mystic | a44d7397ca2486a37cfbc6cd473037b204a5fe4678303dd2f187c814c85f25db

Analysis

max time kernel
148s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 17:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

edacb614f4d4ad4a3dd9e9d5ad37ba56d1e7d49ddad0b14ca3ce632b0a820f95.exe
Size

1.7MB
MD5

88f98b925e9d4ae94d234ad54e3504dd
SHA1

bff0cc91d6c961a3894f16f2577da501c3cea8db
SHA256

edacb614f4d4ad4a3dd9e9d5ad37ba56d1e7d49ddad0b14ca3ce632b0a820f95
SHA512

4f87a4643cdd29b02a9521a0e40f8e856cba671bdec0bf73ba990cb462eff82b59ffa7e6256c126b4862851783edf2b346e0f77c2c163f26847a59944e4f0889
SSDEEP

24576:PyOK+y3nec7jkb3FHoXlXfyvUSBD3QiCt1M9udFzT5Fbdz/n6cniPecd4gGMOG:ar+y3neoje1IBCjq3M0Pp/n6ctc4

Score

10^/10

mystic redline lutyr infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

lutyr

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 3 IoCs

Processes:

resource	yara_rule
behavioral21/memory/3948-35-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral21/memory/3948-38-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral21/memory/3948-36-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2zw289Jv.exe	family_redline
behavioral21/memory/4940-42-0x0000000000640000-0x000000000067E000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

Processes:

jD3Yb6ui.exeki5sW7WE.exeMh3Mx5lX.exeLK0Yb6fA.exe1tx61fY4.exe2zw289Jv.exe

pid process

1800 jD3Yb6ui.exe
3520 ki5sW7WE.exe
1020 Mh3Mx5lX.exe
2676 LK0Yb6fA.exe
3492 1tx61fY4.exe
4940 2zw289Jv.exe

pid	process
1800	jD3Yb6ui.exe
3520	ki5sW7WE.exe
1020	Mh3Mx5lX.exe
2676	LK0Yb6fA.exe
3492	1tx61fY4.exe
4940	2zw289Jv.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

edacb614f4d4ad4a3dd9e9d5ad37ba56d1e7d49ddad0b14ca3ce632b0a820f95.exejD3Yb6ui.exeki5sW7WE.exeMh3Mx5lX.exeLK0Yb6fA.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	edacb614f4d4ad4a3dd9e9d5ad37ba56d1e7d49ddad0b14ca3ce632b0a820f95.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	jD3Yb6ui.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	ki5sW7WE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	Mh3Mx5lX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	LK0Yb6fA.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

1tx61fY4.exe

description pid process target process

PID 3492 set thread context of 3948 3492 1tx61fY4.exe AppLaunch.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1672 3492 WerFault.exe 1tx61fY4.exe

description	pid	process	target process
PID 3492 set thread context of 3948	3492	1tx61fY4.exe	AppLaunch.exe

pid	pid_target	process	target process
1672	3492	WerFault.exe	1tx61fY4.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

edacb614f4d4ad4a3dd9e9d5ad37ba56d1e7d49ddad0b14ca3ce632b0a820f95.exejD3Yb6ui.exeki5sW7WE.exeMh3Mx5lX.exeLK0Yb6fA.exe1tx61fY4.exe

description	pid	process	target process
PID 228 wrote to memory of 1800	228	edacb614f4d4ad4a3dd9e9d5ad37ba56d1e7d49ddad0b14ca3ce632b0a820f95.exe	jD3Yb6ui.exe
PID 228 wrote to memory of 1800	228	edacb614f4d4ad4a3dd9e9d5ad37ba56d1e7d49ddad0b14ca3ce632b0a820f95.exe	jD3Yb6ui.exe
PID 228 wrote to memory of 1800	228	edacb614f4d4ad4a3dd9e9d5ad37ba56d1e7d49ddad0b14ca3ce632b0a820f95.exe	jD3Yb6ui.exe
PID 1800 wrote to memory of 3520	1800	jD3Yb6ui.exe	ki5sW7WE.exe
PID 1800 wrote to memory of 3520	1800	jD3Yb6ui.exe	ki5sW7WE.exe
PID 1800 wrote to memory of 3520	1800	jD3Yb6ui.exe	ki5sW7WE.exe
PID 3520 wrote to memory of 1020	3520	ki5sW7WE.exe	Mh3Mx5lX.exe
PID 3520 wrote to memory of 1020	3520	ki5sW7WE.exe	Mh3Mx5lX.exe
PID 3520 wrote to memory of 1020	3520	ki5sW7WE.exe	Mh3Mx5lX.exe
PID 1020 wrote to memory of 2676	1020	Mh3Mx5lX.exe	LK0Yb6fA.exe
PID 1020 wrote to memory of 2676	1020	Mh3Mx5lX.exe	LK0Yb6fA.exe
PID 1020 wrote to memory of 2676	1020	Mh3Mx5lX.exe	LK0Yb6fA.exe
PID 2676 wrote to memory of 3492	2676	LK0Yb6fA.exe	1tx61fY4.exe
PID 2676 wrote to memory of 3492	2676	LK0Yb6fA.exe	1tx61fY4.exe
PID 2676 wrote to memory of 3492	2676	LK0Yb6fA.exe	1tx61fY4.exe
PID 3492 wrote to memory of 3948	3492	1tx61fY4.exe	AppLaunch.exe
PID 3492 wrote to memory of 3948	3492	1tx61fY4.exe	AppLaunch.exe
PID 3492 wrote to memory of 3948	3492	1tx61fY4.exe	AppLaunch.exe
PID 3492 wrote to memory of 3948	3492	1tx61fY4.exe	AppLaunch.exe
PID 3492 wrote to memory of 3948	3492	1tx61fY4.exe	AppLaunch.exe
PID 3492 wrote to memory of 3948	3492	1tx61fY4.exe	AppLaunch.exe
PID 3492 wrote to memory of 3948	3492	1tx61fY4.exe	AppLaunch.exe
PID 3492 wrote to memory of 3948	3492	1tx61fY4.exe	AppLaunch.exe
PID 3492 wrote to memory of 3948	3492	1tx61fY4.exe	AppLaunch.exe
PID 3492 wrote to memory of 3948	3492	1tx61fY4.exe	AppLaunch.exe
PID 2676 wrote to memory of 4940	2676	LK0Yb6fA.exe	2zw289Jv.exe
PID 2676 wrote to memory of 4940	2676	LK0Yb6fA.exe	2zw289Jv.exe
PID 2676 wrote to memory of 4940	2676	LK0Yb6fA.exe	2zw289Jv.exe

C:\Users\Admin\AppData\Local\Temp\edacb614f4d4ad4a3dd9e9d5ad37ba56d1e7d49ddad0b14ca3ce632b0a820f95.exe
"C:\Users\Admin\AppData\Local\Temp\edacb614f4d4ad4a3dd9e9d5ad37ba56d1e7d49ddad0b14ca3ce632b0a820f95.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:228
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jD3Yb6ui.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jD3Yb6ui.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1800
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki5sW7WE.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki5sW7WE.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3520
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Mh3Mx5lX.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Mh3Mx5lX.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1020
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\LK0Yb6fA.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\LK0Yb6fA.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2676
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1tx61fY4.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1tx61fY4.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3492
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3492 -s 592
        7⤵
        Program crash
        
        PID:1672
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2zw289Jv.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2zw289Jv.exe
        6⤵
        Executes dropped EXE
        
        PID:4940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3492 -ip 3492
1⤵
PID:1068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jD3Yb6ui.exe

Filesize
1.6MB

MD5
127504ce3aba2143a2bb4c0de3e30b61

SHA1
d83afc4e9f02700f5ee40fc2811858631e67f1ea

SHA256
c81f9f93f5e97aa340db941176b744abf2bdb510408960c32d556ccf9971b99e

SHA512
ba8958563ad052f84939e7742149ed92a17678342ffa37a724cd224dda5ad9873c98037d6943144399bdca0faf3b0212db02633656b239074117d82e86c49074

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki5sW7WE.exe

Filesize
1.4MB

MD5
89c60d41528cc6dbb1f4542291078410

SHA1
5ca70210ebb3824005fea7f26c37eff465a87945

SHA256
b2fc168795d54f3a2c44cbc9d276126897905fa1d822da08c096ca99da221e4f

SHA512
007dea03503d7f58dba14f9a2e06a904c5e1acce9c444bc005ecab1d7f98a831c417504fed547c88bb1e3c7200c4a0c4ece81eb238c378b4e8211b609af77126

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Mh3Mx5lX.exe

Filesize
872KB

MD5
df28c701bd4dac767c618de9c912055e

SHA1
7d87b2125227e44e870ba4a5503eae852f24c51c

SHA256
4c235613afe6c61572986f03bef1373d262b40c192e3e687a0876577c8d9c841

SHA512
d26229198b74fd27b38708efcbe7df3feea3d34e4c8e623f9659f3fd26a55b3e258bbf1e961ea01b29d8ac5390a7b0d4f649cbdce4a8be3c1898e8172beed430

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\LK0Yb6fA.exe

Filesize
676KB

MD5
87fd5d1c76cf3ee0e2277aed16011c3a

SHA1
02c1abc220191e8043a951f85dc8311883c8cdcd

SHA256
58b01c05f78b332bf2cd9bf021bf97d3db7274ccedc26bfdfbaf05ca3dcaac81

SHA512
0e2b6e4bb38a8a6840b826754fcab1778bc7979daba1e6eecc49bfbfb358bb1a1735252fc74bde2d2f9d33dfc2ef4f1ba601e28bf19ae2df3dd1b5ac703dac09

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1tx61fY4.exe

Filesize
1.8MB

MD5
d94818de26bd9bda2fbb7e6bdf19cc6b

SHA1
8d0ce9fb9885de9f95ea87a8a481359d6f210187

SHA256
bfc19f355931f476b3f30fe4353c6a6a816393a72c17e61b3fdab4284867e7ec

SHA512
ec274a1658d4e493dac7ddd32f5a43e391d1541b10b4cef7bd3cfef60a27af797f258fadbf68ccda049631dc1a8edcfe4fb08de0a418d1764a0310858341be82

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2zw289Jv.exe

Filesize
221KB

MD5
5b40772c1d4cf49d00a8be4a4be65541

SHA1
f223d988102f1db145a37b224bbdc20932895399

SHA256
ace0bccf673b97604bace6ad93a01496c9a547e35c77f3117dc5f41e2fa02287

SHA512
82d5a0e4b2178203b1d07a69877e7341084c1ec01e829c3ca2204d34d80d3c2fbcbd1d185a3edeec6af90342c714668be12d71b7945868e4bde01e713eea6b3a

Download Submit
memory/3948-38-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3948-36-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3948-35-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4940-42-0x0000000000640000-0x000000000067E000-memory.dmp

Filesize
248KB

Download
memory/4940-43-0x0000000007890000-0x0000000007E34000-memory.dmp

Filesize
5.6MB

Download
memory/4940-44-0x00000000073C0000-0x0000000007452000-memory.dmp

Filesize
584KB

Download
memory/4940-45-0x0000000002930000-0x000000000293A000-memory.dmp

Filesize
40KB

Download
memory/4940-46-0x0000000008460000-0x0000000008A78000-memory.dmp

Filesize
6.1MB

Download
memory/4940-47-0x0000000007750000-0x000000000785A000-memory.dmp

Filesize
1.0MB

Download
memory/4940-48-0x0000000007500000-0x0000000007512000-memory.dmp

Filesize
72KB

Download
memory/4940-49-0x0000000007680000-0x00000000076BC000-memory.dmp

Filesize
240KB

Download
memory/4940-50-0x00000000076C0000-0x000000000770C000-memory.dmp

Filesize
304KB

Download