mystic | c73495ac15edf243436755d8956653e0beb40278879b02b57909e6ed4003158b

General

Target

NEAS.f254b436b94b988732d2dc398f365270.exe
Size

379KB
MD5

f254b436b94b988732d2dc398f365270
SHA1

e3f0ef723e8cfd9e023120c2f3d7f80faa256a8b
SHA256

c73495ac15edf243436755d8956653e0beb40278879b02b57909e6ed4003158b
SHA512

9468f200c29e854c15703c45990654eb77f3f3a73af34f9a6691c7399aab892f796eb6f10342b8b078a0f906db66a0a25c5bb5d3e12457b730418fe15c7aef82
SSDEEP

6144:K6y+bnr+fp0yN90QEpmyGN/8wUGvYo8B6194oQWnD6ykQD7tStzpsZEdOXFJmHvg:WMr3y90DSRv38FhwLkQDp+sEQVJmHvg

Score

10^/10

mystic redline luate infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

luate

C2

77.91.124.55:19071

Attributes

auth_value
e45cd419aba6c9d372088ffe5629308b

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral1/memory/5084-7-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral1/memory/5084-8-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral1/memory/5084-9-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral1/memory/5084-11-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 2 IoCs

pid	Process
3184	g8793607.exe
1176	h4787744.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	NEAS.f254b436b94b988732d2dc398f365270.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3184 set thread context of 5084	3184	g8793607.exe	90

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4080	3184	WerFault.exe	87
564	5084	WerFault.exe	90

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 4596 wrote to memory of 3184	4596	NEAS.f254b436b94b988732d2dc398f365270.exe	87
PID 4596 wrote to memory of 3184	4596	NEAS.f254b436b94b988732d2dc398f365270.exe	87
PID 4596 wrote to memory of 3184	4596	NEAS.f254b436b94b988732d2dc398f365270.exe	87
PID 3184 wrote to memory of 1988	3184	g8793607.exe	89
PID 3184 wrote to memory of 1988	3184	g8793607.exe	89
PID 3184 wrote to memory of 1988	3184	g8793607.exe	89
PID 3184 wrote to memory of 5084	3184	g8793607.exe	90
PID 3184 wrote to memory of 5084	3184	g8793607.exe	90
PID 3184 wrote to memory of 5084	3184	g8793607.exe	90
PID 3184 wrote to memory of 5084	3184	g8793607.exe	90
PID 3184 wrote to memory of 5084	3184	g8793607.exe	90
PID 3184 wrote to memory of 5084	3184	g8793607.exe	90
PID 3184 wrote to memory of 5084	3184	g8793607.exe	90
PID 3184 wrote to memory of 5084	3184	g8793607.exe	90
PID 3184 wrote to memory of 5084	3184	g8793607.exe	90
PID 3184 wrote to memory of 5084	3184	g8793607.exe	90
PID 4596 wrote to memory of 1176	4596	NEAS.f254b436b94b988732d2dc398f365270.exe	98
PID 4596 wrote to memory of 1176	4596	NEAS.f254b436b94b988732d2dc398f365270.exe	98
PID 4596 wrote to memory of 1176	4596	NEAS.f254b436b94b988732d2dc398f365270.exe	98

C:\Users\Admin\AppData\Local\Temp\NEAS.f254b436b94b988732d2dc398f365270.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.f254b436b94b988732d2dc398f365270.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4596
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\g8793607.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\g8793607.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:3184
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:1988
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:5084
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 540
      4⤵
      Program crash
      PID:564
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3184 -s 588
    3⤵
    - Program crash
    PID:4080
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\h4787744.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\h4787744.exe
  2⤵
  - Executes dropped EXE
  PID:1176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3184 -ip 3184
1⤵
PID:4544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 5084 -ip 5084
1⤵
PID:4752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\g8793607.exe

Filesize
350KB

MD5
68837c6699827737c155072e08406c6d

SHA1
26233544f92fcdfcfd3da0bdcebbaca3846a94bb

SHA256
60848d121648155cb1a0d3c244ef18032026567f93e573d853fe294973f50cce

SHA512
0399a7d0926e6fcc5970e9db43f6ef66bddeb3f2005821d6d5d5b2e3baa1fbbe90ecf910ec9ccd8a814e7c8e4877b3377b9e744921c2cce283a1eb366fb75f1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\g8793607.exe

Filesize
350KB

MD5
68837c6699827737c155072e08406c6d

SHA1
26233544f92fcdfcfd3da0bdcebbaca3846a94bb

SHA256
60848d121648155cb1a0d3c244ef18032026567f93e573d853fe294973f50cce

SHA512
0399a7d0926e6fcc5970e9db43f6ef66bddeb3f2005821d6d5d5b2e3baa1fbbe90ecf910ec9ccd8a814e7c8e4877b3377b9e744921c2cce283a1eb366fb75f1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\h4787744.exe

Filesize
174KB

MD5
d0be99c23ff34cd2200ee5aedd1d9dc7

SHA1
17a1dc6e89fa9ebbb913375c382f4a9d16808b58

SHA256
6987aa7fb4b143cdf7bd1cae83b86801761b2fe818dfa97e80bf02f1ebe80e93

SHA512
e82f219fc3f36e2c6f9af1bf27494bed497c2f937d243d50c5085e993f703782bf11dba4c932d8c3040ad2a5042d6e8433cbf4e11d93dcf8f6755a34c11a5ca1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\h4787744.exe

Filesize
174KB

MD5
d0be99c23ff34cd2200ee5aedd1d9dc7

SHA1
17a1dc6e89fa9ebbb913375c382f4a9d16808b58

SHA256
6987aa7fb4b143cdf7bd1cae83b86801761b2fe818dfa97e80bf02f1ebe80e93

SHA512
e82f219fc3f36e2c6f9af1bf27494bed497c2f937d243d50c5085e993f703782bf11dba4c932d8c3040ad2a5042d6e8433cbf4e11d93dcf8f6755a34c11a5ca1

Download Submit
memory/1176-19-0x00000000052A0000-0x00000000053AA000-memory.dmp

Filesize
1.0MB

Download
memory/1176-18-0x00000000057B0000-0x0000000005DC8000-memory.dmp

Filesize
6.1MB

Download
memory/1176-25-0x0000000005180000-0x0000000005190000-memory.dmp

Filesize
64KB

Download
memory/1176-24-0x00000000749A0000-0x0000000075150000-memory.dmp

Filesize
7.7MB

Download
memory/1176-15-0x00000000749A0000-0x0000000075150000-memory.dmp

Filesize
7.7MB

Download
memory/1176-16-0x00000000007C0000-0x00000000007F0000-memory.dmp

Filesize
192KB

Download
memory/1176-17-0x00000000050E0000-0x00000000050E6000-memory.dmp

Filesize
24KB

Download
memory/1176-23-0x0000000005210000-0x000000000525C000-memory.dmp

Filesize
304KB

Download
memory/1176-22-0x00000000051D0000-0x000000000520C000-memory.dmp

Filesize
240KB

Download
memory/1176-20-0x0000000005180000-0x0000000005190000-memory.dmp

Filesize
64KB

Download
memory/1176-21-0x0000000005140000-0x0000000005152000-memory.dmp

Filesize
72KB

Download
memory/5084-7-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/5084-11-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/5084-8-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/5084-9-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads