mystic | 4ce71244da4dd5d9b0b7535c6b62aebf516adc87a36195170af93efa3a630b9f

Analysis

max time kernel
144s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 11:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3ba16fdd2a3366af19641ad21ef4ff828edfd310b6fd8c6b4e24aa854d8a668a.exe
Size

1.2MB
MD5

8baab3511bf3a99728edaba28284cd3c
SHA1

b935a0b20f20e0f296f67fec1e2aa1c57d9eda09
SHA256

3ba16fdd2a3366af19641ad21ef4ff828edfd310b6fd8c6b4e24aa854d8a668a
SHA512

0ac0e6eedb7d6db2f1c383f74d8fcb32829ab7446025670905caf2ceb95bd089fc21e95aa8f00b37c29815c0fc49fbbcad3b9774633d1cffc9dc7ccf57b20b8d
SSDEEP

24576:3y9ILra17CLHayHuMfvmkZOgEopve3fN2o78WXgzCkB6:C9ky7CLRHuMfvmKHpvkV2lkIZB

Score

10^/10

mystic redline lutyr infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

lutyr

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 3 IoCs

Processes:

resource	yara_rule
behavioral7/memory/2948-35-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral7/memory/2948-38-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral7/memory/2948-36-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2tI389xr.exe	family_redline
behavioral7/memory/4736-42-0x0000000000C40000-0x0000000000C7E000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

Processes:

yu5Zx2kB.exeBy5WQ8iX.exeTG4Bs8cm.exeud9mP7ZB.exe1TN49Uv4.exe2tI389xr.exe

pid process

4152 yu5Zx2kB.exe
2316 By5WQ8iX.exe
692 TG4Bs8cm.exe
3924 ud9mP7ZB.exe
4116 1TN49Uv4.exe
4736 2tI389xr.exe

pid	process
4152	yu5Zx2kB.exe
2316	By5WQ8iX.exe
692	TG4Bs8cm.exe
3924	ud9mP7ZB.exe
4116	1TN49Uv4.exe
4736	2tI389xr.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

3ba16fdd2a3366af19641ad21ef4ff828edfd310b6fd8c6b4e24aa854d8a668a.exeyu5Zx2kB.exeBy5WQ8iX.exeTG4Bs8cm.exeud9mP7ZB.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	3ba16fdd2a3366af19641ad21ef4ff828edfd310b6fd8c6b4e24aa854d8a668a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	yu5Zx2kB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	By5WQ8iX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	TG4Bs8cm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	ud9mP7ZB.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

1TN49Uv4.exe

description pid process target process

PID 4116 set thread context of 2948 4116 1TN49Uv4.exe AppLaunch.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3156 4116 WerFault.exe 1TN49Uv4.exe

description	pid	process	target process
PID 4116 set thread context of 2948	4116	1TN49Uv4.exe	AppLaunch.exe

pid	pid_target	process	target process
3156	4116	WerFault.exe	1TN49Uv4.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

3ba16fdd2a3366af19641ad21ef4ff828edfd310b6fd8c6b4e24aa854d8a668a.exeyu5Zx2kB.exeBy5WQ8iX.exeTG4Bs8cm.exeud9mP7ZB.exe1TN49Uv4.exe

description	pid	process	target process
PID 1836 wrote to memory of 4152	1836	3ba16fdd2a3366af19641ad21ef4ff828edfd310b6fd8c6b4e24aa854d8a668a.exe	yu5Zx2kB.exe
PID 1836 wrote to memory of 4152	1836	3ba16fdd2a3366af19641ad21ef4ff828edfd310b6fd8c6b4e24aa854d8a668a.exe	yu5Zx2kB.exe
PID 1836 wrote to memory of 4152	1836	3ba16fdd2a3366af19641ad21ef4ff828edfd310b6fd8c6b4e24aa854d8a668a.exe	yu5Zx2kB.exe
PID 4152 wrote to memory of 2316	4152	yu5Zx2kB.exe	By5WQ8iX.exe
PID 4152 wrote to memory of 2316	4152	yu5Zx2kB.exe	By5WQ8iX.exe
PID 4152 wrote to memory of 2316	4152	yu5Zx2kB.exe	By5WQ8iX.exe
PID 2316 wrote to memory of 692	2316	By5WQ8iX.exe	TG4Bs8cm.exe
PID 2316 wrote to memory of 692	2316	By5WQ8iX.exe	TG4Bs8cm.exe
PID 2316 wrote to memory of 692	2316	By5WQ8iX.exe	TG4Bs8cm.exe
PID 692 wrote to memory of 3924	692	TG4Bs8cm.exe	ud9mP7ZB.exe
PID 692 wrote to memory of 3924	692	TG4Bs8cm.exe	ud9mP7ZB.exe
PID 692 wrote to memory of 3924	692	TG4Bs8cm.exe	ud9mP7ZB.exe
PID 3924 wrote to memory of 4116	3924	ud9mP7ZB.exe	1TN49Uv4.exe
PID 3924 wrote to memory of 4116	3924	ud9mP7ZB.exe	1TN49Uv4.exe
PID 3924 wrote to memory of 4116	3924	ud9mP7ZB.exe	1TN49Uv4.exe
PID 4116 wrote to memory of 2948	4116	1TN49Uv4.exe	AppLaunch.exe
PID 4116 wrote to memory of 2948	4116	1TN49Uv4.exe	AppLaunch.exe
PID 4116 wrote to memory of 2948	4116	1TN49Uv4.exe	AppLaunch.exe
PID 4116 wrote to memory of 2948	4116	1TN49Uv4.exe	AppLaunch.exe
PID 4116 wrote to memory of 2948	4116	1TN49Uv4.exe	AppLaunch.exe
PID 4116 wrote to memory of 2948	4116	1TN49Uv4.exe	AppLaunch.exe
PID 4116 wrote to memory of 2948	4116	1TN49Uv4.exe	AppLaunch.exe
PID 4116 wrote to memory of 2948	4116	1TN49Uv4.exe	AppLaunch.exe
PID 4116 wrote to memory of 2948	4116	1TN49Uv4.exe	AppLaunch.exe
PID 4116 wrote to memory of 2948	4116	1TN49Uv4.exe	AppLaunch.exe
PID 3924 wrote to memory of 4736	3924	ud9mP7ZB.exe	2tI389xr.exe
PID 3924 wrote to memory of 4736	3924	ud9mP7ZB.exe	2tI389xr.exe
PID 3924 wrote to memory of 4736	3924	ud9mP7ZB.exe	2tI389xr.exe

C:\Users\Admin\AppData\Local\Temp\3ba16fdd2a3366af19641ad21ef4ff828edfd310b6fd8c6b4e24aa854d8a668a.exe
"C:\Users\Admin\AppData\Local\Temp\3ba16fdd2a3366af19641ad21ef4ff828edfd310b6fd8c6b4e24aa854d8a668a.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1836

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yu5Zx2kB.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yu5Zx2kB.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4152

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\By5WQ8iX.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\By5WQ8iX.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2316

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\TG4Bs8cm.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\TG4Bs8cm.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:692

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ud9mP7ZB.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ud9mP7ZB.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3924

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1TN49Uv4.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1TN49Uv4.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4116

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
PID:2948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4116 -s 592
7⤵
- Program crash
PID:3156

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2tI389xr.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2tI389xr.exe
6⤵
- Executes dropped EXE
PID:4736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4116 -ip 4116
1⤵
PID:4476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yu5Zx2kB.exe

Filesize
1.0MB

MD5
14912fe90c87f625293b7950c3737cf5

SHA1
8ee5a913e589fb2aeea1e66abe20353e229dabeb

SHA256
a01cf01c4a51f51d0aac0db4abd75da7c86dc3fe4eb4ced30e5a700f790b8c7f

SHA512
ff9d03a43f100b2d9729b1f13ef491cbd2a3fc22bf7771e47f05f1af30704ce5b84b01361b03daf79a6d5eac601c4a32247338057179b5f48464d8fb5e36cbbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\By5WQ8iX.exe

Filesize
878KB

MD5
b96d024dcec48f44b0e634a0d00b0223

SHA1
49c0257d1656bba562b78ec9ceef0a852bf0f9e2

SHA256
0db5661ebf50793bdeff7536da4cb9ffb340dd640bed042a0261bc85ed758014

SHA512
1ef86c93b05e3bf163272baefd31c44be913fbb0ae5c70469c7e70adfc697f11a0097ba1d6d6e5101087d99adc17a9d997db32c50dcd91f263944ee097042359

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\TG4Bs8cm.exe

Filesize
585KB

MD5
595ba700772de93abca49bc60f72fd93

SHA1
0f3d73f972a990e96a2b7980ef39c64408c92cdb

SHA256
6c6f96047ea0811502e9b66c7c24fe647bf990fb1f36bac4c6eb7284d01130fb

SHA512
f21135fe826a515f9edae818359b96e7c90f30544822c792ade243b712420e787d419b2064a0c38afffadf30254e39fdddc4d196b77a1de04ca9d7aaa7678d6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ud9mP7ZB.exe

Filesize
412KB

MD5
8cccf9dfbf727e134a0283c6db3108f1

SHA1
c7cfe5d37931b15213e6ed2e068d4c3d9ec35968

SHA256
235557ff9d81e1539021021a81ef33e5a19b68c4983212d98dbca367474a7025

SHA512
950b007c08420cc515dd021d6521ac7b94d29ae8b70fbcdefd1d1b6183862e141489d3a623ed40657d9d3244db4d853e159b24b12ff512a2c6968b88001e9b9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1TN49Uv4.exe

Filesize
378KB

MD5
489492c387af0075b9d1a9bcdaae552c

SHA1
020850bcae1226a62dec53d9cd6111f5d47488ca

SHA256
c120782a83cd92cf61f248892c6243486b19e5193196aeac3fdb46c3aef027eb

SHA512
df327f7c12f5ce6ff2d3387cc4778fdceeedf7a073e2b4167fae37b87881b9bbef4a01b38ae8464e4f1a002bc55460986ce94c544b3e61c828fc90bb56281371

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2tI389xr.exe

Filesize
221KB

MD5
2aef8be54c8cb6e31931f4551c5a6b51

SHA1
ff7a407c5c036a306f04819777055d0a29e1da5d

SHA256
af529dbb38a191ff597cf3c0382f8641d8961a7efe18db5abd347a5b74186ad9

SHA512
c6f8013403d4638daa5b847c17820ea1bf0533bc8291e1fb0b5b2494af626965044c28631f9a553da15b95ab0717922ffd4f1b35dd45fdb8e441dcdbe1a83413

Download Submit
memory/2948-38-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2948-36-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2948-35-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4736-42-0x0000000000C40000-0x0000000000C7E000-memory.dmp

Filesize
248KB

Download
memory/4736-43-0x0000000007F00000-0x00000000084A4000-memory.dmp

Filesize
5.6MB

Download
memory/4736-44-0x00000000079F0000-0x0000000007A82000-memory.dmp

Filesize
584KB

Download
memory/4736-45-0x0000000002FA0000-0x0000000002FAA000-memory.dmp

Filesize
40KB

Download
memory/4736-46-0x0000000008AD0000-0x00000000090E8000-memory.dmp

Filesize
6.1MB

Download
memory/4736-47-0x0000000007DB0000-0x0000000007EBA000-memory.dmp

Filesize
1.0MB

Download
memory/4736-48-0x0000000007C00000-0x0000000007C12000-memory.dmp

Filesize
72KB

Download
memory/4736-49-0x0000000007C60000-0x0000000007C9C000-memory.dmp

Filesize
240KB

Download
memory/4736-50-0x0000000007CA0000-0x0000000007CEC000-memory.dmp

Filesize
304KB

Download