mystic | 0a1e584362c5c329dcf83ec9453e7f2d553237d69d8c183bafaa2929bc8e4b99

General

Target

0a1e584362c5c329dcf83ec9453e7f2d553237d69d8c183bafaa2929bc8e4b99.exe
Size

517KB
MD5

2bf4dd15fd808607503f8e2295a4dfb3
SHA1

ee540aba9d5ad740e85f6e20feb2cf6c37081c04
SHA256

0a1e584362c5c329dcf83ec9453e7f2d553237d69d8c183bafaa2929bc8e4b99
SHA512

6ba761f676170ccf4f89706d30e3afe464d261861ce0d85811b40254a5baaa708deea9a92e6bcb2680923c8cbb462fa05e95de0edc674ba0b01f417a4614da39
SSDEEP

12288:GMrWy90kj3M0SlLAzzIvPeT42BiNuA09NZkmuzOF+Q8U7:4yVj9zkuHiz09gmD+Q8U7

Score

10^/10

mystic redline luska infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

luska

C2

77.91.124.55:19071

Attributes

auth_value
a6797888f51a88afbfd8854a79ac9357

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral1/memory/4668-14-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral1/memory/4668-15-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral1/memory/4668-16-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral1/memory/4668-18-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x00070000000233f0-19.dat	family_redline
behavioral1/memory/1564-22-0x0000000000700000-0x0000000000730000-memory.dmp	family_redline

Detects executables packed with ConfuserEx Mod 2 IoCs

resource	yara_rule
behavioral1/files/0x00070000000233f0-19.dat	INDICATOR_EXE_Packed_ConfuserEx
behavioral1/memory/1564-22-0x0000000000700000-0x0000000000730000-memory.dmp	INDICATOR_EXE_Packed_ConfuserEx

Executes dropped EXE 3 IoCs

pid	Process
2992	x3678646.exe
648	g4838518.exe
1564	h2476054.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	0a1e584362c5c329dcf83ec9453e7f2d553237d69d8c183bafaa2929bc8e4b99.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x3678646.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 648 set thread context of 4668	648	g4838518.exe	88

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1136	648	WerFault.exe	85
4736	4668	WerFault.exe	88

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 3016 wrote to memory of 2992	3016	0a1e584362c5c329dcf83ec9453e7f2d553237d69d8c183bafaa2929bc8e4b99.exe	84
PID 3016 wrote to memory of 2992	3016	0a1e584362c5c329dcf83ec9453e7f2d553237d69d8c183bafaa2929bc8e4b99.exe	84
PID 3016 wrote to memory of 2992	3016	0a1e584362c5c329dcf83ec9453e7f2d553237d69d8c183bafaa2929bc8e4b99.exe	84
PID 2992 wrote to memory of 648	2992	x3678646.exe	85
PID 2992 wrote to memory of 648	2992	x3678646.exe	85
PID 2992 wrote to memory of 648	2992	x3678646.exe	85
PID 648 wrote to memory of 4668	648	g4838518.exe	88
PID 648 wrote to memory of 4668	648	g4838518.exe	88
PID 648 wrote to memory of 4668	648	g4838518.exe	88
PID 648 wrote to memory of 4668	648	g4838518.exe	88
PID 648 wrote to memory of 4668	648	g4838518.exe	88
PID 648 wrote to memory of 4668	648	g4838518.exe	88
PID 648 wrote to memory of 4668	648	g4838518.exe	88
PID 648 wrote to memory of 4668	648	g4838518.exe	88
PID 648 wrote to memory of 4668	648	g4838518.exe	88
PID 648 wrote to memory of 4668	648	g4838518.exe	88
PID 2992 wrote to memory of 1564	2992	x3678646.exe	96
PID 2992 wrote to memory of 1564	2992	x3678646.exe	96
PID 2992 wrote to memory of 1564	2992	x3678646.exe	96

C:\Users\Admin\AppData\Local\Temp\0a1e584362c5c329dcf83ec9453e7f2d553237d69d8c183bafaa2929bc8e4b99.exe
"C:\Users\Admin\AppData\Local\Temp\0a1e584362c5c329dcf83ec9453e7f2d553237d69d8c183bafaa2929bc8e4b99.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3016
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3678646.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3678646.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2992
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g4838518.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g4838518.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:648
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:4668
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 540
        5⤵
        Program crash
        
        PID:4736
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 648 -s 156
      4⤵
      Program crash
      PID:1136
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h2476054.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h2476054.exe
    3⤵
    - Executes dropped EXE
    PID:1564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 648 -ip 648
1⤵
PID:1440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4668 -ip 4668
1⤵
PID:472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3678646.exe

Filesize
351KB

MD5
bc2cbd839aaa9c394181e1eeaf5e0582

SHA1
641502a69e0799b6f32e8fd84231865874d4ce8e

SHA256
c80b553af99f7b93a50fff3854894165d56ae8568f6f8c3f8311659c9b13f301

SHA512
7211991a538587ab04678cb27cee274f60f21e6206270b6cfd39720a69073de603952ce0ccd0b5e4e0fa3cd25829bc50a265e00643e8e090e50e3edbe0473500

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g4838518.exe

Filesize
276KB

MD5
88bbee3ad4754efdd0648506fe24ead5

SHA1
99deaf501839e3559cd61a7c19024621d79108ef

SHA256
7b3981985d2c893109507f64804487b32bd9b4bca95800974eb4323e54c5f41b

SHA512
12b815f2f3116bee0aafadaf04d4129da56c269c86c20783404d6c3e20b6a28f5fb4c39b95b87ddbcc675847b9fbd6968998b84f4d371e54b101f4e1997f67f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h2476054.exe

Filesize
174KB

MD5
cb34813940daea7d4168cd3c8d17b083

SHA1
675b6bd189e645ecb2cf23ea37b8be87eb3906cd

SHA256
1dac3ebf0d4184c69ef0c1ef50e8490206da2222a971bcc324086f23a00e8479

SHA512
cca5bcffab2d012911ea0ebd13f7a7c6e6af908185f9902ab5951544960dfa1d4ff35ea7d8f07db1f9194172b4158df3c3ea624a8353b20259051cc76a1ef843

Download Submit
memory/1564-27-0x00000000050C0000-0x00000000050D2000-memory.dmp

Filesize
72KB

Download
memory/1564-25-0x0000000005810000-0x0000000005E28000-memory.dmp

Filesize
6.1MB

Download
memory/1564-32-0x00000000050E0000-0x00000000050F0000-memory.dmp

Filesize
64KB

Download
memory/1564-31-0x0000000073D00000-0x00000000744B0000-memory.dmp

Filesize
7.7MB

Download
memory/1564-22-0x0000000000700000-0x0000000000730000-memory.dmp

Filesize
192KB

Download
memory/1564-23-0x0000000073D00000-0x00000000744B0000-memory.dmp

Filesize
7.7MB

Download
memory/1564-24-0x0000000002A20000-0x0000000002A26000-memory.dmp

Filesize
24KB

Download
memory/1564-30-0x0000000005270000-0x00000000052BC000-memory.dmp

Filesize
304KB

Download
memory/1564-26-0x0000000005300000-0x000000000540A000-memory.dmp

Filesize
1.0MB

Download
memory/1564-29-0x0000000005230000-0x000000000526C000-memory.dmp

Filesize
240KB

Download
memory/1564-28-0x00000000050E0000-0x00000000050F0000-memory.dmp

Filesize
64KB

Download
memory/4668-14-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4668-16-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4668-15-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4668-18-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads