mystic | 8ee265740e734e664a806025412118c1398e5fd5de8de7844c913c144f497faa

Analysis

max time kernel
148s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 17:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

637e68df5f54ed9e5e7de1cee4157ff3be2efe7d01c49ab8ce67a2dcefb470fc.exe
Size

937KB
MD5

341be5311fd3e445027b944c6cd4adb0
SHA1

2ab8fbbcb9c37d9a6419b35933bbe2fe66562bae
SHA256

637e68df5f54ed9e5e7de1cee4157ff3be2efe7d01c49ab8ce67a2dcefb470fc
SHA512

ede31ca7a634e39a45fcb8eab771fef2e8fe9628f92e4cd223fad8eab92e04e0db876e23368ed903acdd0d6020eb901990ccbe3a61b54b8a678f98e2ab48c07a
SSDEEP

12288:ZMrGy90ZFPeq0D7LLDORdNwOQ/fftX8C6mpcNKNN6chuXfuG4oQTlm6BVOpK53o:7y4eq0fn6zNwO6R6SN6co2GwlmZpQ3o

Score

10^/10

mystic redline lutyr infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

lutyr

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 3 IoCs

resource	yara_rule
behavioral4/memory/4824-21-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral4/memory/4824-24-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral4/memory/4824-22-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral4/files/0x0007000000023421-27.dat	family_redline
behavioral4/memory/4200-28-0x00000000001B0000-0x00000000001EE000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

pid	Process
4124	re7hu4SY.exe
3784	qQ2Gh6HC.exe
3896	1il77NP4.exe
4200	2Ib806Ti.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	qQ2Gh6HC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	637e68df5f54ed9e5e7de1cee4157ff3be2efe7d01c49ab8ce67a2dcefb470fc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	re7hu4SY.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3896 set thread context of 4824	3896	1il77NP4.exe	86

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1708	3896	WerFault.exe	85

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 4204 wrote to memory of 4124	4204	637e68df5f54ed9e5e7de1cee4157ff3be2efe7d01c49ab8ce67a2dcefb470fc.exe	83
PID 4204 wrote to memory of 4124	4204	637e68df5f54ed9e5e7de1cee4157ff3be2efe7d01c49ab8ce67a2dcefb470fc.exe	83
PID 4204 wrote to memory of 4124	4204	637e68df5f54ed9e5e7de1cee4157ff3be2efe7d01c49ab8ce67a2dcefb470fc.exe	83
PID 4124 wrote to memory of 3784	4124	re7hu4SY.exe	84
PID 4124 wrote to memory of 3784	4124	re7hu4SY.exe	84
PID 4124 wrote to memory of 3784	4124	re7hu4SY.exe	84
PID 3784 wrote to memory of 3896	3784	qQ2Gh6HC.exe	85
PID 3784 wrote to memory of 3896	3784	qQ2Gh6HC.exe	85
PID 3784 wrote to memory of 3896	3784	qQ2Gh6HC.exe	85
PID 3896 wrote to memory of 4824	3896	1il77NP4.exe	86
PID 3896 wrote to memory of 4824	3896	1il77NP4.exe	86
PID 3896 wrote to memory of 4824	3896	1il77NP4.exe	86
PID 3896 wrote to memory of 4824	3896	1il77NP4.exe	86
PID 3896 wrote to memory of 4824	3896	1il77NP4.exe	86
PID 3896 wrote to memory of 4824	3896	1il77NP4.exe	86
PID 3896 wrote to memory of 4824	3896	1il77NP4.exe	86
PID 3896 wrote to memory of 4824	3896	1il77NP4.exe	86
PID 3896 wrote to memory of 4824	3896	1il77NP4.exe	86
PID 3896 wrote to memory of 4824	3896	1il77NP4.exe	86
PID 3784 wrote to memory of 4200	3784	qQ2Gh6HC.exe	90
PID 3784 wrote to memory of 4200	3784	qQ2Gh6HC.exe	90
PID 3784 wrote to memory of 4200	3784	qQ2Gh6HC.exe	90

C:\Users\Admin\AppData\Local\Temp\637e68df5f54ed9e5e7de1cee4157ff3be2efe7d01c49ab8ce67a2dcefb470fc.exe
"C:\Users\Admin\AppData\Local\Temp\637e68df5f54ed9e5e7de1cee4157ff3be2efe7d01c49ab8ce67a2dcefb470fc.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4204
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\re7hu4SY.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\re7hu4SY.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4124
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qQ2Gh6HC.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qQ2Gh6HC.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3784
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1il77NP4.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1il77NP4.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:3896
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        
        PID:4824
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3896 -s 608
        5⤵
        Program crash
        
        PID:1708
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2Ib806Ti.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2Ib806Ti.exe
      4⤵
      Executes dropped EXE
      PID:4200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3896 -ip 3896
1⤵
PID:1140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\re7hu4SY.exe

Filesize
641KB

MD5
5a1c2448da849201ed2e5bbc440ff5fb

SHA1
912a0792dde5f445954c3ad1a1ddd8afb0bd5e8d

SHA256
32d97953350082e578e1fa1515479e203f331ee9772a058c08ee7fbf4fbc8557

SHA512
957fd89634ef7e9101a74526448d7a83fd0ed5cbd0ce845c5976794c419b2215c964a8dded4dbf03733855de2ce4859cafaeb38efb365334bee5f62329c08f07

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qQ2Gh6HC.exe

Filesize
444KB

MD5
43ee0b83a2884fae195be5f6672a69f5

SHA1
a22bb349a95b490248a046c6dfdeddc82c34aa90

SHA256
089a4a542813a20d334bfa7ed3d83af449824049e6bde1c6a7c56ec6672214f7

SHA512
14fa044661e8384d823bfd97e8bbc41ceb71c0ed3394eb92114b1fb92e67760fd1eac44a35fb5e023cd4059a6c4a3e907cd1bf5adbf34497fb272877555e5550

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1il77NP4.exe

Filesize
423KB

MD5
5ac361448d4bc054e4f7acf341df5130

SHA1
30f01d3a1e65776dfb816aad96ca0e6aae8a8886

SHA256
6df68953d52dfb422c55baca720e570ac4ad2649b8e55d918051e25e3319b76b

SHA512
8ce133c20fbf1682f529af2bdc943e9459d40874a4dbb0f1befb88e4cef15ca4138f69acd83e89103de67150d1fbfcc7d41ce9c5f749f5572bb64080182d6c44

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2Ib806Ti.exe

Filesize
221KB

MD5
80e45222ef4d085f542fe044e32844fd

SHA1
2d7bedc4190ec0deeecbcf270f7407865d8074e8

SHA256
0f433a5d9cf9e76a474109ff4086ace9792327eb924583fe6b39047031b34c7f

SHA512
d36c4c28cc1c7cf99abde3c37f7f2e050eaa1a18dae3cc74bd692c0f6dabe614aa26b917ba5f03443991cb6e784fbb2492c173917adcb1cb668822bee553c94b

Download Submit
memory/4200-33-0x0000000007420000-0x000000000752A000-memory.dmp

Filesize
1.0MB

Download
memory/4200-28-0x00000000001B0000-0x00000000001EE000-memory.dmp

Filesize
248KB

Download
memory/4200-29-0x0000000007640000-0x0000000007BE4000-memory.dmp

Filesize
5.6MB

Download
memory/4200-30-0x0000000007090000-0x0000000007122000-memory.dmp

Filesize
584KB

Download
memory/4200-31-0x00000000025C0000-0x00000000025CA000-memory.dmp

Filesize
40KB

Download
memory/4200-32-0x0000000008210000-0x0000000008828000-memory.dmp

Filesize
6.1MB

Download
memory/4200-34-0x00000000071B0000-0x00000000071C2000-memory.dmp

Filesize
72KB

Download
memory/4200-35-0x0000000007310000-0x000000000734C000-memory.dmp

Filesize
240KB

Download
memory/4200-36-0x0000000007350000-0x000000000739C000-memory.dmp

Filesize
304KB

Download
memory/4824-22-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4824-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4824-21-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads