mystic | c35b2a353f3f737fd5d522bda8150c7fe11a4c4773ad1702d174b480462784c6

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 17:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

78bd5cf504a3577dc9d7f80114d8adafdd8f12cb7f983f8814a107da3aca917c.exe
Size

937KB
MD5

a28659924b46bf84095e62a338b26aba
SHA1

e439aad00b7f690784c2171f0585b5b3ddb05739
SHA256

78bd5cf504a3577dc9d7f80114d8adafdd8f12cb7f983f8814a107da3aca917c
SHA512

ddec630ff1d87ed5ef7cbde855d6df4061508875cad5c1d45195e4e63627aee184c5d8ba78415d25c399dbed074107a726e4b0020cc202e4a90333ce631b33d4
SSDEEP

12288:jMryy90aFM01vEA4+L0KRbMPhcnJyFQJ9QMZMCGhAKbjISHSJXm/cHYj3u4U21ZG:hydpN1isbPQUxObfH6XV63u4px0

Score

10^/10

mystic redline lutyr infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

lutyr

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 3 IoCs

resource	yara_rule
behavioral11/memory/3756-21-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral11/memory/3756-24-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral11/memory/3756-22-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral11/files/0x00070000000235fa-26.dat	family_redline
behavioral11/memory/2812-28-0x0000000000E00000-0x0000000000E3E000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

pid	Process
3680	OT0MY8yP.exe
1220	GB2UR6wo.exe
3952	1qD10yB6.exe
2812	2nU758Aj.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	78bd5cf504a3577dc9d7f80114d8adafdd8f12cb7f983f8814a107da3aca917c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	OT0MY8yP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	GB2UR6wo.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3952 set thread context of 3756	3952	1qD10yB6.exe	94

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3520	3952	WerFault.exe	92

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1880 wrote to memory of 3680	1880	78bd5cf504a3577dc9d7f80114d8adafdd8f12cb7f983f8814a107da3aca917c.exe	90
PID 1880 wrote to memory of 3680	1880	78bd5cf504a3577dc9d7f80114d8adafdd8f12cb7f983f8814a107da3aca917c.exe	90
PID 1880 wrote to memory of 3680	1880	78bd5cf504a3577dc9d7f80114d8adafdd8f12cb7f983f8814a107da3aca917c.exe	90
PID 3680 wrote to memory of 1220	3680	OT0MY8yP.exe	91
PID 3680 wrote to memory of 1220	3680	OT0MY8yP.exe	91
PID 3680 wrote to memory of 1220	3680	OT0MY8yP.exe	91
PID 1220 wrote to memory of 3952	1220	GB2UR6wo.exe	92
PID 1220 wrote to memory of 3952	1220	GB2UR6wo.exe	92
PID 1220 wrote to memory of 3952	1220	GB2UR6wo.exe	92
PID 3952 wrote to memory of 3756	3952	1qD10yB6.exe	94
PID 3952 wrote to memory of 3756	3952	1qD10yB6.exe	94
PID 3952 wrote to memory of 3756	3952	1qD10yB6.exe	94
PID 3952 wrote to memory of 3756	3952	1qD10yB6.exe	94
PID 3952 wrote to memory of 3756	3952	1qD10yB6.exe	94
PID 3952 wrote to memory of 3756	3952	1qD10yB6.exe	94
PID 3952 wrote to memory of 3756	3952	1qD10yB6.exe	94
PID 3952 wrote to memory of 3756	3952	1qD10yB6.exe	94
PID 3952 wrote to memory of 3756	3952	1qD10yB6.exe	94
PID 3952 wrote to memory of 3756	3952	1qD10yB6.exe	94
PID 1220 wrote to memory of 2812	1220	GB2UR6wo.exe	100
PID 1220 wrote to memory of 2812	1220	GB2UR6wo.exe	100
PID 1220 wrote to memory of 2812	1220	GB2UR6wo.exe	100

C:\Users\Admin\AppData\Local\Temp\78bd5cf504a3577dc9d7f80114d8adafdd8f12cb7f983f8814a107da3aca917c.exe
"C:\Users\Admin\AppData\Local\Temp\78bd5cf504a3577dc9d7f80114d8adafdd8f12cb7f983f8814a107da3aca917c.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1880
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OT0MY8yP.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OT0MY8yP.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3680
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\GB2UR6wo.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\GB2UR6wo.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1220
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1qD10yB6.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1qD10yB6.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:3952
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        
        PID:3756
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3952 -s 584
        5⤵
        Program crash
        
        PID:3520
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2nU758Aj.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2nU758Aj.exe
      4⤵
      Executes dropped EXE
      PID:2812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3952 -ip 3952
1⤵
PID:2088

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3768,i,14486271492189381216,15799931579469722648,262144 --variations-seed-version --mojo-platform-channel-handle=4272 /prefetch:8
1⤵
PID:4368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OT0MY8yP.exe

Filesize
641KB

MD5
fc2f2894f3c2e3228df26f856663f999

SHA1
1047ad39c131b5a6ec9ad3600e2ee819667abaf0

SHA256
eb4104d5e27915d3462a10ae25f6a6a26fef559171cbfbbf2842416412861377

SHA512
0eed9caf4778196ae32a7e03ee8c55e3a1a601791606e1b0611b4a40fbbd8d86bf9cbce9d1292e016853ee890cd54953291961f7474bdb18cd8e1aa122d7467d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\GB2UR6wo.exe

Filesize
444KB

MD5
a79022d748e0cf20d178ae4ed16fb7b3

SHA1
fe782e90de0365d08e7564092ec90992a585e354

SHA256
9407e6ba10919ae36861491a4479992c17e42560e58c7e44f78a299be6cf2ab0

SHA512
7e07f2b4c7f5a9255742c53dee4cb66f92b11bc00a4e974ffb3ebf0f93733787b5a47feb04f49a1bd60c3ac61b3ea1c9310c2c017895cbe9e9bc8266eaa55cbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1qD10yB6.exe

Filesize
423KB

MD5
a5e2683e76c128b0db141d5c45f04c8c

SHA1
3da50302fe356b2d54a31b490dfe4a96f995b91f

SHA256
b81bcd0c842296e60f40e79736407b1e9ea95c4decdcf784f162d2fc96744b22

SHA512
bbeee57eebadcfb63f8103cc7358c9e0d6c8373c21126764b3b49176141b3b9caca140f8f74befb310ef9685c29d9279c7da71e274832be9df9e4b7bdbad5596

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2nU758Aj.exe

Filesize
221KB

MD5
e164d0d631adc0d57cfc376660b59182

SHA1
389e3fd56e1510827ea117ffef9bfd160fbb0ae8

SHA256
8dc78ae91d4b3ebe7c324870ac8ef189827d49881e10ec479fc1808183af7d30

SHA512
92f9f45132517a2f3e07dd47cea2561775b0ebd0e54382e0e4e160d414121848f7711c33a9e267c91335a74fa5c0e016c66c0ff918375b31a3625c0757f1013a

Download Submit
memory/2812-33-0x00000000080C0000-0x00000000081CA000-memory.dmp

Filesize
1.0MB

Download
memory/2812-28-0x0000000000E00000-0x0000000000E3E000-memory.dmp

Filesize
248KB

Download
memory/2812-29-0x0000000008260000-0x0000000008804000-memory.dmp

Filesize
5.6MB

Download
memory/2812-30-0x0000000007D50000-0x0000000007DE2000-memory.dmp

Filesize
584KB

Download
memory/2812-31-0x00000000052B0000-0x00000000052BA000-memory.dmp

Filesize
40KB

Download
memory/2812-32-0x0000000008E30000-0x0000000009448000-memory.dmp

Filesize
6.1MB

Download
memory/2812-34-0x0000000007F00000-0x0000000007F12000-memory.dmp

Filesize
72KB

Download
memory/2812-35-0x0000000007F60000-0x0000000007F9C000-memory.dmp

Filesize
240KB

Download
memory/2812-36-0x0000000007FB0000-0x0000000007FFC000-memory.dmp

Filesize
304KB

Download
memory/3756-22-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3756-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3756-21-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads