mystic | 176abc5d4c53fc1397a77e15c4028591fc335ce9464a700eddd56742d55dd10d

Analysis

max time kernel
148s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 17:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

262bcbb295c2330c7e75858027b884202657e03c12f0537ccae57764c7e90779.exe
Size

1.0MB
MD5

9d4c21e55871a79578ab62468bbce86c
SHA1

04324ce234dbeb79f9dc92d6fdafd3aa1e6a38cb
SHA256

262bcbb295c2330c7e75858027b884202657e03c12f0537ccae57764c7e90779
SHA512

b63e0f6ddbec19cde69a412b532fb31b639da5764cc7af14c9b0e08f98eaec83b58ddfe4a4fd8b9da9ca7ee248201d005356d869518953944c58f4a9ff833d0d
SSDEEP

24576:lyg54E9eWBaCmQjQf5t+dbpoDi7bDrptJT4:AcwnC5QGx7HrT

Score

10^/10

mystic redline lutyr infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

lutyr

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 3 IoCs

resource	yara_rule
behavioral6/memory/4524-28-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral6/memory/4524-29-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral6/memory/4524-31-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral6/files/0x0007000000023432-33.dat	family_redline
behavioral6/memory/1420-35-0x00000000000D0000-0x000000000010E000-memory.dmp	family_redline

Executes dropped EXE 5 IoCs

pid	Process
4248	qX2KR2eo.exe
724	AC8eB3ti.exe
2308	Yi4Fj8Tb.exe
660	1Ry28uz5.exe
1420	2lq454mH.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	262bcbb295c2330c7e75858027b884202657e03c12f0537ccae57764c7e90779.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	qX2KR2eo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	AC8eB3ti.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	Yi4Fj8Tb.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 660 set thread context of 4524	660	1Ry28uz5.exe	89

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1772	660	WerFault.exe	85

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 852 wrote to memory of 4248	852	262bcbb295c2330c7e75858027b884202657e03c12f0537ccae57764c7e90779.exe	82
PID 852 wrote to memory of 4248	852	262bcbb295c2330c7e75858027b884202657e03c12f0537ccae57764c7e90779.exe	82
PID 852 wrote to memory of 4248	852	262bcbb295c2330c7e75858027b884202657e03c12f0537ccae57764c7e90779.exe	82
PID 4248 wrote to memory of 724	4248	qX2KR2eo.exe	83
PID 4248 wrote to memory of 724	4248	qX2KR2eo.exe	83
PID 4248 wrote to memory of 724	4248	qX2KR2eo.exe	83
PID 724 wrote to memory of 2308	724	AC8eB3ti.exe	84
PID 724 wrote to memory of 2308	724	AC8eB3ti.exe	84
PID 724 wrote to memory of 2308	724	AC8eB3ti.exe	84
PID 2308 wrote to memory of 660	2308	Yi4Fj8Tb.exe	85
PID 2308 wrote to memory of 660	2308	Yi4Fj8Tb.exe	85
PID 2308 wrote to memory of 660	2308	Yi4Fj8Tb.exe	85
PID 660 wrote to memory of 4524	660	1Ry28uz5.exe	89
PID 660 wrote to memory of 4524	660	1Ry28uz5.exe	89
PID 660 wrote to memory of 4524	660	1Ry28uz5.exe	89
PID 660 wrote to memory of 4524	660	1Ry28uz5.exe	89
PID 660 wrote to memory of 4524	660	1Ry28uz5.exe	89
PID 660 wrote to memory of 4524	660	1Ry28uz5.exe	89
PID 660 wrote to memory of 4524	660	1Ry28uz5.exe	89
PID 660 wrote to memory of 4524	660	1Ry28uz5.exe	89
PID 660 wrote to memory of 4524	660	1Ry28uz5.exe	89
PID 660 wrote to memory of 4524	660	1Ry28uz5.exe	89
PID 2308 wrote to memory of 1420	2308	Yi4Fj8Tb.exe	94
PID 2308 wrote to memory of 1420	2308	Yi4Fj8Tb.exe	94
PID 2308 wrote to memory of 1420	2308	Yi4Fj8Tb.exe	94

C:\Users\Admin\AppData\Local\Temp\262bcbb295c2330c7e75858027b884202657e03c12f0537ccae57764c7e90779.exe
"C:\Users\Admin\AppData\Local\Temp\262bcbb295c2330c7e75858027b884202657e03c12f0537ccae57764c7e90779.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:852
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qX2KR2eo.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qX2KR2eo.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4248
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\AC8eB3ti.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\AC8eB3ti.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:724
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Yi4Fj8Tb.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Yi4Fj8Tb.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2308
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Ry28uz5.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Ry28uz5.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:660
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:4524
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 660 -s 612
        6⤵
        Program crash
        
        PID:1772
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2lq454mH.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2lq454mH.exe
        5⤵
        Executes dropped EXE
        
        PID:1420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 660 -ip 660
1⤵
PID:4932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qX2KR2eo.exe

Filesize
878KB

MD5
73455976fe29dda0ec08147df273a6d8

SHA1
de69b87171c7ddffd42477cfd0ff27134286d539

SHA256
9e96aa6f94c8e26f1a49b54814a358955ea564bbfeed63db5e28539d14e67f6c

SHA512
c089cf59f0990af75a89e05651335f77b77710cd8728349ef04300b5c0e986046ce19664509e516d33d8c33fd31a1a01646a8f08d6d4e45ca7edf0a1a922e637

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\AC8eB3ti.exe

Filesize
584KB

MD5
8044cdb804a4f851d01ce604d62e53f0

SHA1
6dd2f01b651cd0086e8283ff008b5d1bafdb667b

SHA256
7709634b6cfa55c26ec7abfc547e94d6262d328a34780ac54136900d91fc7a25

SHA512
9f55e1d12810c3a22961ecdeda1cd51ac9a4df8f0cd424dcccf68749b676ccdbaab05c0c067980fd549b8d6dc358b1c84784ac4f77f1958a2e8aa5098c3c2634

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Yi4Fj8Tb.exe

Filesize
412KB

MD5
f171476f815f6d30b080ee8515e559c7

SHA1
9f8738987b291328c7c01333695de1e66cf22ff5

SHA256
c673bc0d31248d0909bf0256db28e8691c536fc519f94de2967f059e754b89e0

SHA512
795cb4f5cb3220b548cf347785784eb7254292d0dc6c24aaf7bc9e4b9e11aa8e1cf6d55f609a55ef71c51f273474cf2f07d932e60df1d7fe50a34c389fcca4cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Ry28uz5.exe

Filesize
378KB

MD5
3487e35dfb3f0b20109093e6e63119f8

SHA1
2b952cc4cf21a428298405431c3acd7897d0df78

SHA256
65f17c7f30c7a6d53ebd95d379a0e28f86aeafb012a671c55658b8b29a93069b

SHA512
39f2fc2cee5a0a65e028d537d58e628cd8edc7b0a6f155a077ccaaf07f01eed9dc7be8cdfd691167b1e7930d429893d3b417778e553ba87de9921f364fa1e14b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2lq454mH.exe

Filesize
221KB

MD5
f39a595e1cc7fe2133045e4eb0a14a62

SHA1
983d31c0de46d6f3b00df8a38141a6157f3ec4da

SHA256
9bbe071b113aaef9b68df1a2340367b091c052ea396b2eed06af5fa98d4a2055

SHA512
5a9cab7733a8e7f84378ceda3bbe1f635afb6bbb48f1e760a74b5fed1afd39ef9aa1f37df696dd3a90adc85094bcf1808faa59f375705fda7462195b3cab36f0

Download Submit
memory/1420-39-0x00000000080E0000-0x00000000086F8000-memory.dmp

Filesize
6.1MB

Download
memory/1420-35-0x00000000000D0000-0x000000000010E000-memory.dmp

Filesize
248KB

Download
memory/1420-36-0x0000000007510000-0x0000000007AB4000-memory.dmp

Filesize
5.6MB

Download
memory/1420-37-0x0000000007000000-0x0000000007092000-memory.dmp

Filesize
584KB

Download
memory/1420-38-0x0000000004560000-0x000000000456A000-memory.dmp

Filesize
40KB

Download
memory/1420-40-0x0000000007380000-0x000000000748A000-memory.dmp

Filesize
1.0MB

Download
memory/1420-41-0x00000000070D0000-0x00000000070E2000-memory.dmp

Filesize
72KB

Download
memory/1420-42-0x0000000007130000-0x000000000716C000-memory.dmp

Filesize
240KB

Download
memory/1420-43-0x0000000007270000-0x00000000072BC000-memory.dmp

Filesize
304KB

Download
memory/4524-31-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4524-29-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4524-28-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads