mystic | 692e82b585be9ac7cc8c88f2eeb475fcf42fed96a7b5572934f45018a5f7f2d1

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 19:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5f2f269e1f9905fb92ad987badd2a5b73d7a44e072d374b4e040c95e30b5c69a.exe
Size

912KB
MD5

5f4de66cb9b1568753b8a44fad14b23e
SHA1

e2c294ab014a574e4b8ea8d65f2ae46af5f3713e
SHA256

5f2f269e1f9905fb92ad987badd2a5b73d7a44e072d374b4e040c95e30b5c69a
SHA512

acd31c122a20e8a77ab2f170f783679a2924d1dc958b32f384474590a0ea90c525976ce1c7ccd5be82098d2cee90bbfc9293ebae89a86fe3919ee929cd2265e0
SSDEEP

12288:hMrMy9025kLy2eMdZp7L5QvRc/3aVqtmikIDH3qh5LAYUKEnIqHF+x7SB/h5vs6:FyT5tAf5Qk3CqtwUa/LAHn1HF+1SB1

Score

10^/10

mystic redline luate infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

luate

77.91.124.55:19071

Attributes

auth_value
e45cd419aba6c9d372088ffe5629308b

Signatures

Detect Mystic stealer payload 3 IoCs

Processes:

resource	yara_rule
behavioral6/memory/5860-28-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral6/memory/5860-31-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral6/memory/5860-29-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h2779192.exe	family_redline
behavioral6/memory/1044-35-0x0000000000720000-0x0000000000750000-memory.dmp	family_redline

Executes dropped EXE 5 IoCs

Processes:

x9609062.exex3537467.exex4553268.exeg7015082.exeh2779192.exe

pid process

2672 x9609062.exe
1392 x3537467.exe
4556 x4553268.exe
4036 g7015082.exe
1044 h2779192.exe

pid	process
2672	x9609062.exe
1392	x3537467.exe
4556	x4553268.exe
4036	g7015082.exe
1044	h2779192.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

5f2f269e1f9905fb92ad987badd2a5b73d7a44e072d374b4e040c95e30b5c69a.exex9609062.exex3537467.exex4553268.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5f2f269e1f9905fb92ad987badd2a5b73d7a44e072d374b4e040c95e30b5c69a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x9609062.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x3537467.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x4553268.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

g7015082.exe

description pid process target process

PID 4036 set thread context of 5860 4036 g7015082.exe AppLaunch.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4564 4036 WerFault.exe g7015082.exe

description	pid	process	target process
PID 4036 set thread context of 5860	4036	g7015082.exe	AppLaunch.exe

pid	pid_target	process	target process
4564	4036	WerFault.exe	g7015082.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

5f2f269e1f9905fb92ad987badd2a5b73d7a44e072d374b4e040c95e30b5c69a.exex9609062.exex3537467.exex4553268.exeg7015082.exe

description	pid	process	target process
PID 4552 wrote to memory of 2672	4552	5f2f269e1f9905fb92ad987badd2a5b73d7a44e072d374b4e040c95e30b5c69a.exe	x9609062.exe
PID 4552 wrote to memory of 2672	4552	5f2f269e1f9905fb92ad987badd2a5b73d7a44e072d374b4e040c95e30b5c69a.exe	x9609062.exe
PID 4552 wrote to memory of 2672	4552	5f2f269e1f9905fb92ad987badd2a5b73d7a44e072d374b4e040c95e30b5c69a.exe	x9609062.exe
PID 2672 wrote to memory of 1392	2672	x9609062.exe	x3537467.exe
PID 2672 wrote to memory of 1392	2672	x9609062.exe	x3537467.exe
PID 2672 wrote to memory of 1392	2672	x9609062.exe	x3537467.exe
PID 1392 wrote to memory of 4556	1392	x3537467.exe	x4553268.exe
PID 1392 wrote to memory of 4556	1392	x3537467.exe	x4553268.exe
PID 1392 wrote to memory of 4556	1392	x3537467.exe	x4553268.exe
PID 4556 wrote to memory of 4036	4556	x4553268.exe	g7015082.exe
PID 4556 wrote to memory of 4036	4556	x4553268.exe	g7015082.exe
PID 4556 wrote to memory of 4036	4556	x4553268.exe	g7015082.exe
PID 4036 wrote to memory of 5860	4036	g7015082.exe	AppLaunch.exe
PID 4036 wrote to memory of 5860	4036	g7015082.exe	AppLaunch.exe
PID 4036 wrote to memory of 5860	4036	g7015082.exe	AppLaunch.exe
PID 4036 wrote to memory of 5860	4036	g7015082.exe	AppLaunch.exe
PID 4036 wrote to memory of 5860	4036	g7015082.exe	AppLaunch.exe
PID 4036 wrote to memory of 5860	4036	g7015082.exe	AppLaunch.exe
PID 4036 wrote to memory of 5860	4036	g7015082.exe	AppLaunch.exe
PID 4036 wrote to memory of 5860	4036	g7015082.exe	AppLaunch.exe
PID 4036 wrote to memory of 5860	4036	g7015082.exe	AppLaunch.exe
PID 4036 wrote to memory of 5860	4036	g7015082.exe	AppLaunch.exe
PID 4556 wrote to memory of 1044	4556	x4553268.exe	h2779192.exe
PID 4556 wrote to memory of 1044	4556	x4553268.exe	h2779192.exe
PID 4556 wrote to memory of 1044	4556	x4553268.exe	h2779192.exe

C:\Users\Admin\AppData\Local\Temp\5f2f269e1f9905fb92ad987badd2a5b73d7a44e072d374b4e040c95e30b5c69a.exe
"C:\Users\Admin\AppData\Local\Temp\5f2f269e1f9905fb92ad987badd2a5b73d7a44e072d374b4e040c95e30b5c69a.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4552

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9609062.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9609062.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2672

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3537467.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3537467.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1392

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x4553268.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x4553268.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4556

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g7015082.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g7015082.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4036

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
6⤵
PID:5860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4036 -s 156
6⤵
- Program crash
PID:4564

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h2779192.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h2779192.exe
5⤵
- Executes dropped EXE
PID:1044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4036 -ip 4036
1⤵
PID:5364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9609062.exe
Filesize
810KB

MD5
66f7f8baa8e1ae254d925d449c8e3c53

SHA1
ed6c763314fb4123d472e6b5528056505761e79c

SHA256
dda98b7031f2c6d93883b6412395567def11c58eb7ec49a23783187c8f88b0d2

SHA512
4108b3774a162430c09e1bd71bfce56e71854b1871d7eb3061a948ae5ed3b8511f530af9b28bbdf24054a5881b862b4e623a0d04c81a1de709ff1571658de14f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3537467.exe
Filesize
547KB

MD5
2a9a0f177a18efc4637d0fd3899e0a27

SHA1
112d8b5d3e840eb9be5043cbf9a371560403dc76

SHA256
4c1096497fe933093803640bfebddbce9349f21741e627f51650ab6fafdb4c59

SHA512
f362fd8c1104f25a6b7e6277c981335ce021de18f125b3051ed5e2d08a2a1cc541ccfcfda5465c3c9ae08555fac3b1af19154c9c4eb52eca00251e31bc7aa30a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x4553268.exe
Filesize
381KB

MD5
faa93c16778a1368d978b6102a4e3da8

SHA1
25bd3a9bbd31743cf5fbb5c0fd00251af74cb326

SHA256
6bd4b1c650e8a3770f508e4aa6e8468e6d1d6f2872fd51974f2d7b857a5ffe50

SHA512
d9c2637e28c5e0cc051d98b6ab364ecdd109e3cc870520554eee6a67229bb0c5e9ad5908741f4b9d1add5f31a02ff6268fe99817bd55e7b1ecfee35d687c66a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g7015082.exe
Filesize
346KB

MD5
07fde6b1142b5ed94e1eee5acec4f438

SHA1
1557ed8a1f8e8ca8a53cbad2adb5b087c84ab581

SHA256
e74cee163ea262850a9925f6ff1ee63415d0c26ee75b45f9395aa8c36c938b5d

SHA512
0e91c2a62062e9d1f5ce2fad436956f39b117d7789da91fbc586539162f87842017157036cb1eab9910fbf5a014c146a1062bb8e880b90a7cd0c2ed25e409a1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h2779192.exe
Filesize
174KB

MD5
bc9f0aa9d56d5695f7a12e8b50ec383f

SHA1
a4b1a4586098e52860a88bd72d4096cea5f4e0a6

SHA256
7dba4fdbffbfec09028375424ac35e581d60c8f9d1c9c7c7a17815c0d500f23e

SHA512
e863353a5ef207448ede278331775d86813593e334ca38d46d1f3cdfac74a0493889b409b1bc8eccbd31be05f2a3d11b53194283a40a979b6eb57642594102f7

Download Submit
memory/1044-36-0x0000000005040000-0x0000000005046000-memory.dmp

Filesize
24KB

Download
memory/1044-35-0x0000000000720000-0x0000000000750000-memory.dmp

Filesize
192KB

Download
memory/1044-37-0x0000000005720000-0x0000000005D38000-memory.dmp

Filesize
6.1MB

Download
memory/1044-38-0x0000000005210000-0x000000000531A000-memory.dmp

Filesize
1.0MB

Download
memory/1044-39-0x00000000050A0000-0x00000000050B2000-memory.dmp

Filesize
72KB

Download
memory/1044-40-0x0000000005140000-0x000000000517C000-memory.dmp

Filesize
240KB

Download
memory/1044-41-0x0000000005180000-0x00000000051CC000-memory.dmp

Filesize
304KB

Download
memory/5860-29-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/5860-31-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/5860-28-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download