mystic | c35b2a353f3f737fd5d522bda8150c7fe11a4c4773ad1702d174b480462784c6

Analysis

max time kernel
143s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 17:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7d9b9686dbe7185e907f691f010b2ffdd754b22bfd13757340c6d287bc7e459b.exe
Size

632KB
MD5

7c76b8ad44a15e0ef8a64d318ef72e67
SHA1

af73ae5bd202d0433efb35312d024cda7516e3a2
SHA256

7d9b9686dbe7185e907f691f010b2ffdd754b22bfd13757340c6d287bc7e459b
SHA512

66704ea4e9297d136ae38e726956757d4be424d693afa657cefcda3c611dfa2073d39092317fb61c63e31112679ae5cee25ebeb7a3d2c8c54aced1c04b5dfb0c
SSDEEP

12288:0Mr3y90j0USqlTi317bopPQy7m0v34EYrqVDjuo3wHIvWUOm7JIqH:7yeFlG31A3m0D3Vxw075H

Score

10^/10

mystic redline lutyr infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

lutyr

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral14/memory/4064-14-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral14/memory/4064-16-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral14/memory/4064-18-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral14/memory/4064-15-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral14/files/0x00070000000233d7-19.dat	family_redline
behavioral14/memory/2452-22-0x00000000007B0000-0x00000000007EE000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

pid	Process
1496	An3ET1DH.exe
4604	1gA99lz3.exe
2452	2Pn997Fl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	7d9b9686dbe7185e907f691f010b2ffdd754b22bfd13757340c6d287bc7e459b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	An3ET1DH.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4604 set thread context of 4064	4604	1gA99lz3.exe	84

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3440	4064	WerFault.exe	84
5088	4604	WerFault.exe	83

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 3608 wrote to memory of 1496	3608	7d9b9686dbe7185e907f691f010b2ffdd754b22bfd13757340c6d287bc7e459b.exe	82
PID 3608 wrote to memory of 1496	3608	7d9b9686dbe7185e907f691f010b2ffdd754b22bfd13757340c6d287bc7e459b.exe	82
PID 3608 wrote to memory of 1496	3608	7d9b9686dbe7185e907f691f010b2ffdd754b22bfd13757340c6d287bc7e459b.exe	82
PID 1496 wrote to memory of 4604	1496	An3ET1DH.exe	83
PID 1496 wrote to memory of 4604	1496	An3ET1DH.exe	83
PID 1496 wrote to memory of 4604	1496	An3ET1DH.exe	83
PID 4604 wrote to memory of 4064	4604	1gA99lz3.exe	84
PID 4604 wrote to memory of 4064	4604	1gA99lz3.exe	84
PID 4604 wrote to memory of 4064	4604	1gA99lz3.exe	84
PID 4604 wrote to memory of 4064	4604	1gA99lz3.exe	84
PID 4604 wrote to memory of 4064	4604	1gA99lz3.exe	84
PID 4604 wrote to memory of 4064	4604	1gA99lz3.exe	84
PID 4604 wrote to memory of 4064	4604	1gA99lz3.exe	84
PID 4604 wrote to memory of 4064	4604	1gA99lz3.exe	84
PID 4604 wrote to memory of 4064	4604	1gA99lz3.exe	84
PID 4604 wrote to memory of 4064	4604	1gA99lz3.exe	84
PID 1496 wrote to memory of 2452	1496	An3ET1DH.exe	90
PID 1496 wrote to memory of 2452	1496	An3ET1DH.exe	90
PID 1496 wrote to memory of 2452	1496	An3ET1DH.exe	90

C:\Users\Admin\AppData\Local\Temp\7d9b9686dbe7185e907f691f010b2ffdd754b22bfd13757340c6d287bc7e459b.exe
"C:\Users\Admin\AppData\Local\Temp\7d9b9686dbe7185e907f691f010b2ffdd754b22bfd13757340c6d287bc7e459b.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3608
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\An3ET1DH.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\An3ET1DH.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1496
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1gA99lz3.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1gA99lz3.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4604
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:4064
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4064 -s 540
        5⤵
        Program crash
        
        PID:3440
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 560
      4⤵
      Program crash
      PID:5088
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Pn997Fl.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Pn997Fl.exe
    3⤵
    - Executes dropped EXE
    PID:2452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4604 -ip 4604
1⤵
PID:868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4064 -ip 4064
1⤵
PID:1600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\An3ET1DH.exe

Filesize
436KB

MD5
b1bdf55b027708e6a757c098106f0ee3

SHA1
348ba62746930f731847edd49309f6638a04497a

SHA256
55c191f71ec54b9bed4b5e72c31c9abf3f5f1fd230120466fe6ab1b920c7264c

SHA512
1cd0d0b542989751f23aeebb60becdb300a6757b31aad4f3568893c5de95a8687e88aa8f5dda475f8f6ffe10c9b2dd1982c820fd93aa2f8786fdeafa063ef33a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1gA99lz3.exe

Filesize
405KB

MD5
6a6769c53b97b71bf395295ff9a60ae9

SHA1
5043a9e663a94d5dec8bcfd7c21b089de497c399

SHA256
3ea0e70f0f81c3f1d50d9f47b077592929fa19b54363e33d1cf93ddf99fbae77

SHA512
975d318315e96b6af27ba4f7a1a5e42f23b3bde9ff7bc3446e25d252d6b374d6d2e8e28edd7cde94a1a21fe73aa6d3899eb74f49d7769c6003b6397af15062c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Pn997Fl.exe

Filesize
221KB

MD5
fe0e132bd1caa0e1eb4a125b304a2a91

SHA1
116bbdd19c08d56ebc7d2a6106b166b983a04035

SHA256
ee1580c56a111f6c8b3d214d8a3d8c0abda95c134dc80ab2014454d794b92026

SHA512
aef28df6da2633093ba767c5240cc4345854f65fc7ba2fa0aeef24cd686fc46a6a87c8ef6a5a6e7f20f1bf4e06c49970d7b04b2d26943878aa536cfcce3613ff

Download Submit
memory/2452-27-0x0000000007AC0000-0x0000000007BCA000-memory.dmp

Filesize
1.0MB

Download
memory/2452-22-0x00000000007B0000-0x00000000007EE000-memory.dmp

Filesize
248KB

Download
memory/2452-23-0x0000000007C80000-0x0000000008224000-memory.dmp

Filesize
5.6MB

Download
memory/2452-24-0x00000000076D0000-0x0000000007762000-memory.dmp

Filesize
584KB

Download
memory/2452-25-0x0000000004CE0000-0x0000000004CEA000-memory.dmp

Filesize
40KB

Download
memory/2452-26-0x0000000008850000-0x0000000008E68000-memory.dmp

Filesize
6.1MB

Download
memory/2452-28-0x0000000007890000-0x00000000078A2000-memory.dmp

Filesize
72KB

Download
memory/2452-29-0x0000000007910000-0x000000000794C000-memory.dmp

Filesize
240KB

Download
memory/2452-30-0x0000000007950000-0x000000000799C000-memory.dmp

Filesize
304KB

Download
memory/4064-18-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4064-15-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4064-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4064-14-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads