3196-29-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3196-30-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3196-32-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3196-28-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3972-39-0x00000000059E0000-0x0000000005FF8000-memory.dmp

Filesize
6.1MB

Download
memory/3972-37-0x0000000074A90000-0x0000000075240000-memory.dmp

Filesize
7.7MB

Download
memory/3972-38-0x0000000005280000-0x0000000005286000-memory.dmp

Filesize
24KB

Download
memory/3972-36-0x0000000000AA0000-0x0000000000AD0000-memory.dmp

Filesize
192KB

Download
memory/3972-40-0x00000000054F0000-0x00000000055FA000-memory.dmp

Filesize
1.0MB

Download
memory/3972-42-0x00000000052B0000-0x00000000052C0000-memory.dmp

Filesize
64KB

Download
memory/3972-41-0x0000000005430000-0x0000000005442000-memory.dmp

Filesize
72KB

Download
memory/3972-43-0x0000000005490000-0x00000000054CC000-memory.dmp

Filesize
240KB

Download
memory/3972-44-0x0000000005600000-0x000000000564C000-memory.dmp

Filesize
304KB

Download
memory/3972-45-0x0000000074A90000-0x0000000075240000-memory.dmp

Filesize
7.7MB

Download
memory/3972-46-0x00000000052B0000-0x00000000052C0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads