mystic | 8445a1735f8a4bcbb8dc692a63e96b516afc7f4632ac63689f7cdde2aa8de329

General

Target

NEAS.37e556cc6b44a626b018f8688bda06a0_JC.exe
Size

934KB
MD5

37e556cc6b44a626b018f8688bda06a0
SHA1

eadbabad68cd9ef1f60bf1878637910027ce2435
SHA256

8445a1735f8a4bcbb8dc692a63e96b516afc7f4632ac63689f7cdde2aa8de329
SHA512

e7da4ef2d75023b3e978c619e0bcfda34f9bb2bde34f4046c842e43b09fff6e6ca1b097f77b06d0edc864dd56d21d892ff99af04b4282f0724134999c8b83912
SSDEEP

24576:6yZychi6MZCxusOMPdeNn7oNQVaraOIk3:BZycYZzCkn52I

Score

10^/10

mystic redline lutyr infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

lutyr

C2

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2372-21-0x0000000000400000-0x0000000000433000-memory.dmp	family_mystic
behavioral1/memory/2372-22-0x0000000000400000-0x0000000000433000-memory.dmp	family_mystic
behavioral1/memory/2372-23-0x0000000000400000-0x0000000000433000-memory.dmp	family_mystic
behavioral1/memory/2372-25-0x0000000000400000-0x0000000000433000-memory.dmp	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2oA495HX.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2oA495HX.exe	family_redline
behavioral1/memory/1948-29-0x0000000000920000-0x000000000095E000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

Processes:

ZL1db4Lc.exeaQ3So0Ib.exe1Xn79dd1.exe2oA495HX.exe

pid process

2120 ZL1db4Lc.exe
3088 aQ3So0Ib.exe
1980 1Xn79dd1.exe
1948 2oA495HX.exe

pid	process
2120	ZL1db4Lc.exe
3088	aQ3So0Ib.exe
1980	1Xn79dd1.exe
1948	2oA495HX.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

aQ3So0Ib.exeNEAS.37e556cc6b44a626b018f8688bda06a0_JC.exeZL1db4Lc.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	aQ3So0Ib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	NEAS.37e556cc6b44a626b018f8688bda06a0_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	ZL1db4Lc.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

1Xn79dd1.exe

description pid process target process

PID 1980 set thread context of 2372 1980 1Xn79dd1.exe AppLaunch.exe
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3788 2372 WerFault.exe AppLaunch.exe
1076 1980 WerFault.exe 1Xn79dd1.exe

description	pid	process	target process
PID 1980 set thread context of 2372	1980	1Xn79dd1.exe	AppLaunch.exe

pid	pid_target	process	target process
3788	2372	WerFault.exe	AppLaunch.exe
1076	1980	WerFault.exe	1Xn79dd1.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

NEAS.37e556cc6b44a626b018f8688bda06a0_JC.exeZL1db4Lc.exeaQ3So0Ib.exe1Xn79dd1.exe

description	pid	process	target process
PID 3616 wrote to memory of 2120	3616	NEAS.37e556cc6b44a626b018f8688bda06a0_JC.exe	ZL1db4Lc.exe
PID 3616 wrote to memory of 2120	3616	NEAS.37e556cc6b44a626b018f8688bda06a0_JC.exe	ZL1db4Lc.exe
PID 3616 wrote to memory of 2120	3616	NEAS.37e556cc6b44a626b018f8688bda06a0_JC.exe	ZL1db4Lc.exe
PID 2120 wrote to memory of 3088	2120	ZL1db4Lc.exe	aQ3So0Ib.exe
PID 2120 wrote to memory of 3088	2120	ZL1db4Lc.exe	aQ3So0Ib.exe
PID 2120 wrote to memory of 3088	2120	ZL1db4Lc.exe	aQ3So0Ib.exe
PID 3088 wrote to memory of 1980	3088	aQ3So0Ib.exe	1Xn79dd1.exe
PID 3088 wrote to memory of 1980	3088	aQ3So0Ib.exe	1Xn79dd1.exe
PID 3088 wrote to memory of 1980	3088	aQ3So0Ib.exe	1Xn79dd1.exe
PID 1980 wrote to memory of 2372	1980	1Xn79dd1.exe	AppLaunch.exe
PID 1980 wrote to memory of 2372	1980	1Xn79dd1.exe	AppLaunch.exe
PID 1980 wrote to memory of 2372	1980	1Xn79dd1.exe	AppLaunch.exe
PID 1980 wrote to memory of 2372	1980	1Xn79dd1.exe	AppLaunch.exe
PID 1980 wrote to memory of 2372	1980	1Xn79dd1.exe	AppLaunch.exe
PID 1980 wrote to memory of 2372	1980	1Xn79dd1.exe	AppLaunch.exe
PID 1980 wrote to memory of 2372	1980	1Xn79dd1.exe	AppLaunch.exe
PID 1980 wrote to memory of 2372	1980	1Xn79dd1.exe	AppLaunch.exe
PID 1980 wrote to memory of 2372	1980	1Xn79dd1.exe	AppLaunch.exe
PID 1980 wrote to memory of 2372	1980	1Xn79dd1.exe	AppLaunch.exe
PID 3088 wrote to memory of 1948	3088	aQ3So0Ib.exe	2oA495HX.exe
PID 3088 wrote to memory of 1948	3088	aQ3So0Ib.exe	2oA495HX.exe
PID 3088 wrote to memory of 1948	3088	aQ3So0Ib.exe	2oA495HX.exe

C:\Users\Admin\AppData\Local\Temp\NEAS.37e556cc6b44a626b018f8688bda06a0_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.37e556cc6b44a626b018f8688bda06a0_JC.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3616

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ZL1db4Lc.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ZL1db4Lc.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2120

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\aQ3So0Ib.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\aQ3So0Ib.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3088

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Xn79dd1.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Xn79dd1.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1980

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
5⤵
PID:2372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2372 -s 540
6⤵
- Program crash
PID:3788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1980 -s 592
5⤵
- Program crash
PID:1076

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2oA495HX.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2oA495HX.exe
4⤵
- Executes dropped EXE
PID:1948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1980 -ip 1980
1⤵
PID:1900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2372 -ip 2372
1⤵
PID:3272

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ZL1db4Lc.exe
Filesize
639KB

MD5
cb0fa4adf1ece6fa6a1d23d7c421d23a

SHA1
9f1075100e17ed0c892e9794b021e2aaa2601d5b

SHA256
fbb5b8c8cb77cd99893e6b893f2bfe897666439b6292d4706196d3af928e7de7

SHA512
b3f77bfa62fd4224f102ff296b5e7fe2b2f3c81ad34a1d210883fa65a318bcdd0bf9027447e40c328e45ad96a90735b55921147c945e350837c47117d3fdd6dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ZL1db4Lc.exe
Filesize
639KB

MD5
cb0fa4adf1ece6fa6a1d23d7c421d23a

SHA1
9f1075100e17ed0c892e9794b021e2aaa2601d5b

SHA256
fbb5b8c8cb77cd99893e6b893f2bfe897666439b6292d4706196d3af928e7de7

SHA512
b3f77bfa62fd4224f102ff296b5e7fe2b2f3c81ad34a1d210883fa65a318bcdd0bf9027447e40c328e45ad96a90735b55921147c945e350837c47117d3fdd6dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\aQ3So0Ib.exe
Filesize
443KB

MD5
8ecdc622356f400a02bc8df3e87608c1

SHA1
f6c8508703ad917558c932dce0db0a956e5ba5f6

SHA256
7f97a4890eed703282f8f93c4d10b7fb6cc20a21fcf84810f0b7299a0a56b93f

SHA512
1c27c01110683de1e0999988f8b98384bbe77aa1a4d3baffc90053e1ff14177d06b1abfbf27b3133730a701b903bfc730adc88d796cde04f95b08dd4763512f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\aQ3So0Ib.exe
Filesize
443KB

MD5
8ecdc622356f400a02bc8df3e87608c1

SHA1
f6c8508703ad917558c932dce0db0a956e5ba5f6

SHA256
7f97a4890eed703282f8f93c4d10b7fb6cc20a21fcf84810f0b7299a0a56b93f

SHA512
1c27c01110683de1e0999988f8b98384bbe77aa1a4d3baffc90053e1ff14177d06b1abfbf27b3133730a701b903bfc730adc88d796cde04f95b08dd4763512f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Xn79dd1.exe
Filesize
422KB

MD5
5078f44dfb03614e6d3da53e467528e8

SHA1
a848b953595eacfc436bb782166897aff3557414

SHA256
2fea49e805daa9c87e0ab1060d6d457dba045864827ff041226a11e34a60d337

SHA512
f93431c215712b20cb20a9380174ac62289f04d0f4ade3cf6cb06d93bde72304ec1e605032736d3418635acda3f42def66d98d7165f84591db837feecc7456a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Xn79dd1.exe
Filesize
422KB

MD5
5078f44dfb03614e6d3da53e467528e8

SHA1
a848b953595eacfc436bb782166897aff3557414

SHA256
2fea49e805daa9c87e0ab1060d6d457dba045864827ff041226a11e34a60d337

SHA512
f93431c215712b20cb20a9380174ac62289f04d0f4ade3cf6cb06d93bde72304ec1e605032736d3418635acda3f42def66d98d7165f84591db837feecc7456a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2oA495HX.exe
Filesize
221KB

MD5
c24604bca103e8d343e8660612bf37c3

SHA1
1e37a61422600f8096609bdfa0eb0bf1011f558e

SHA256
52cfd36a47584086df218cfa23dd34bd3ec7a278f579b711c86a46684bbb72f8

SHA512
b70dea049e972b9a6d496ad794bae070b4d388ed93dc2a1eabd99ce47cb2873a7002a3256ef9b2af007f2a0814eee6fbbe1b5f70678338a2eac85338d1100203

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2oA495HX.exe
Filesize
221KB

MD5
c24604bca103e8d343e8660612bf37c3

SHA1
1e37a61422600f8096609bdfa0eb0bf1011f558e

SHA256
52cfd36a47584086df218cfa23dd34bd3ec7a278f579b711c86a46684bbb72f8

SHA512
b70dea049e972b9a6d496ad794bae070b4d388ed93dc2a1eabd99ce47cb2873a7002a3256ef9b2af007f2a0814eee6fbbe1b5f70678338a2eac85338d1100203

Download Submit
memory/1948-35-0x0000000008790000-0x0000000008DA8000-memory.dmp

Filesize
6.1MB

Download
memory/1948-34-0x0000000007890000-0x000000000789A000-memory.dmp

Filesize
40KB

Download
memory/1948-41-0x0000000007910000-0x0000000007920000-memory.dmp

Filesize
64KB

Download
memory/1948-40-0x00000000740B0000-0x0000000074860000-memory.dmp

Filesize
7.7MB

Download
memory/1948-30-0x00000000740B0000-0x0000000074860000-memory.dmp

Filesize
7.7MB

Download
memory/1948-29-0x0000000000920000-0x000000000095E000-memory.dmp

Filesize
248KB

Download
memory/1948-31-0x0000000007BC0000-0x0000000008164000-memory.dmp

Filesize
5.6MB

Download
memory/1948-32-0x00000000076F0000-0x0000000007782000-memory.dmp

Filesize
584KB

Download
memory/1948-33-0x0000000007910000-0x0000000007920000-memory.dmp

Filesize
64KB

Download
memory/1948-39-0x0000000007A10000-0x0000000007A5C000-memory.dmp

Filesize
304KB

Download
memory/1948-38-0x00000000079D0000-0x0000000007A0C000-memory.dmp

Filesize
240KB

Download
memory/1948-36-0x0000000007AB0000-0x0000000007BBA000-memory.dmp

Filesize
1.0MB

Download
memory/1948-37-0x0000000007970000-0x0000000007982000-memory.dmp

Filesize
72KB

Download
memory/2372-21-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2372-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2372-22-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2372-23-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads