mystic | 8f7ecfcea350d8e91e6bb9083833f37b57aa78d15022b68c407055e2463bd982

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 19:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5fdef2b38d6a927d590cbceb6a8c3f4e278c41ce01d872925603603cd7d0bc0a.exe
Size

547KB
MD5

ff3fc3b57f2e1ef457d7ce7e7c273716
SHA1

54b6241c92f97be696ae599391a2ce0dfe9e7e44
SHA256

5fdef2b38d6a927d590cbceb6a8c3f4e278c41ce01d872925603603cd7d0bc0a
SHA512

e198c3d34f25cc5f2c24286b4e5a5de944322f3fdd4746c364ddcde0835129e7cdbda89d8166f2ce2590744aa35e5deaef0528107031387ba6d2edda2b0a5c63
SSDEEP

12288:JMrgy905aKrXt7d3Hl/HtIlrQItcqbfA:xyNKzddXl/6rVCwA

Score

10^/10

mystic redline luate infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

luate

77.91.124.55:19071

Attributes

auth_value
e45cd419aba6c9d372088ffe5629308b

Signatures

Detect Mystic stealer payload 4 IoCs

Processes:

resource	yara_rule
behavioral7/memory/2856-14-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral7/memory/2856-18-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral7/memory/2856-16-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral7/memory/2856-15-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h2394542.exe	family_redline
behavioral7/memory/2476-22-0x0000000000CB0000-0x0000000000CE0000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

Processes:

x5392284.exeg4953753.exeh2394542.exe

pid process

3576 x5392284.exe
2612 g4953753.exe
2476 h2394542.exe

pid	process
3576	x5392284.exe
2612	g4953753.exe
2476	h2394542.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

5fdef2b38d6a927d590cbceb6a8c3f4e278c41ce01d872925603603cd7d0bc0a.exex5392284.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5fdef2b38d6a927d590cbceb6a8c3f4e278c41ce01d872925603603cd7d0bc0a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x5392284.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

g4953753.exe

description pid process target process

PID 2612 set thread context of 2856 2612 g4953753.exe AppLaunch.exe
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1052 2612 WerFault.exe g4953753.exe
2360 2856 WerFault.exe AppLaunch.exe

description	pid	process	target process
PID 2612 set thread context of 2856	2612	g4953753.exe	AppLaunch.exe

pid	pid_target	process	target process
1052	2612	WerFault.exe	g4953753.exe
2360	2856	WerFault.exe	AppLaunch.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

5fdef2b38d6a927d590cbceb6a8c3f4e278c41ce01d872925603603cd7d0bc0a.exex5392284.exeg4953753.exe

description	pid	process	target process
PID 4952 wrote to memory of 3576	4952	5fdef2b38d6a927d590cbceb6a8c3f4e278c41ce01d872925603603cd7d0bc0a.exe	x5392284.exe
PID 4952 wrote to memory of 3576	4952	5fdef2b38d6a927d590cbceb6a8c3f4e278c41ce01d872925603603cd7d0bc0a.exe	x5392284.exe
PID 4952 wrote to memory of 3576	4952	5fdef2b38d6a927d590cbceb6a8c3f4e278c41ce01d872925603603cd7d0bc0a.exe	x5392284.exe
PID 3576 wrote to memory of 2612	3576	x5392284.exe	g4953753.exe
PID 3576 wrote to memory of 2612	3576	x5392284.exe	g4953753.exe
PID 3576 wrote to memory of 2612	3576	x5392284.exe	g4953753.exe
PID 2612 wrote to memory of 3156	2612	g4953753.exe	AppLaunch.exe
PID 2612 wrote to memory of 3156	2612	g4953753.exe	AppLaunch.exe
PID 2612 wrote to memory of 3156	2612	g4953753.exe	AppLaunch.exe
PID 2612 wrote to memory of 1256	2612	g4953753.exe	AppLaunch.exe
PID 2612 wrote to memory of 1256	2612	g4953753.exe	AppLaunch.exe
PID 2612 wrote to memory of 1256	2612	g4953753.exe	AppLaunch.exe
PID 2612 wrote to memory of 2856	2612	g4953753.exe	AppLaunch.exe
PID 2612 wrote to memory of 2856	2612	g4953753.exe	AppLaunch.exe
PID 2612 wrote to memory of 2856	2612	g4953753.exe	AppLaunch.exe
PID 2612 wrote to memory of 2856	2612	g4953753.exe	AppLaunch.exe
PID 2612 wrote to memory of 2856	2612	g4953753.exe	AppLaunch.exe
PID 2612 wrote to memory of 2856	2612	g4953753.exe	AppLaunch.exe
PID 2612 wrote to memory of 2856	2612	g4953753.exe	AppLaunch.exe
PID 2612 wrote to memory of 2856	2612	g4953753.exe	AppLaunch.exe
PID 2612 wrote to memory of 2856	2612	g4953753.exe	AppLaunch.exe
PID 2612 wrote to memory of 2856	2612	g4953753.exe	AppLaunch.exe
PID 3576 wrote to memory of 2476	3576	x5392284.exe	h2394542.exe
PID 3576 wrote to memory of 2476	3576	x5392284.exe	h2394542.exe
PID 3576 wrote to memory of 2476	3576	x5392284.exe	h2394542.exe

C:\Users\Admin\AppData\Local\Temp\5fdef2b38d6a927d590cbceb6a8c3f4e278c41ce01d872925603603cd7d0bc0a.exe
"C:\Users\Admin\AppData\Local\Temp\5fdef2b38d6a927d590cbceb6a8c3f4e278c41ce01d872925603603cd7d0bc0a.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4952

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5392284.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5392284.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3576

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g4953753.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g4953753.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2612

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
4⤵
PID:3156

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
4⤵
PID:1256

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
4⤵
PID:2856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2856 -s 540
5⤵
- Program crash
PID:2360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2612 -s 604
4⤵
- Program crash
PID:1052

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h2394542.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h2394542.exe
3⤵
- Executes dropped EXE
PID:2476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2856 -ip 2856
1⤵
PID:1076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2612 -ip 2612
1⤵
PID:4280

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5392284.exe
Filesize
381KB

MD5
d9a69262f6e89052240d96531cce6e40

SHA1
676bfa0847f1df213d77730526b0b2da0bfe52c6

SHA256
26bd29130b9fe73fae25b9c746fe0e340c54806f98362f004aab36cf2dde5cfb

SHA512
ec302a26541857fd32be602be4b461e673fd51ed3e27806c995ad57f9b1266ae11edb40d5f3570803ee2c1bad94364b3a2d4fc4220b480dbc7a199e0672a91d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g4953753.exe
Filesize
346KB

MD5
bb7e58fc7793b5aaa83dd824e2310bae

SHA1
51da0f82095eed6e4a57bb01f410cfaed927ea87

SHA256
14046248663fec768b4be6b4cc31e292413c61ce562a15790a9bc07d52572468

SHA512
7cfcf8a455a4e5801dae484c73625351c4e6fbf3a9e5ee46bbc8d42548c01305b3977cdd10f1647edc418ceda39a160329edc89e9a8193314b7826f93c7f8c20

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h2394542.exe
Filesize
174KB

MD5
b5651381dd0d132d2d75b4b126622d1c

SHA1
b6eac550e778a7a5d325a48278784acbdab6cd0c

SHA256
6f59b8113505dd48834c657a57667217e69f89baffca98e92444488bbdfdc822

SHA512
0564b525d4b39110f6803a2ecfe22d580205cca067df2fb13bf04cf70666d5d13af9efe660710d1bfd1a7053d34a01c6cc18938b894a8a973f65f33e5fa13dbf

Download Submit
memory/2476-24-0x0000000005CE0000-0x00000000062F8000-memory.dmp

Filesize
6.1MB

Download
memory/2476-22-0x0000000000CB0000-0x0000000000CE0000-memory.dmp

Filesize
192KB

Download
memory/2476-23-0x00000000015B0000-0x00000000015B6000-memory.dmp

Filesize
24KB

Download
memory/2476-25-0x00000000057D0000-0x00000000058DA000-memory.dmp

Filesize
1.0MB

Download
memory/2476-26-0x0000000005530000-0x0000000005542000-memory.dmp

Filesize
72KB

Download
memory/2476-27-0x00000000056C0000-0x00000000056FC000-memory.dmp

Filesize
240KB

Download
memory/2476-28-0x0000000005700000-0x000000000574C000-memory.dmp

Filesize
304KB

Download
memory/2856-16-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2856-15-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2856-18-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2856-14-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download