mystic | f2f14e6530afa877205e78cd8d60eb1594a3607fad77fe66135005e257325ef3

Analysis

max time kernel
145s
max time network
168s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2023, 12:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a8cf19247877aa7c2491171cdccd5230.exe
Size

942KB
MD5

a8cf19247877aa7c2491171cdccd5230
SHA1

eb8a9375ce6791ec03609ff8bce01ec6a8f0bcd3
SHA256

f2f14e6530afa877205e78cd8d60eb1594a3607fad77fe66135005e257325ef3
SHA512

9fd99b5d5ad81d1f04f23ad9ffa4493af64985ea9e079005bbd73667c013b449d098a0f5e9c2217fe9434312e22a56ad08a6791f2976553ebff240c3412b5f35
SSDEEP

24576:FypHxujvHbJAd/MhaXnJyzJP33jr3Lfk8:gCbHbJuMhMnuJT

Score

10^/10

mystic redline luate infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

luate

77.91.124.55:19071

Attributes

auth_value
e45cd419aba6c9d372088ffe5629308b

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral2/memory/1164-29-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/1164-30-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/1164-28-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/1164-32-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
1112	x4122673.exe
2532	x2426218.exe
5000	x4070711.exe
312	g6192356.exe
2020	h4374245.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a8cf19247877aa7c2491171cdccd5230.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x4122673.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x2426218.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x4070711.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 312 set thread context of 1164	312	g6192356.exe	91

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1804	1164	WerFault.exe	91
4964	312	WerFault.exe	89

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2660 wrote to memory of 1112	2660	a8cf19247877aa7c2491171cdccd5230.exe	86
PID 2660 wrote to memory of 1112	2660	a8cf19247877aa7c2491171cdccd5230.exe	86
PID 2660 wrote to memory of 1112	2660	a8cf19247877aa7c2491171cdccd5230.exe	86
PID 1112 wrote to memory of 2532	1112	x4122673.exe	87
PID 1112 wrote to memory of 2532	1112	x4122673.exe	87
PID 1112 wrote to memory of 2532	1112	x4122673.exe	87
PID 2532 wrote to memory of 5000	2532	x2426218.exe	88
PID 2532 wrote to memory of 5000	2532	x2426218.exe	88
PID 2532 wrote to memory of 5000	2532	x2426218.exe	88
PID 5000 wrote to memory of 312	5000	x4070711.exe	89
PID 5000 wrote to memory of 312	5000	x4070711.exe	89
PID 5000 wrote to memory of 312	5000	x4070711.exe	89
PID 312 wrote to memory of 2668	312	g6192356.exe	90
PID 312 wrote to memory of 2668	312	g6192356.exe	90
PID 312 wrote to memory of 2668	312	g6192356.exe	90
PID 312 wrote to memory of 1164	312	g6192356.exe	91
PID 312 wrote to memory of 1164	312	g6192356.exe	91
PID 312 wrote to memory of 1164	312	g6192356.exe	91
PID 312 wrote to memory of 1164	312	g6192356.exe	91
PID 312 wrote to memory of 1164	312	g6192356.exe	91
PID 312 wrote to memory of 1164	312	g6192356.exe	91
PID 312 wrote to memory of 1164	312	g6192356.exe	91
PID 312 wrote to memory of 1164	312	g6192356.exe	91
PID 312 wrote to memory of 1164	312	g6192356.exe	91
PID 312 wrote to memory of 1164	312	g6192356.exe	91
PID 5000 wrote to memory of 2020	5000	x4070711.exe	98
PID 5000 wrote to memory of 2020	5000	x4070711.exe	98
PID 5000 wrote to memory of 2020	5000	x4070711.exe	98

C:\Users\Admin\AppData\Local\Temp\a8cf19247877aa7c2491171cdccd5230.exe
"C:\Users\Admin\AppData\Local\Temp\a8cf19247877aa7c2491171cdccd5230.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2660
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4122673.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4122673.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1112
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2426218.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2426218.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2532
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x4070711.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x4070711.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:5000
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g6192356.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g6192356.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:312
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:2668
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1164 -s 540
        7⤵
        Program crash
        
        PID:1804
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 312 -s 584
        6⤵
        Program crash
        
        PID:4964
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h4374245.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h4374245.exe
        5⤵
        Executes dropped EXE
        
        PID:2020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 312 -ip 312
1⤵
PID:4896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1164 -ip 1164
1⤵
PID:1412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4122673.exe

Filesize
840KB

MD5
8a3d5810c1af9616c70c3ff4c26a971c

SHA1
7a2f12e067bdcac8ea528e5f85ff37f65b7f9aa3

SHA256
30c1ddc7a3c156c3c3666d0158bae67974d4962688089803ac8ade9482670f1a

SHA512
a4045430d46524a66aea66e958c1e58921b0c5add4c3a2edb39354e84587f24c732b76fff5f43e4cef99256a239ec4b07a13a833a159a51cde5f163f7bb9d98f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4122673.exe

Filesize
840KB

MD5
8a3d5810c1af9616c70c3ff4c26a971c

SHA1
7a2f12e067bdcac8ea528e5f85ff37f65b7f9aa3

SHA256
30c1ddc7a3c156c3c3666d0158bae67974d4962688089803ac8ade9482670f1a

SHA512
a4045430d46524a66aea66e958c1e58921b0c5add4c3a2edb39354e84587f24c732b76fff5f43e4cef99256a239ec4b07a13a833a159a51cde5f163f7bb9d98f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2426218.exe

Filesize
562KB

MD5
ae1336013144644dad2d5c389b3b8a3e

SHA1
b19ac959e3eadee52bee13b26c387b6a47465f76

SHA256
f9d3696b656285663221a1804616dfcdb8ed30aee7735990e717849bc3c9662e

SHA512
7810bccd6368967a1bd90117be267387740c54388407a08bd8672b9a9908336a540963452db3465de94c68f3e29a76ef8d957cd628c0747de163c1c66b568d93

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2426218.exe

Filesize
562KB

MD5
ae1336013144644dad2d5c389b3b8a3e

SHA1
b19ac959e3eadee52bee13b26c387b6a47465f76

SHA256
f9d3696b656285663221a1804616dfcdb8ed30aee7735990e717849bc3c9662e

SHA512
7810bccd6368967a1bd90117be267387740c54388407a08bd8672b9a9908336a540963452db3465de94c68f3e29a76ef8d957cd628c0747de163c1c66b568d93

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x4070711.exe

Filesize
396KB

MD5
40ff098803c4a11a28f27fb954c774ba

SHA1
a77a759cb697889a02b418da4e5baaafba0bec63

SHA256
1b2ead1cf52f23c364324d4754377f5ac2ba0f09372f290989de504d33074ede

SHA512
c91cc08f614ea2364536ab687faa2f4f7fdbedbfd83988af38d45a2b7f3bc6a5e8bba4e12ee82bd261372ec971ca21893459f9c792470fe575d93a4f577ed742

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x4070711.exe

Filesize
396KB

MD5
40ff098803c4a11a28f27fb954c774ba

SHA1
a77a759cb697889a02b418da4e5baaafba0bec63

SHA256
1b2ead1cf52f23c364324d4754377f5ac2ba0f09372f290989de504d33074ede

SHA512
c91cc08f614ea2364536ab687faa2f4f7fdbedbfd83988af38d45a2b7f3bc6a5e8bba4e12ee82bd261372ec971ca21893459f9c792470fe575d93a4f577ed742

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g6192356.exe

Filesize
379KB

MD5
53ce048636c37ef62829feabdc39cf20

SHA1
98d3b91379bad6685e3466c8eda6d9b6fb6150a0

SHA256
b6fc1741666c55a9cc1087bc9c01a412e715f713120ed5195913c466b5c4f35b

SHA512
0a486cb8ff18eedffc0e4d8968dc9ba467ba7318d55f997b7884c582d7c63758881767d6f974ece91036d41b06ead4a5036012272a9a7f0db9874abe0ae0ec08

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g6192356.exe

Filesize
379KB

MD5
53ce048636c37ef62829feabdc39cf20

SHA1
98d3b91379bad6685e3466c8eda6d9b6fb6150a0

SHA256
b6fc1741666c55a9cc1087bc9c01a412e715f713120ed5195913c466b5c4f35b

SHA512
0a486cb8ff18eedffc0e4d8968dc9ba467ba7318d55f997b7884c582d7c63758881767d6f974ece91036d41b06ead4a5036012272a9a7f0db9874abe0ae0ec08

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h4374245.exe

Filesize
174KB

MD5
f331d14c65d45b9c8a35e7f1661c7422

SHA1
4999a280282a8853a0c3e0303394edb2d4711d6e

SHA256
ee357c5f1c804bfd935bcb95267e7e96d3a0ca89ca88aa8bcffdb1fed360d23a

SHA512
6e35a3f29688de8b796ecfdb83074c8b565a2efdb72336e944a383caf70cf4e8adb9e57851c7cc5eafebdfab6d29da80a8057e922d90edf8ac80a1f568ff1214

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h4374245.exe

Filesize
174KB

MD5
f331d14c65d45b9c8a35e7f1661c7422

SHA1
4999a280282a8853a0c3e0303394edb2d4711d6e

SHA256
ee357c5f1c804bfd935bcb95267e7e96d3a0ca89ca88aa8bcffdb1fed360d23a

SHA512
6e35a3f29688de8b796ecfdb83074c8b565a2efdb72336e944a383caf70cf4e8adb9e57851c7cc5eafebdfab6d29da80a8057e922d90edf8ac80a1f568ff1214

Download Submit
memory/1164-30-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1164-28-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1164-32-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1164-29-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2020-39-0x0000000005260000-0x0000000005878000-memory.dmp

Filesize
6.1MB

Download
memory/2020-37-0x00000000742C0000-0x0000000074A70000-memory.dmp

Filesize
7.7MB

Download
memory/2020-38-0x0000000002470000-0x0000000002476000-memory.dmp

Filesize
24KB

Download
memory/2020-36-0x0000000000210000-0x0000000000240000-memory.dmp

Filesize
192KB

Download
memory/2020-40-0x0000000004DA0000-0x0000000004EAA000-memory.dmp

Filesize
1.0MB

Download
memory/2020-41-0x0000000004B30000-0x0000000004B40000-memory.dmp

Filesize
64KB

Download
memory/2020-42-0x0000000004CE0000-0x0000000004CF2000-memory.dmp

Filesize
72KB

Download
memory/2020-43-0x0000000004D40000-0x0000000004D7C000-memory.dmp

Filesize
240KB

Download
memory/2020-44-0x0000000004EB0000-0x0000000004EFC000-memory.dmp

Filesize
304KB

Download
memory/2020-45-0x00000000742C0000-0x0000000074A70000-memory.dmp

Filesize
7.7MB

Download
memory/2020-46-0x0000000004B30000-0x0000000004B40000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads