mystic | 1aa612c673e0e8506776c3b8740894f0947bb33bd7b5f22dc14212289801a024

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 17:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a7a12f0dc9dc407d29a66722468c4b9454da42b9263e9602b9919c5ae6104684.exe
Size

627KB
MD5

36e91b40e20a163ac286b11ebfce0012
SHA1

4e9e67d22c5aa447c866960759aafd13587d4888
SHA256

a7a12f0dc9dc407d29a66722468c4b9454da42b9263e9602b9919c5ae6104684
SHA512

0b47ebc5b49c00554f1b1cb395176b7f49ee902ed019dcd6256b07db760931d668d729ac1a4d43086b745205dd2e45167ead2aadb584845858769f51aad2c630
SSDEEP

12288:qMriy90sni1MRJb5Vxc4sSz0w1eOuUN7X4W6ugUXwkP+/Nw4j9hxW8GwBheOdx3x:0yMkJHrsSIwEOuUNiugUXwkaNwM9hk8v

Score

10^/10

mystic redline lutyr infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

lutyr

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral13/memory/4204-14-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral13/memory/4204-15-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral13/memory/4204-18-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral13/memory/4204-16-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral13/files/0x0007000000023456-20.dat	family_redline
behavioral13/memory/4644-22-0x0000000000070000-0x00000000000AE000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

pid	Process
964	qi0gR3qi.exe
3588	1mh07xv0.exe
4644	2oz301bL.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	qi0gR3qi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a7a12f0dc9dc407d29a66722468c4b9454da42b9263e9602b9919c5ae6104684.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3588 set thread context of 4204	3588	1mh07xv0.exe	86

Program crash 2 IoCs

pid	pid_target	Process	procid_target
5024	4204	WerFault.exe	86
4584	3588	WerFault.exe	83

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 4144 wrote to memory of 964	4144	a7a12f0dc9dc407d29a66722468c4b9454da42b9263e9602b9919c5ae6104684.exe	82
PID 4144 wrote to memory of 964	4144	a7a12f0dc9dc407d29a66722468c4b9454da42b9263e9602b9919c5ae6104684.exe	82
PID 4144 wrote to memory of 964	4144	a7a12f0dc9dc407d29a66722468c4b9454da42b9263e9602b9919c5ae6104684.exe	82
PID 964 wrote to memory of 3588	964	qi0gR3qi.exe	83
PID 964 wrote to memory of 3588	964	qi0gR3qi.exe	83
PID 964 wrote to memory of 3588	964	qi0gR3qi.exe	83
PID 3588 wrote to memory of 1632	3588	1mh07xv0.exe	85
PID 3588 wrote to memory of 1632	3588	1mh07xv0.exe	85
PID 3588 wrote to memory of 1632	3588	1mh07xv0.exe	85
PID 3588 wrote to memory of 4204	3588	1mh07xv0.exe	86
PID 3588 wrote to memory of 4204	3588	1mh07xv0.exe	86
PID 3588 wrote to memory of 4204	3588	1mh07xv0.exe	86
PID 3588 wrote to memory of 4204	3588	1mh07xv0.exe	86
PID 3588 wrote to memory of 4204	3588	1mh07xv0.exe	86
PID 3588 wrote to memory of 4204	3588	1mh07xv0.exe	86
PID 3588 wrote to memory of 4204	3588	1mh07xv0.exe	86
PID 3588 wrote to memory of 4204	3588	1mh07xv0.exe	86
PID 3588 wrote to memory of 4204	3588	1mh07xv0.exe	86
PID 3588 wrote to memory of 4204	3588	1mh07xv0.exe	86
PID 964 wrote to memory of 4644	964	qi0gR3qi.exe	94
PID 964 wrote to memory of 4644	964	qi0gR3qi.exe	94
PID 964 wrote to memory of 4644	964	qi0gR3qi.exe	94

C:\Users\Admin\AppData\Local\Temp\a7a12f0dc9dc407d29a66722468c4b9454da42b9263e9602b9919c5ae6104684.exe
"C:\Users\Admin\AppData\Local\Temp\a7a12f0dc9dc407d29a66722468c4b9454da42b9263e9602b9919c5ae6104684.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4144
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qi0gR3qi.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qi0gR3qi.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:964
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1mh07xv0.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1mh07xv0.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:3588
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:1632
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:4204
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4204 -s 540
        5⤵
        Program crash
        
        PID:5024
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 556
      4⤵
      Program crash
      PID:4584
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2oz301bL.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2oz301bL.exe
    3⤵
    - Executes dropped EXE
    PID:4644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4204 -ip 4204
1⤵
PID:1176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3588 -ip 3588
1⤵
PID:3060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qi0gR3qi.exe

Filesize
431KB

MD5
37033e3e5cf801b9f483c0cf3a06293d

SHA1
7647858cab3d9bbe1522881f5e3fe1d2a9121bae

SHA256
e5243a192e88193845d6d5a009beb796c0503c68c88f15f7752ca96c2eb6fa6f

SHA512
c4576ccf3e557190345676f33349190b5f5ed4794a5339b830e4a9526c40a0eb5c2151e6405242c6c22970e7c972d24a9dd834757dd2430cf68430a63124f08c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1mh07xv0.exe

Filesize
392KB

MD5
9bf8c83f087aff1c848aaa84127c7976

SHA1
54f0dd511e44e84de2d0e797dca97b1da4b39ab2

SHA256
a3dad7203e79f299bb01385505ffd604456577ff0a5a2d4369396be26afbbfe1

SHA512
0beb2e9cee7f720f4460983dc3d85ce9e6c866b8f8358e750854cdfdad65ef81d28c7d8cd364f8794753aeef96cfee1fc6081b211f09d88b1bcfe05445a618f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2oz301bL.exe

Filesize
221KB

MD5
b57ffd5caa3749e4f8a78491c5cd58b8

SHA1
e5ec6e91f2aaba8451b9e332d5b1ef901427398a

SHA256
f507be978ea4fe55e74152b1da2f68286f2eb228d72941eec9df16ea2b78b509

SHA512
9d234833fe220eba7d4e649f80e865231629018782b5609f5b6b2902a940965eb6e9a5c426f7b391cf486cd72939e27832482919cd586f6dce37e86c6ef3fa34

Download Submit
memory/4204-14-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4204-15-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4204-18-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4204-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4644-23-0x00000000072D0000-0x0000000007874000-memory.dmp

Filesize
5.6MB

Download
memory/4644-22-0x0000000000070000-0x00000000000AE000-memory.dmp

Filesize
248KB

Download
memory/4644-24-0x0000000006E00000-0x0000000006E92000-memory.dmp

Filesize
584KB

Download
memory/4644-25-0x00000000043D0000-0x00000000043DA000-memory.dmp

Filesize
40KB

Download
memory/4644-26-0x0000000007EA0000-0x00000000084B8000-memory.dmp

Filesize
6.1MB

Download
memory/4644-27-0x0000000007130000-0x000000000723A000-memory.dmp

Filesize
1.0MB

Download
memory/4644-28-0x0000000007040000-0x0000000007052000-memory.dmp

Filesize
72KB

Download
memory/4644-29-0x00000000070A0000-0x00000000070DC000-memory.dmp

Filesize
240KB

Download
memory/4644-30-0x00000000070E0000-0x000000000712C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads