mystic | d260b91a13a881b6013c9956842f2943e567f964a9107e4ce3a900094caca5e6

Analysis

max time kernel
172s
max time network
187s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
21-10-2023 21:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.30b1d024147aa37722a8a7ce9a1e9570.exe
Size

1.1MB
MD5

30b1d024147aa37722a8a7ce9a1e9570
SHA1

d0d43285720b4891bdefce6d1118f928ae7f6104
SHA256

d260b91a13a881b6013c9956842f2943e567f964a9107e4ce3a900094caca5e6
SHA512

54c3eb8007a1297dfaac748e00baa622ac332a3471abe1ea8f45abb3d57ba781f6a4f056acb3ca6a144e423713e840d6cbfa8fce9ca203c92ed4531dfed90d61
SSDEEP

24576:hfyJh/lbJy3QxNjeHQGNCGDGgM4O9/QmZPGyz56gQQXQC9:IpbJJutN7DBM7lPZ/or

Score

10^/10

mystic redline lutyr infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

lutyr

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4808-28-0x0000000000400000-0x0000000000433000-memory.dmp	family_mystic
behavioral2/memory/4808-29-0x0000000000400000-0x0000000000433000-memory.dmp	family_mystic
behavioral2/memory/4808-30-0x0000000000400000-0x0000000000433000-memory.dmp	family_mystic
behavioral2/memory/4808-32-0x0000000000400000-0x0000000000433000-memory.dmp	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2GF834dy.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2GF834dy.exe	family_redline
behavioral2/memory/2572-37-0x00000000002F0000-0x000000000032E000-memory.dmp	family_redline

Executes dropped EXE 5 IoCs

Processes:

ow7vx3aI.exeVu5Po2Oe.exeiS9Ud0nM.exe1Qx86ey7.exe2GF834dy.exe

pid process

232 ow7vx3aI.exe
3544 Vu5Po2Oe.exe
3216 iS9Ud0nM.exe
5016 1Qx86ey7.exe
2572 2GF834dy.exe

pid	process
232	ow7vx3aI.exe
3544	Vu5Po2Oe.exe
3216	iS9Ud0nM.exe
5016	1Qx86ey7.exe
2572	2GF834dy.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

NEAS.30b1d024147aa37722a8a7ce9a1e9570.exeow7vx3aI.exeVu5Po2Oe.exeiS9Ud0nM.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	NEAS.30b1d024147aa37722a8a7ce9a1e9570.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	ow7vx3aI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Vu5Po2Oe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	iS9Ud0nM.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

1Qx86ey7.exe

description pid process target process

PID 5016 set thread context of 4808 5016 1Qx86ey7.exe AppLaunch.exe
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2924 5016 WerFault.exe 1Qx86ey7.exe
2896 4808 WerFault.exe AppLaunch.exe

description	pid	process	target process
PID 5016 set thread context of 4808	5016	1Qx86ey7.exe	AppLaunch.exe

pid	pid_target	process	target process
2924	5016	WerFault.exe	1Qx86ey7.exe
2896	4808	WerFault.exe	AppLaunch.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

NEAS.30b1d024147aa37722a8a7ce9a1e9570.exeow7vx3aI.exeVu5Po2Oe.exeiS9Ud0nM.exe1Qx86ey7.exe

description	pid	process	target process
PID 4452 wrote to memory of 232	4452	NEAS.30b1d024147aa37722a8a7ce9a1e9570.exe	ow7vx3aI.exe
PID 4452 wrote to memory of 232	4452	NEAS.30b1d024147aa37722a8a7ce9a1e9570.exe	ow7vx3aI.exe
PID 4452 wrote to memory of 232	4452	NEAS.30b1d024147aa37722a8a7ce9a1e9570.exe	ow7vx3aI.exe
PID 232 wrote to memory of 3544	232	ow7vx3aI.exe	Vu5Po2Oe.exe
PID 232 wrote to memory of 3544	232	ow7vx3aI.exe	Vu5Po2Oe.exe
PID 232 wrote to memory of 3544	232	ow7vx3aI.exe	Vu5Po2Oe.exe
PID 3544 wrote to memory of 3216	3544	Vu5Po2Oe.exe	iS9Ud0nM.exe
PID 3544 wrote to memory of 3216	3544	Vu5Po2Oe.exe	iS9Ud0nM.exe
PID 3544 wrote to memory of 3216	3544	Vu5Po2Oe.exe	iS9Ud0nM.exe
PID 3216 wrote to memory of 5016	3216	iS9Ud0nM.exe	1Qx86ey7.exe
PID 3216 wrote to memory of 5016	3216	iS9Ud0nM.exe	1Qx86ey7.exe
PID 3216 wrote to memory of 5016	3216	iS9Ud0nM.exe	1Qx86ey7.exe
PID 5016 wrote to memory of 4808	5016	1Qx86ey7.exe	AppLaunch.exe
PID 5016 wrote to memory of 4808	5016	1Qx86ey7.exe	AppLaunch.exe
PID 5016 wrote to memory of 4808	5016	1Qx86ey7.exe	AppLaunch.exe
PID 5016 wrote to memory of 4808	5016	1Qx86ey7.exe	AppLaunch.exe
PID 5016 wrote to memory of 4808	5016	1Qx86ey7.exe	AppLaunch.exe
PID 5016 wrote to memory of 4808	5016	1Qx86ey7.exe	AppLaunch.exe
PID 5016 wrote to memory of 4808	5016	1Qx86ey7.exe	AppLaunch.exe
PID 5016 wrote to memory of 4808	5016	1Qx86ey7.exe	AppLaunch.exe
PID 5016 wrote to memory of 4808	5016	1Qx86ey7.exe	AppLaunch.exe
PID 5016 wrote to memory of 4808	5016	1Qx86ey7.exe	AppLaunch.exe
PID 3216 wrote to memory of 2572	3216	iS9Ud0nM.exe	2GF834dy.exe
PID 3216 wrote to memory of 2572	3216	iS9Ud0nM.exe	2GF834dy.exe
PID 3216 wrote to memory of 2572	3216	iS9Ud0nM.exe	2GF834dy.exe

C:\Users\Admin\AppData\Local\Temp\NEAS.30b1d024147aa37722a8a7ce9a1e9570.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.30b1d024147aa37722a8a7ce9a1e9570.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4452

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ow7vx3aI.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ow7vx3aI.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:232

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Vu5Po2Oe.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Vu5Po2Oe.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3544

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\iS9Ud0nM.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\iS9Ud0nM.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3216

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Qx86ey7.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Qx86ey7.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5016

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
6⤵
PID:4808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4808 -s 540
7⤵
- Program crash
PID:2896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5016 -s 236
6⤵
- Program crash
PID:2924

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2GF834dy.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2GF834dy.exe
5⤵
- Executes dropped EXE
PID:2572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 5016 -ip 5016
1⤵
PID:5020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4808 -ip 4808
1⤵
PID:3044

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ow7vx3aI.exe
Filesize
936KB

MD5
77ff7e83375074c4d0bc85202b4e7be0

SHA1
4c7b4438017b056331abe84479393177cebd00ec

SHA256
122d299be58fe5b4b3fb06b491d50461ca02e4eb8f710de840e47178d5866d10

SHA512
e80e67d2094a4f77780dfc6a0873880910188e057706f16bc8c5a60399bd4292c41b1fbd9be6b0a75a346166d4ff7b13a42a6d68cf2077e755f4b3f152419910

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ow7vx3aI.exe
Filesize
936KB

MD5
77ff7e83375074c4d0bc85202b4e7be0

SHA1
4c7b4438017b056331abe84479393177cebd00ec

SHA256
122d299be58fe5b4b3fb06b491d50461ca02e4eb8f710de840e47178d5866d10

SHA512
e80e67d2094a4f77780dfc6a0873880910188e057706f16bc8c5a60399bd4292c41b1fbd9be6b0a75a346166d4ff7b13a42a6d68cf2077e755f4b3f152419910

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Vu5Po2Oe.exe
Filesize
641KB

MD5
33866bf56942e84402d6065c392c3f08

SHA1
66cc530ac4ee632704b4cf103676543066e9b953

SHA256
5e089291756e2d75947c01a743a0668be834a337934ab2794324c460395a2aff

SHA512
d90e41e22748a8c70213a85d826611e361bb5e888b3cbc295aebf6380194a75d3ddb1d40362a5b25b6c487e03e2932d7a7f2cb1f0964341f5b236bbb1a14f5c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Vu5Po2Oe.exe
Filesize
641KB

MD5
33866bf56942e84402d6065c392c3f08

SHA1
66cc530ac4ee632704b4cf103676543066e9b953

SHA256
5e089291756e2d75947c01a743a0668be834a337934ab2794324c460395a2aff

SHA512
d90e41e22748a8c70213a85d826611e361bb5e888b3cbc295aebf6380194a75d3ddb1d40362a5b25b6c487e03e2932d7a7f2cb1f0964341f5b236bbb1a14f5c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\iS9Ud0nM.exe
Filesize
444KB

MD5
16605f65d5ab8197b766a1cbe6aa5096

SHA1
09fab68d3bd0a1fad0655af0653ca9a8a6587b9f

SHA256
99a532ef73e312636a9804a1a00337d073852594266e4deca22033d3363fa105

SHA512
88ae224bf86c50fe0db3d2c7154cc865db77c2d810c6e5402f4b7e01393a0bda1c44d7047172954cf24283e373349ff75f23beda4d711054a95a3f04ecece3c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\iS9Ud0nM.exe
Filesize
444KB

MD5
16605f65d5ab8197b766a1cbe6aa5096

SHA1
09fab68d3bd0a1fad0655af0653ca9a8a6587b9f

SHA256
99a532ef73e312636a9804a1a00337d073852594266e4deca22033d3363fa105

SHA512
88ae224bf86c50fe0db3d2c7154cc865db77c2d810c6e5402f4b7e01393a0bda1c44d7047172954cf24283e373349ff75f23beda4d711054a95a3f04ecece3c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Qx86ey7.exe
Filesize
423KB

MD5
a1166e4a80d05011bcfefe57d8a57260

SHA1
9ea8719cbcc5414d257670f82edd0e9a70a0c0af

SHA256
7ab72b7260c23375f014efebb6f93dd5cec449a701a1803809b9a5d7f2e3d866

SHA512
48b4290b3b437b2216728e1e3c5d31813a062ca94c907eaf991d0ddb83574c633bf7b1ab5ab99a921ac7884321d5db795db8904a64fd373bfa258b62c0383961

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Qx86ey7.exe
Filesize
423KB

MD5
a1166e4a80d05011bcfefe57d8a57260

SHA1
9ea8719cbcc5414d257670f82edd0e9a70a0c0af

SHA256
7ab72b7260c23375f014efebb6f93dd5cec449a701a1803809b9a5d7f2e3d866

SHA512
48b4290b3b437b2216728e1e3c5d31813a062ca94c907eaf991d0ddb83574c633bf7b1ab5ab99a921ac7884321d5db795db8904a64fd373bfa258b62c0383961

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2GF834dy.exe
Filesize
221KB

MD5
02e94efff7dd22bb9fa6a029bba1de76

SHA1
64e79892f4b6f28ba03f7764e9f7dbb1523a1bf2

SHA256
568c211e421e41c7db6809bdc93d909bd4b90cc33d0327b7a85950e965d3f300

SHA512
484e0be7fe97db495958c63ea3ed5f157cec75fd6e6c5a3cb5d8f7bd618c6285d320aea4d9c30b5c0e5c5ffc6026a3c4a6ef658fd073a7388c0601a2d604aaa3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2GF834dy.exe
Filesize
221KB

MD5
02e94efff7dd22bb9fa6a029bba1de76

SHA1
64e79892f4b6f28ba03f7764e9f7dbb1523a1bf2

SHA256
568c211e421e41c7db6809bdc93d909bd4b90cc33d0327b7a85950e965d3f300

SHA512
484e0be7fe97db495958c63ea3ed5f157cec75fd6e6c5a3cb5d8f7bd618c6285d320aea4d9c30b5c0e5c5ffc6026a3c4a6ef658fd073a7388c0601a2d604aaa3

Download Submit
memory/2572-39-0x0000000007250000-0x00000000072E2000-memory.dmp

Filesize
584KB

Download
memory/2572-36-0x0000000074760000-0x0000000074F10000-memory.dmp

Filesize
7.7MB

Download
memory/2572-40-0x0000000007490000-0x00000000074A0000-memory.dmp

Filesize
64KB

Download
memory/2572-48-0x0000000007490000-0x00000000074A0000-memory.dmp

Filesize
64KB

Download
memory/2572-41-0x0000000007210000-0x000000000721A000-memory.dmp

Filesize
40KB

Download
memory/2572-37-0x00000000002F0000-0x000000000032E000-memory.dmp

Filesize
248KB

Download
memory/2572-38-0x0000000007760000-0x0000000007D04000-memory.dmp

Filesize
5.6MB

Download
memory/2572-42-0x0000000074760000-0x0000000074F10000-memory.dmp

Filesize
7.7MB

Download
memory/2572-47-0x0000000007540000-0x000000000758C000-memory.dmp

Filesize
304KB

Download
memory/2572-46-0x0000000007500000-0x000000000753C000-memory.dmp

Filesize
240KB

Download
memory/2572-45-0x00000000074A0000-0x00000000074B2000-memory.dmp

Filesize
72KB

Download
memory/2572-43-0x0000000008330000-0x0000000008948000-memory.dmp

Filesize
6.1MB

Download
memory/2572-44-0x00000000075B0000-0x00000000076BA000-memory.dmp

Filesize
1.0MB

Download
memory/4808-29-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4808-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4808-28-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4808-30-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download