mystic | 4b2b83f77c6d81f60d963a3d35562930e3631bc83c02f5b66faf0f12484b6eac

Analysis

max time kernel
147s
max time network
167s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2023, 10:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4b2b83f77c6d81f60d963a3d35562930e3631bc83c02f5b66faf0f12484b6eac.exe
Size

908KB
MD5

939f12f6f0ef949958e6835b42998c67
SHA1

0f87bda2f9f0ecf6bd0dde9fefe7ed865a747388
SHA256

4b2b83f77c6d81f60d963a3d35562930e3631bc83c02f5b66faf0f12484b6eac
SHA512

1ab6f2979aa977fc871b076d78d35948cfec1e2e6c3fe4cab62ebdfe9bf4818a79308c912906135c58d5a85f5ad7969509b40353ba3f4f499c36ede301939591
SSDEEP

24576:syqXpmgNgmulSfDNjrpbWcyLHrEGuglXrarYf:bqXpmgNmlSffWcyAGn4k

Score

10^/10

mystic redline luate infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

luate

77.91.124.55:19071

Attributes

auth_value
e45cd419aba6c9d372088ffe5629308b

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral2/memory/1836-28-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/1836-29-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/1836-30-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/1836-32-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
2028	x9015294.exe
4756	x0791643.exe
1756	x1603673.exe
4840	g6841266.exe
4164	h7789775.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	4b2b83f77c6d81f60d963a3d35562930e3631bc83c02f5b66faf0f12484b6eac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x9015294.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x0791643.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x1603673.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4840 set thread context of 1836	4840	g6841266.exe	90

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4420	1836	WerFault.exe	90
2400	4840	WerFault.exe	89

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 3768 wrote to memory of 2028	3768	4b2b83f77c6d81f60d963a3d35562930e3631bc83c02f5b66faf0f12484b6eac.exe	86
PID 3768 wrote to memory of 2028	3768	4b2b83f77c6d81f60d963a3d35562930e3631bc83c02f5b66faf0f12484b6eac.exe	86
PID 3768 wrote to memory of 2028	3768	4b2b83f77c6d81f60d963a3d35562930e3631bc83c02f5b66faf0f12484b6eac.exe	86
PID 2028 wrote to memory of 4756	2028	x9015294.exe	87
PID 2028 wrote to memory of 4756	2028	x9015294.exe	87
PID 2028 wrote to memory of 4756	2028	x9015294.exe	87
PID 4756 wrote to memory of 1756	4756	x0791643.exe	88
PID 4756 wrote to memory of 1756	4756	x0791643.exe	88
PID 4756 wrote to memory of 1756	4756	x0791643.exe	88
PID 1756 wrote to memory of 4840	1756	x1603673.exe	89
PID 1756 wrote to memory of 4840	1756	x1603673.exe	89
PID 1756 wrote to memory of 4840	1756	x1603673.exe	89
PID 4840 wrote to memory of 1836	4840	g6841266.exe	90
PID 4840 wrote to memory of 1836	4840	g6841266.exe	90
PID 4840 wrote to memory of 1836	4840	g6841266.exe	90
PID 4840 wrote to memory of 1836	4840	g6841266.exe	90
PID 4840 wrote to memory of 1836	4840	g6841266.exe	90
PID 4840 wrote to memory of 1836	4840	g6841266.exe	90
PID 4840 wrote to memory of 1836	4840	g6841266.exe	90
PID 4840 wrote to memory of 1836	4840	g6841266.exe	90
PID 4840 wrote to memory of 1836	4840	g6841266.exe	90
PID 4840 wrote to memory of 1836	4840	g6841266.exe	90
PID 1756 wrote to memory of 4164	1756	x1603673.exe	102
PID 1756 wrote to memory of 4164	1756	x1603673.exe	102
PID 1756 wrote to memory of 4164	1756	x1603673.exe	102

C:\Users\Admin\AppData\Local\Temp\4b2b83f77c6d81f60d963a3d35562930e3631bc83c02f5b66faf0f12484b6eac.exe
"C:\Users\Admin\AppData\Local\Temp\4b2b83f77c6d81f60d963a3d35562930e3631bc83c02f5b66faf0f12484b6eac.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3768
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9015294.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9015294.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2028
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x0791643.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x0791643.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4756
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x1603673.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x1603673.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1756
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g6841266.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g6841266.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4840
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1836 -s 540
        7⤵
        Program crash
        
        PID:4420
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4840 -s 552
        6⤵
        Program crash
        
        PID:2400
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h7789775.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h7789775.exe
        5⤵
        Executes dropped EXE
        
        PID:4164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4840 -ip 4840
1⤵
PID:3076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1836 -ip 1836
1⤵
PID:4880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9015294.exe

Filesize
806KB

MD5
b04c913290b70fb112b550f63aaea449

SHA1
0709447040e3420f28275cf2cd09d3f6571400ff

SHA256
23c5f3e5b85e0ca364d86e819db747087a78a747252f362248fdfdb71eba99aa

SHA512
da5102b33bcff1cac52e9e43670c930d3e53f792608b3be59edc3b5077fdabecfe8c27f45e80c55f9ab679d412d3ae902deb3d5c42f810f66c0bb8c6b9d63cc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9015294.exe

Filesize
806KB

MD5
b04c913290b70fb112b550f63aaea449

SHA1
0709447040e3420f28275cf2cd09d3f6571400ff

SHA256
23c5f3e5b85e0ca364d86e819db747087a78a747252f362248fdfdb71eba99aa

SHA512
da5102b33bcff1cac52e9e43670c930d3e53f792608b3be59edc3b5077fdabecfe8c27f45e80c55f9ab679d412d3ae902deb3d5c42f810f66c0bb8c6b9d63cc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x0791643.exe

Filesize
545KB

MD5
9dd054b0e9d6fc484f382787eb4071c8

SHA1
74eb3f27cadf927772e048af6fe509ab3eab13b3

SHA256
892f1bf5d03c460f658f033c4d1b1a68fbd9deea92806f72e4ef7a766e69b0e5

SHA512
d31bacb713e6087f8c6ae6d971f25d9b0c78e309000d5d44c0bb15e1bc4479c1124fdbf58301e916488ef9ab97e01ee821adc95410d3924e27f5bce1f9101526

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x0791643.exe

Filesize
545KB

MD5
9dd054b0e9d6fc484f382787eb4071c8

SHA1
74eb3f27cadf927772e048af6fe509ab3eab13b3

SHA256
892f1bf5d03c460f658f033c4d1b1a68fbd9deea92806f72e4ef7a766e69b0e5

SHA512
d31bacb713e6087f8c6ae6d971f25d9b0c78e309000d5d44c0bb15e1bc4479c1124fdbf58301e916488ef9ab97e01ee821adc95410d3924e27f5bce1f9101526

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x1603673.exe

Filesize
379KB

MD5
2df77f873ac1f0fbdb1cb20107716f9c

SHA1
174990ccfbe42da10a9860ec6a4e556ffe599548

SHA256
ddb4313111d828d81367a1ee4e94da68eb1dfa3dd984970196d90515183d17d0

SHA512
5186833b54a4551aa1be33666d5630ed5cfdb020ee92d814e1ee961616018503d6cc08d9221bbe51dc6d7c011ab2a91d423f988767297cf5704dc97a54f8916c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x1603673.exe

Filesize
379KB

MD5
2df77f873ac1f0fbdb1cb20107716f9c

SHA1
174990ccfbe42da10a9860ec6a4e556ffe599548

SHA256
ddb4313111d828d81367a1ee4e94da68eb1dfa3dd984970196d90515183d17d0

SHA512
5186833b54a4551aa1be33666d5630ed5cfdb020ee92d814e1ee961616018503d6cc08d9221bbe51dc6d7c011ab2a91d423f988767297cf5704dc97a54f8916c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g6841266.exe

Filesize
350KB

MD5
c2d378d4995590f1a73335d2b0ee394c

SHA1
00704bc537e86055dac45c78d80739d8dd985c63

SHA256
e76cee271a0100dbdbf4795e9d8a79ddceccdd8f0da525906de6fa1b6738e7b4

SHA512
1abd88faf3b9792d94b8151369a857a97c9ae750513b2c58abfb6fca5096033986e3313da95e2caa56388770b74f29cd47c4ddbe7ddf8e98fd16b3f5ee6ba7c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g6841266.exe

Filesize
350KB

MD5
c2d378d4995590f1a73335d2b0ee394c

SHA1
00704bc537e86055dac45c78d80739d8dd985c63

SHA256
e76cee271a0100dbdbf4795e9d8a79ddceccdd8f0da525906de6fa1b6738e7b4

SHA512
1abd88faf3b9792d94b8151369a857a97c9ae750513b2c58abfb6fca5096033986e3313da95e2caa56388770b74f29cd47c4ddbe7ddf8e98fd16b3f5ee6ba7c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h7789775.exe

Filesize
174KB

MD5
d73251720a59f6827a7c4d83fb67e289

SHA1
346008ab58a4acf2cde7902d6bec8ab2b8c3f923

SHA256
a61a65f48adff8ae63ef29d118cd1203689d19b646377a08bcd97faa474038d7

SHA512
443d4e42765427ccb4b484ea343015a474eb0709dd6c781d412c84141023fcc122a45f5876e0f7197b516bf946c955c8c5642332b098d6e605b37e08faed1c13

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h7789775.exe

Filesize
174KB

MD5
d73251720a59f6827a7c4d83fb67e289

SHA1
346008ab58a4acf2cde7902d6bec8ab2b8c3f923

SHA256
a61a65f48adff8ae63ef29d118cd1203689d19b646377a08bcd97faa474038d7

SHA512
443d4e42765427ccb4b484ea343015a474eb0709dd6c781d412c84141023fcc122a45f5876e0f7197b516bf946c955c8c5642332b098d6e605b37e08faed1c13

Download Submit
memory/1836-29-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1836-30-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1836-32-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1836-28-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4164-39-0x0000000005440000-0x0000000005A58000-memory.dmp

Filesize
6.1MB

Download
memory/4164-37-0x0000000074340000-0x0000000074AF0000-memory.dmp

Filesize
7.7MB

Download
memory/4164-38-0x0000000000C40000-0x0000000000C46000-memory.dmp

Filesize
24KB

Download
memory/4164-36-0x0000000000410000-0x0000000000440000-memory.dmp

Filesize
192KB

Download
memory/4164-40-0x0000000004F30000-0x000000000503A000-memory.dmp

Filesize
1.0MB

Download
memory/4164-41-0x0000000004D90000-0x0000000004DA2000-memory.dmp

Filesize
72KB

Download
memory/4164-42-0x0000000004E10000-0x0000000004E20000-memory.dmp

Filesize
64KB

Download
memory/4164-43-0x0000000004E20000-0x0000000004E5C000-memory.dmp

Filesize
240KB

Download
memory/4164-44-0x0000000004E60000-0x0000000004EAC000-memory.dmp

Filesize
304KB

Download
memory/4164-45-0x0000000074340000-0x0000000074AF0000-memory.dmp

Filesize
7.7MB

Download
memory/4164-46-0x0000000004E10000-0x0000000004E20000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads