mystic | 7decb7675605f65b6adafa81ace426cffa10321bd4821225215a4ba499dce669

Analysis

max time kernel
159s
max time network
170s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2023, 11:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

18f4893f8dbb1717b4685c8646f90554.exe
Size

910KB
MD5

18f4893f8dbb1717b4685c8646f90554
SHA1

04b0da66addf77e2d011a3cfb8999011f10fd344
SHA256

7decb7675605f65b6adafa81ace426cffa10321bd4821225215a4ba499dce669
SHA512

91d92b342a98a1fa7ed86a892d908c12eb8e1fec79c1747831f2484c993f536dbe3429b103d1a8c4c0245f2ed99e582726e739c97cf181830906e2b7b82e3eb8
SSDEEP

12288:4MrFy90Gvb3A7jOpYwu8EJ2qh2RRwNen0hmkFFb1uj4UrYk0qY14qWuTD4zrqy0X:NyrzOOpYwu8EcYenuChcX1L1e6F

Score

10^/10

mystic redline luate infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

luate

77.91.124.55:19071

Attributes

auth_value
e45cd419aba6c9d372088ffe5629308b

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral2/memory/2944-28-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/2944-32-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/2944-30-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/2944-29-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
4044	x3231893.exe
1320	x3633049.exe
1800	x1193534.exe
4840	g1784005.exe
1224	h2646308.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	18f4893f8dbb1717b4685c8646f90554.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x3231893.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x3633049.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x1193534.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4840 set thread context of 2944	4840	g1784005.exe	90

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1720	2944	WerFault.exe	90
5068	4840	WerFault.exe	88

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 4364 wrote to memory of 4044	4364	18f4893f8dbb1717b4685c8646f90554.exe	85
PID 4364 wrote to memory of 4044	4364	18f4893f8dbb1717b4685c8646f90554.exe	85
PID 4364 wrote to memory of 4044	4364	18f4893f8dbb1717b4685c8646f90554.exe	85
PID 4044 wrote to memory of 1320	4044	x3231893.exe	86
PID 4044 wrote to memory of 1320	4044	x3231893.exe	86
PID 4044 wrote to memory of 1320	4044	x3231893.exe	86
PID 1320 wrote to memory of 1800	1320	x3633049.exe	87
PID 1320 wrote to memory of 1800	1320	x3633049.exe	87
PID 1320 wrote to memory of 1800	1320	x3633049.exe	87
PID 1800 wrote to memory of 4840	1800	x1193534.exe	88
PID 1800 wrote to memory of 4840	1800	x1193534.exe	88
PID 1800 wrote to memory of 4840	1800	x1193534.exe	88
PID 4840 wrote to memory of 2944	4840	g1784005.exe	90
PID 4840 wrote to memory of 2944	4840	g1784005.exe	90
PID 4840 wrote to memory of 2944	4840	g1784005.exe	90
PID 4840 wrote to memory of 2944	4840	g1784005.exe	90
PID 4840 wrote to memory of 2944	4840	g1784005.exe	90
PID 4840 wrote to memory of 2944	4840	g1784005.exe	90
PID 4840 wrote to memory of 2944	4840	g1784005.exe	90
PID 4840 wrote to memory of 2944	4840	g1784005.exe	90
PID 4840 wrote to memory of 2944	4840	g1784005.exe	90
PID 4840 wrote to memory of 2944	4840	g1784005.exe	90
PID 1800 wrote to memory of 1224	1800	x1193534.exe	98
PID 1800 wrote to memory of 1224	1800	x1193534.exe	98
PID 1800 wrote to memory of 1224	1800	x1193534.exe	98

C:\Users\Admin\AppData\Local\Temp\18f4893f8dbb1717b4685c8646f90554.exe
"C:\Users\Admin\AppData\Local\Temp\18f4893f8dbb1717b4685c8646f90554.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4364
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3231893.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3231893.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4044
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3633049.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3633049.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1320
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x1193534.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x1193534.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1800
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g1784005.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g1784005.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4840
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2944 -s 540
        7⤵
        Program crash
        
        PID:1720
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4840 -s 148
        6⤵
        Program crash
        
        PID:5068
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h2646308.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h2646308.exe
        5⤵
        Executes dropped EXE
        
        PID:1224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4840 -ip 4840
1⤵
PID:1988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2944 -ip 2944
1⤵
PID:4212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3231893.exe

Filesize
809KB

MD5
0cca24a85d4e1d433b65157e1638b1e0

SHA1
4d844bc59f4f50ab68ba44e6a85076b33f72494f

SHA256
d1dffa4519071978a0147eb8621e8ff8ccd6ae68b94d4d49fb25506578f587f2

SHA512
c0c8fcf672d2d7301b2d44081c1916d25499b2305e65529a508cd7cc79f88394cd3223a39db64666be1ab5b00fafca26bbab564013ded0d7ab5ea84b00650f7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3231893.exe

Filesize
809KB

MD5
0cca24a85d4e1d433b65157e1638b1e0

SHA1
4d844bc59f4f50ab68ba44e6a85076b33f72494f

SHA256
d1dffa4519071978a0147eb8621e8ff8ccd6ae68b94d4d49fb25506578f587f2

SHA512
c0c8fcf672d2d7301b2d44081c1916d25499b2305e65529a508cd7cc79f88394cd3223a39db64666be1ab5b00fafca26bbab564013ded0d7ab5ea84b00650f7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3633049.exe

Filesize
547KB

MD5
c400732d7254fcee98f7e43c998c7a1e

SHA1
c41148f05060ad18d566d39676fc6b7ebfff640a

SHA256
e040ae2fca7e2ea9304b3c12a658039cf2e648cea86fbbdfad8bc9a213fda05d

SHA512
17a9f2a27d7ad607f1d5d6571fd80f897ac4a5148ae7f815993c18621bc8e04013a7df6ff9a56d577560719bf4f8f9120cf984f6d8dbd27c06cf3d653bc6a9a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3633049.exe

Filesize
547KB

MD5
c400732d7254fcee98f7e43c998c7a1e

SHA1
c41148f05060ad18d566d39676fc6b7ebfff640a

SHA256
e040ae2fca7e2ea9304b3c12a658039cf2e648cea86fbbdfad8bc9a213fda05d

SHA512
17a9f2a27d7ad607f1d5d6571fd80f897ac4a5148ae7f815993c18621bc8e04013a7df6ff9a56d577560719bf4f8f9120cf984f6d8dbd27c06cf3d653bc6a9a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x1193534.exe

Filesize
381KB

MD5
285633b24c1bac35ef6930a810d73473

SHA1
0d153fa35e97625fe2f127d0ec1735f7efa5d429

SHA256
15d060d87c203db2e0b3231300c4abf313d4731baca0fbe23d0b169dab1f5d90

SHA512
fcf5f0271523436aa65211a0e1c372b949123300d54e8022e59a24f61cc816d127ce5b7fb15863a837bec1fafa7d6cd29a5d0600e6e8bd7c7fdb1430c3fbb6c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x1193534.exe

Filesize
381KB

MD5
285633b24c1bac35ef6930a810d73473

SHA1
0d153fa35e97625fe2f127d0ec1735f7efa5d429

SHA256
15d060d87c203db2e0b3231300c4abf313d4731baca0fbe23d0b169dab1f5d90

SHA512
fcf5f0271523436aa65211a0e1c372b949123300d54e8022e59a24f61cc816d127ce5b7fb15863a837bec1fafa7d6cd29a5d0600e6e8bd7c7fdb1430c3fbb6c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g1784005.exe

Filesize
346KB

MD5
01dbf0ecf0b14d8b37049c1f0565cdaa

SHA1
25d73d8f5dafd39ad8d0ec80043185a664ea2f42

SHA256
4ff0306568559b1bd6045e0a9dc9c765eba34fce2bfdd29a62c6c15ae8fc8a6b

SHA512
471c498c8250e62b8b03a5ddeccf3c9d1a35dd6349aeab272226cdf46f820fe3d1cb5730e56b54a22f97549fe4a2104abf0f6d368ce5a9d95847463e539b0f75

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g1784005.exe

Filesize
346KB

MD5
01dbf0ecf0b14d8b37049c1f0565cdaa

SHA1
25d73d8f5dafd39ad8d0ec80043185a664ea2f42

SHA256
4ff0306568559b1bd6045e0a9dc9c765eba34fce2bfdd29a62c6c15ae8fc8a6b

SHA512
471c498c8250e62b8b03a5ddeccf3c9d1a35dd6349aeab272226cdf46f820fe3d1cb5730e56b54a22f97549fe4a2104abf0f6d368ce5a9d95847463e539b0f75

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h2646308.exe

Filesize
174KB

MD5
c6b2a51256937abd550f0e69d09c9d31

SHA1
ccf34846fc08d1e441fe357f0bc139dd19c37806

SHA256
89199564a91bdcec7b1090c3be8f30bdd1030992b974c421e8d7d945c42c7e6e

SHA512
221ea95f542a64d81db2b84fb7abd0bbe8ebe9a9c0658a40a6e2bb9ad7990b53ff3933b85b5b3439615226fc59ce1bcdda3da2aa0684ecdd5bb51b7a5b7b3895

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h2646308.exe

Filesize
174KB

MD5
c6b2a51256937abd550f0e69d09c9d31

SHA1
ccf34846fc08d1e441fe357f0bc139dd19c37806

SHA256
89199564a91bdcec7b1090c3be8f30bdd1030992b974c421e8d7d945c42c7e6e

SHA512
221ea95f542a64d81db2b84fb7abd0bbe8ebe9a9c0658a40a6e2bb9ad7990b53ff3933b85b5b3439615226fc59ce1bcdda3da2aa0684ecdd5bb51b7a5b7b3895

Download Submit
memory/1224-39-0x00000000749D0000-0x0000000075180000-memory.dmp

Filesize
7.7MB

Download
memory/1224-42-0x0000000005640000-0x0000000005650000-memory.dmp

Filesize
64KB

Download
memory/1224-46-0x0000000005BB0000-0x0000000005BFC000-memory.dmp

Filesize
304KB

Download
memory/1224-45-0x0000000005640000-0x0000000005650000-memory.dmp

Filesize
64KB

Download
memory/1224-36-0x00000000749D0000-0x0000000075180000-memory.dmp

Filesize
7.7MB

Download
memory/1224-37-0x0000000000CB0000-0x0000000000CE0000-memory.dmp

Filesize
192KB

Download
memory/1224-44-0x0000000005A60000-0x0000000005A9C000-memory.dmp

Filesize
240KB

Download
memory/1224-40-0x0000000005D70000-0x0000000006388000-memory.dmp

Filesize
6.1MB

Download
memory/1224-38-0x0000000003000000-0x0000000003006000-memory.dmp

Filesize
24KB

Download
memory/1224-41-0x0000000005750000-0x000000000585A000-memory.dmp

Filesize
1.0MB

Download
memory/1224-43-0x0000000005580000-0x0000000005592000-memory.dmp

Filesize
72KB

Download
memory/2944-32-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2944-29-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2944-30-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2944-28-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads