mystic | d66c5907218da0e1082f3a1318226d1c5bab6bd1ebb57b034a817b4c35495ac8

Analysis

max time kernel
142s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 09:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

708b7d578b1052d5139aa1c7696980dfbb558c7f9d79340c923242e497b33165.exe
Size

913KB
MD5

dca929d746fbc57599fd90882325f030
SHA1

c3374249560ea2019d57b288aef67906e1c5285e
SHA256

708b7d578b1052d5139aa1c7696980dfbb558c7f9d79340c923242e497b33165
SHA512

617458913f5dfb76ed23c605c772a8da48f6905df2f2b46077dc810310d29ba64a334a455f360b815eab93cbf2130fe84ec8177fe099775f45319f9ba0a0896a
SSDEEP

24576:YyS5nbWGFJT6uokW0rDd4Q1LG//kXs60r31PeC7:fS5rJ91rDqv/vhrlPeC

Score

10^/10

mystic redline luate infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

luate

77.91.124.55:19071

Attributes

auth_value
e45cd419aba6c9d372088ffe5629308b

Signatures

Detect Mystic stealer payload 3 IoCs

Processes:

resource	yara_rule
behavioral9/memory/4872-31-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral9/memory/4872-29-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral9/memory/4872-28-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h9973163.exe	family_redline
behavioral9/memory/2532-35-0x00000000004A0000-0x00000000004D0000-memory.dmp	family_redline

Executes dropped EXE 5 IoCs

Processes:

x6027404.exex8648009.exex7587581.exeg7829261.exeh9973163.exe

pid process

2972 x6027404.exe
760 x8648009.exe
1068 x7587581.exe
5008 g7829261.exe
2532 h9973163.exe

pid	process
2972	x6027404.exe
760	x8648009.exe
1068	x7587581.exe
5008	g7829261.exe
2532	h9973163.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

x7587581.exe708b7d578b1052d5139aa1c7696980dfbb558c7f9d79340c923242e497b33165.exex6027404.exex8648009.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x7587581.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	708b7d578b1052d5139aa1c7696980dfbb558c7f9d79340c923242e497b33165.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x6027404.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x8648009.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

g7829261.exe

description pid process target process

PID 5008 set thread context of 4872 5008 g7829261.exe AppLaunch.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3824 5008 WerFault.exe g7829261.exe

description	pid	process	target process
PID 5008 set thread context of 4872	5008	g7829261.exe	AppLaunch.exe

pid	pid_target	process	target process
3824	5008	WerFault.exe	g7829261.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

708b7d578b1052d5139aa1c7696980dfbb558c7f9d79340c923242e497b33165.exex6027404.exex8648009.exex7587581.exeg7829261.exe

description	pid	process	target process
PID 4520 wrote to memory of 2972	4520	708b7d578b1052d5139aa1c7696980dfbb558c7f9d79340c923242e497b33165.exe	x6027404.exe
PID 4520 wrote to memory of 2972	4520	708b7d578b1052d5139aa1c7696980dfbb558c7f9d79340c923242e497b33165.exe	x6027404.exe
PID 4520 wrote to memory of 2972	4520	708b7d578b1052d5139aa1c7696980dfbb558c7f9d79340c923242e497b33165.exe	x6027404.exe
PID 2972 wrote to memory of 760	2972	x6027404.exe	x8648009.exe
PID 2972 wrote to memory of 760	2972	x6027404.exe	x8648009.exe
PID 2972 wrote to memory of 760	2972	x6027404.exe	x8648009.exe
PID 760 wrote to memory of 1068	760	x8648009.exe	x7587581.exe
PID 760 wrote to memory of 1068	760	x8648009.exe	x7587581.exe
PID 760 wrote to memory of 1068	760	x8648009.exe	x7587581.exe
PID 1068 wrote to memory of 5008	1068	x7587581.exe	g7829261.exe
PID 1068 wrote to memory of 5008	1068	x7587581.exe	g7829261.exe
PID 1068 wrote to memory of 5008	1068	x7587581.exe	g7829261.exe
PID 5008 wrote to memory of 4872	5008	g7829261.exe	AppLaunch.exe
PID 5008 wrote to memory of 4872	5008	g7829261.exe	AppLaunch.exe
PID 5008 wrote to memory of 4872	5008	g7829261.exe	AppLaunch.exe
PID 5008 wrote to memory of 4872	5008	g7829261.exe	AppLaunch.exe
PID 5008 wrote to memory of 4872	5008	g7829261.exe	AppLaunch.exe
PID 5008 wrote to memory of 4872	5008	g7829261.exe	AppLaunch.exe
PID 5008 wrote to memory of 4872	5008	g7829261.exe	AppLaunch.exe
PID 5008 wrote to memory of 4872	5008	g7829261.exe	AppLaunch.exe
PID 5008 wrote to memory of 4872	5008	g7829261.exe	AppLaunch.exe
PID 5008 wrote to memory of 4872	5008	g7829261.exe	AppLaunch.exe
PID 1068 wrote to memory of 2532	1068	x7587581.exe	h9973163.exe
PID 1068 wrote to memory of 2532	1068	x7587581.exe	h9973163.exe
PID 1068 wrote to memory of 2532	1068	x7587581.exe	h9973163.exe

C:\Users\Admin\AppData\Local\Temp\708b7d578b1052d5139aa1c7696980dfbb558c7f9d79340c923242e497b33165.exe
"C:\Users\Admin\AppData\Local\Temp\708b7d578b1052d5139aa1c7696980dfbb558c7f9d79340c923242e497b33165.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4520
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6027404.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6027404.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2972
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8648009.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8648009.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:760
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x7587581.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x7587581.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1068
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g7829261.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g7829261.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:5008
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:4872
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5008 -s 156
        6⤵
        Program crash
        
        PID:3824
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h9973163.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h9973163.exe
        5⤵
        Executes dropped EXE
        
        PID:2532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 5008 -ip 5008
1⤵
PID:772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6027404.exe

Filesize
811KB

MD5
0f07669b66ccd6f1c5b6963f5b2ae9c5

SHA1
7bc3abee80209cb52c6038384c68b08acb8f3409

SHA256
6411b0e276fb83489e6a1e08731c098ca266c966a559540423dc38dc9fc78a80

SHA512
4e18cc4b7253f7744c46b6c9ee9f49691de33caf68ced924c0bd63909a5ab760d4e00c423f1fe1c0d8ec5c83bbc5ea5db13647b359e577265ce0cae8205492a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8648009.exe

Filesize
547KB

MD5
937152ca3f53ce0c68efef8378127450

SHA1
0508eb52806c614292f04bc92c2024f2c6b84217

SHA256
7c03fd4242f4f647db931ae650423889bee86792511f847926e0251c2021e388

SHA512
8168ce723e016bafad741e3224df03761db8d6f95056c0042d2451fc03186a92a2c1aece4f82b108b0d85ba49d1a7215cd185ff053753f2d52e490e92e6812c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x7587581.exe

Filesize
381KB

MD5
b0d4c42d0c0eeb5598e4c668adb22f40

SHA1
fa243292e93f73b013a14e722a3da2496c43c524

SHA256
4e4a2f964c1de3ff4cf11aed792c50f44f925c8a832f8541199ffb4d66c676c7

SHA512
a038bbd7a3e8033953da7ca2c3a3dbccd4f73c3cbb3a003e99b6aca84db3d2ecb538e81adc2e2551c3b760b903579634f3a9d06481b1cab7753af1f5e3b071f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g7829261.exe

Filesize
346KB

MD5
b9430811c94b808e8a839ef6890dfe1b

SHA1
5cd0e206c73ab70af97f3321fc8a9510b47f0014

SHA256
7114377f2f4b5894838ed771629756d80d1b8f43e6f63ec40cd80b388e6e6b18

SHA512
4888c48ba0529f179903b7d5c3777dba750abbd8112afe8e4ca485a84fd1d84fd66a8c754d5c52e1265caa1266cd6ac1c670f8524abb4f91f820db2bdbf30681

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h9973163.exe

Filesize
174KB

MD5
44aafdaf9e850b9a6dc4e45c4785ca43

SHA1
7cfb5cc8dc4061ac8255a0f4f65c3286bf42b767

SHA256
f6d36a04b311f0f39a0060d0a615cefb9e13fe90461b2dcd89e0a0757cc836d5

SHA512
534b568e5ff13f0b35761a3dcb9fc9a0f9188597af30472ef81eda4b9b83b095d702cc302eadae89dd84fb05cdbce501361cf096c4696a74448e0c1122744e8c

Download Submit
memory/2532-36-0x0000000002650000-0x0000000002656000-memory.dmp

Filesize
24KB

Download
memory/2532-35-0x00000000004A0000-0x00000000004D0000-memory.dmp

Filesize
192KB

Download
memory/2532-37-0x0000000005580000-0x0000000005B98000-memory.dmp

Filesize
6.1MB

Download
memory/2532-38-0x0000000005070000-0x000000000517A000-memory.dmp

Filesize
1.0MB

Download
memory/2532-39-0x0000000004F80000-0x0000000004F92000-memory.dmp

Filesize
72KB

Download
memory/2532-40-0x0000000004FE0000-0x000000000501C000-memory.dmp

Filesize
240KB

Download
memory/2532-41-0x0000000005020000-0x000000000506C000-memory.dmp

Filesize
304KB

Download
memory/4872-28-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4872-29-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4872-31-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download