mystic | a44d7397ca2486a37cfbc6cd473037b204a5fe4678303dd2f187c814c85f25db

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 17:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e7ee230707772fd1bd9dd07f526c692dfe119bca41b2113cadfcd511a5416cd5.exe
Size

1.2MB
MD5

dbf8c4938f5d91edbe1397152cd798e4
SHA1

1504a1c541e719d2ee3632f75eda67df89dd2d6c
SHA256

e7ee230707772fd1bd9dd07f526c692dfe119bca41b2113cadfcd511a5416cd5
SHA512

7517f63dfa3127e89db5a4bf65013112f3c25990349beae782ecc77b5d7a091c71866ad1e70832e50aead3259d7632b064d55b299fa0938de1e230ddb80a0c2d
SSDEEP

24576:cyWfF+5tfwol4Y6uxAZNJTn8TH0SGujiVknqqIefUrobxH4g:Lu+51wit6uWNJM8ujrvffBxH4

Score

10^/10

mystic redline lutyr infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

lutyr

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 3 IoCs

resource	yara_rule
behavioral17/memory/3024-38-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral17/memory/3024-36-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral17/memory/3024-35-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral17/files/0x000700000002342b-40.dat	family_redline
behavioral17/memory/1840-42-0x0000000000140000-0x000000000017E000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
984	Fa0kC2JD.exe
1028	ky1ub7Su.exe
1352	WK3SV5rF.exe
3672	Dm7Lo8Hk.exe
2524	1Fi82yd4.exe
1840	2Rl386BO.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e7ee230707772fd1bd9dd07f526c692dfe119bca41b2113cadfcd511a5416cd5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Fa0kC2JD.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	ky1ub7Su.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	WK3SV5rF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	Dm7Lo8Hk.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2524 set thread context of 3024	2524	1Fi82yd4.exe	88

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3288	2524	WerFault.exe	86

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 4668 wrote to memory of 984	4668	e7ee230707772fd1bd9dd07f526c692dfe119bca41b2113cadfcd511a5416cd5.exe	82
PID 4668 wrote to memory of 984	4668	e7ee230707772fd1bd9dd07f526c692dfe119bca41b2113cadfcd511a5416cd5.exe	82
PID 4668 wrote to memory of 984	4668	e7ee230707772fd1bd9dd07f526c692dfe119bca41b2113cadfcd511a5416cd5.exe	82
PID 984 wrote to memory of 1028	984	Fa0kC2JD.exe	83
PID 984 wrote to memory of 1028	984	Fa0kC2JD.exe	83
PID 984 wrote to memory of 1028	984	Fa0kC2JD.exe	83
PID 1028 wrote to memory of 1352	1028	ky1ub7Su.exe	84
PID 1028 wrote to memory of 1352	1028	ky1ub7Su.exe	84
PID 1028 wrote to memory of 1352	1028	ky1ub7Su.exe	84
PID 1352 wrote to memory of 3672	1352	WK3SV5rF.exe	85
PID 1352 wrote to memory of 3672	1352	WK3SV5rF.exe	85
PID 1352 wrote to memory of 3672	1352	WK3SV5rF.exe	85
PID 3672 wrote to memory of 2524	3672	Dm7Lo8Hk.exe	86
PID 3672 wrote to memory of 2524	3672	Dm7Lo8Hk.exe	86
PID 3672 wrote to memory of 2524	3672	Dm7Lo8Hk.exe	86
PID 2524 wrote to memory of 3024	2524	1Fi82yd4.exe	88
PID 2524 wrote to memory of 3024	2524	1Fi82yd4.exe	88
PID 2524 wrote to memory of 3024	2524	1Fi82yd4.exe	88
PID 2524 wrote to memory of 3024	2524	1Fi82yd4.exe	88
PID 2524 wrote to memory of 3024	2524	1Fi82yd4.exe	88
PID 2524 wrote to memory of 3024	2524	1Fi82yd4.exe	88
PID 2524 wrote to memory of 3024	2524	1Fi82yd4.exe	88
PID 2524 wrote to memory of 3024	2524	1Fi82yd4.exe	88
PID 2524 wrote to memory of 3024	2524	1Fi82yd4.exe	88
PID 2524 wrote to memory of 3024	2524	1Fi82yd4.exe	88
PID 3672 wrote to memory of 1840	3672	Dm7Lo8Hk.exe	95
PID 3672 wrote to memory of 1840	3672	Dm7Lo8Hk.exe	95
PID 3672 wrote to memory of 1840	3672	Dm7Lo8Hk.exe	95

C:\Users\Admin\AppData\Local\Temp\e7ee230707772fd1bd9dd07f526c692dfe119bca41b2113cadfcd511a5416cd5.exe
"C:\Users\Admin\AppData\Local\Temp\e7ee230707772fd1bd9dd07f526c692dfe119bca41b2113cadfcd511a5416cd5.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4668
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fa0kC2JD.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fa0kC2JD.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:984
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ky1ub7Su.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ky1ub7Su.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1028
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\WK3SV5rF.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\WK3SV5rF.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1352
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Dm7Lo8Hk.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Dm7Lo8Hk.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:3672
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Fi82yd4.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Fi82yd4.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2524
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2524 -s 616
        7⤵
        Program crash
        
        PID:3288
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Rl386BO.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Rl386BO.exe
        6⤵
        Executes dropped EXE
        
        PID:1840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2524 -ip 2524
1⤵
PID:4892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fa0kC2JD.exe

Filesize
1.0MB

MD5
cbfe57c7f64571e4db8a0794519145d1

SHA1
6a842d626114d856a3a6afd6484bcc5109e96111

SHA256
065c29b3d45f6c94f557b255bcd41408d81a672e23146db67c6e9a14c781412f

SHA512
bacf81fab36ac61dc04210e9dd2ab340cb7314e03d8b13fc77c6ce342fd69404478d482e787bf31b107725b253d10a6bdb83cac001de2a20cba979d915136631

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ky1ub7Su.exe

Filesize
879KB

MD5
4e83331089467d533859213969534c69

SHA1
eda502b6d74256409cb54c8f077cdbe1603f8a10

SHA256
9abeacac4b46d2b66ea5742ed727b0817fc3da761808cdc463ea9ff215c21cda

SHA512
cf013d774058a6ae137f2a9ee47480c71cf508d09f0383b64d4bce7ade6f6246689e4581c7feeddb9bf27a66ddd329e948777d1a02c849986cf4d4c94bd0e9b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\WK3SV5rF.exe

Filesize
585KB

MD5
e9690d2c4887545f8d359b008022f0f9

SHA1
162ad41331f5009286a6a00b34e9dc8b80969deb

SHA256
aa966884775c6010f2322df4cc847fbb855aee4a111dc42de26cf8af4bec747c

SHA512
b33a225bda44009fe2039416f82f5274f2da4324ec6f365d91cc98be23c3c9eaf0cb49f719c63cf147b4b93baf2e4b3b9dd33d016512af24fc1b8532e386b219

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Dm7Lo8Hk.exe

Filesize
413KB

MD5
a61ed0973f2f67b383a23deec4373a25

SHA1
feabded3966d9f6b3a40926b3d61b1e864e72321

SHA256
5e075f8a3c0ea95a8a2e33928d55b9bb815d3a2229417ac19cdf451f69792ff0

SHA512
12ad5aa4b3cfcc4a171c0eb9918c56c41e0fe2d777f427b776832f577c1be5d38867ee36856ecfbeea2654fd6c50938144e429201c777e9c2d1a6145ef1996fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Fi82yd4.exe

Filesize
378KB

MD5
fa699c7a8e4c25ebbcc131a187c29030

SHA1
e2ece7ca7fde2ea2663acf2828a13eaaf75f3634

SHA256
f9978754dfa34a7c256c934d8f269656e055460c74e5d83d405db8c72da97d6d

SHA512
f56d09031d8b65f8cff581ad86c1857abfa7e500ed453f97bbc320e8608b784cb105cc895f290415c32aea1a6ed265fb46290d06d88ec6a6622a4d8425426943

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Rl386BO.exe

Filesize
221KB

MD5
5b1d002dd95df28163e0cb165f906962

SHA1
5bbdd968523e58cf26c790740863013fd061fdb8

SHA256
8af7c473dc9a1d4e04ea987626ed08d698942568de861dab6a123a03b72d6c28

SHA512
8d8b211534506811e3a4f9c53eb9f29f8851f66e41b165c80272fc3aeaabf94998a3c44cf0d02e165b9191ab553eca6aeb420c325abca5e34f549fdf5cec6526

Download Submit
memory/1840-42-0x0000000000140000-0x000000000017E000-memory.dmp

Filesize
248KB

Download
memory/1840-43-0x0000000007530000-0x0000000007AD4000-memory.dmp

Filesize
5.6MB

Download
memory/1840-44-0x0000000007040000-0x00000000070D2000-memory.dmp

Filesize
584KB

Download
memory/1840-45-0x0000000002490000-0x000000000249A000-memory.dmp

Filesize
40KB

Download
memory/1840-46-0x0000000008100000-0x0000000008718000-memory.dmp

Filesize
6.1MB

Download
memory/1840-47-0x00000000073A0000-0x00000000074AA000-memory.dmp

Filesize
1.0MB

Download
memory/1840-48-0x0000000007140000-0x0000000007152000-memory.dmp

Filesize
72KB

Download
memory/1840-49-0x00000000072D0000-0x000000000730C000-memory.dmp

Filesize
240KB

Download
memory/1840-50-0x0000000007310000-0x000000000735C000-memory.dmp

Filesize
304KB

Download
memory/3024-36-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3024-35-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3024-38-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads