mystic | c35b2a353f3f737fd5d522bda8150c7fe11a4c4773ad1702d174b480462784c6

Analysis

max time kernel
148s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 17:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d0feb2ba6d8db360600c65c0a9ff51f8124b12ca9b415bbfdedf54b559a9c672.exe
Size

937KB
MD5

9cb0d1e9df3d1720afc640d283626935
SHA1

96c1c2a73af255b93ad71afa9765ee4a39399062
SHA256

d0feb2ba6d8db360600c65c0a9ff51f8124b12ca9b415bbfdedf54b559a9c672
SHA512

b25dd4d624fcf6a244e27a23fb116718e16d6de76da01fabf4204261b3583841df037f1775d2d068f7836fa71e5bebedb834cc46cf4be3f8a6667c017efe5922
SSDEEP

24576:LyCaA28bWLsxVTbMV9/PI2flZUYwo9+KguBkflfO:+FxGQV9BfsuI

Score

10^/10

mystic redline lutyr infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

lutyr

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 3 IoCs

Processes:

resource	yara_rule
behavioral20/memory/2424-21-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral20/memory/2424-24-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral20/memory/2424-22-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2JB984ld.exe	family_redline
behavioral20/memory/4852-28-0x0000000000A90000-0x0000000000ACE000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

Processes:

RP4EO0uk.exeFp9jH6fs.exe1UD43xq2.exe2JB984ld.exe

pid process

2080 RP4EO0uk.exe
1752 Fp9jH6fs.exe
3952 1UD43xq2.exe
4852 2JB984ld.exe

pid	process
2080	RP4EO0uk.exe
1752	Fp9jH6fs.exe
3952	1UD43xq2.exe
4852	2JB984ld.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

d0feb2ba6d8db360600c65c0a9ff51f8124b12ca9b415bbfdedf54b559a9c672.exeRP4EO0uk.exeFp9jH6fs.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	d0feb2ba6d8db360600c65c0a9ff51f8124b12ca9b415bbfdedf54b559a9c672.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	RP4EO0uk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Fp9jH6fs.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

1UD43xq2.exe

description pid process target process

PID 3952 set thread context of 2424 3952 1UD43xq2.exe AppLaunch.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4944 3952 WerFault.exe 1UD43xq2.exe

description	pid	process	target process
PID 3952 set thread context of 2424	3952	1UD43xq2.exe	AppLaunch.exe

pid	pid_target	process	target process
4944	3952	WerFault.exe	1UD43xq2.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

d0feb2ba6d8db360600c65c0a9ff51f8124b12ca9b415bbfdedf54b559a9c672.exeRP4EO0uk.exeFp9jH6fs.exe1UD43xq2.exe

description	pid	process	target process
PID 4604 wrote to memory of 2080	4604	d0feb2ba6d8db360600c65c0a9ff51f8124b12ca9b415bbfdedf54b559a9c672.exe	RP4EO0uk.exe
PID 4604 wrote to memory of 2080	4604	d0feb2ba6d8db360600c65c0a9ff51f8124b12ca9b415bbfdedf54b559a9c672.exe	RP4EO0uk.exe
PID 4604 wrote to memory of 2080	4604	d0feb2ba6d8db360600c65c0a9ff51f8124b12ca9b415bbfdedf54b559a9c672.exe	RP4EO0uk.exe
PID 2080 wrote to memory of 1752	2080	RP4EO0uk.exe	Fp9jH6fs.exe
PID 2080 wrote to memory of 1752	2080	RP4EO0uk.exe	Fp9jH6fs.exe
PID 2080 wrote to memory of 1752	2080	RP4EO0uk.exe	Fp9jH6fs.exe
PID 1752 wrote to memory of 3952	1752	Fp9jH6fs.exe	1UD43xq2.exe
PID 1752 wrote to memory of 3952	1752	Fp9jH6fs.exe	1UD43xq2.exe
PID 1752 wrote to memory of 3952	1752	Fp9jH6fs.exe	1UD43xq2.exe
PID 3952 wrote to memory of 2424	3952	1UD43xq2.exe	AppLaunch.exe
PID 3952 wrote to memory of 2424	3952	1UD43xq2.exe	AppLaunch.exe
PID 3952 wrote to memory of 2424	3952	1UD43xq2.exe	AppLaunch.exe
PID 3952 wrote to memory of 2424	3952	1UD43xq2.exe	AppLaunch.exe
PID 3952 wrote to memory of 2424	3952	1UD43xq2.exe	AppLaunch.exe
PID 3952 wrote to memory of 2424	3952	1UD43xq2.exe	AppLaunch.exe
PID 3952 wrote to memory of 2424	3952	1UD43xq2.exe	AppLaunch.exe
PID 3952 wrote to memory of 2424	3952	1UD43xq2.exe	AppLaunch.exe
PID 3952 wrote to memory of 2424	3952	1UD43xq2.exe	AppLaunch.exe
PID 3952 wrote to memory of 2424	3952	1UD43xq2.exe	AppLaunch.exe
PID 1752 wrote to memory of 4852	1752	Fp9jH6fs.exe	2JB984ld.exe
PID 1752 wrote to memory of 4852	1752	Fp9jH6fs.exe	2JB984ld.exe
PID 1752 wrote to memory of 4852	1752	Fp9jH6fs.exe	2JB984ld.exe

C:\Users\Admin\AppData\Local\Temp\d0feb2ba6d8db360600c65c0a9ff51f8124b12ca9b415bbfdedf54b559a9c672.exe
"C:\Users\Admin\AppData\Local\Temp\d0feb2ba6d8db360600c65c0a9ff51f8124b12ca9b415bbfdedf54b559a9c672.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4604

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RP4EO0uk.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RP4EO0uk.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2080

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Fp9jH6fs.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Fp9jH6fs.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1752

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1UD43xq2.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1UD43xq2.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3952

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
5⤵
PID:2424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3952 -s 620
5⤵
- Program crash
PID:4944

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2JB984ld.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2JB984ld.exe
4⤵
- Executes dropped EXE
PID:4852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3952 -ip 3952
1⤵
PID:852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RP4EO0uk.exe

Filesize
640KB

MD5
32170dc5fc51018f5bfdb11bc16dc4c5

SHA1
cc8ba2c2f84c33932b231c0440493f297c7cfb24

SHA256
233408230759bdab6f654016fecb52c7a90bcafe32c48d3f0a7e9f87d515d4ef

SHA512
29d3fb093cf815e903a109e1f3b7425aab85827e7eb78752d59b45b355ca6400b682030ddd859a4eafc624118448055d7de391abd45749f1efd02b0d48697a36

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Fp9jH6fs.exe

Filesize
444KB

MD5
0485efb83eba559df4d7b7f5ed9665f5

SHA1
1a5c05acc06751298cdbdf4ed975e98352875429

SHA256
11dbd650371088a4b30837ce17d018b52a6126c0edcbb994085e7bdd9c24e18c

SHA512
a4083995cbe83af95978295e1ffc4cb13b755f2fafacffc5a04be8028e35380b686847a808df544f9b3ded44e5a7f7a1185cc64cdb23ae1b2f5e3855ba6dc46e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1UD43xq2.exe

Filesize
423KB

MD5
22a557661610a25cec875469af6f38cc

SHA1
bdb1222171ac5149fd50923e22ca999a949dc527

SHA256
1abc12bed59657e99bdf8c3121a5aac157ad6deffd49249df017c627af694120

SHA512
fde4b904ca4babf8baf88e504ab3e79ced95f3ac056985bb08b9992d4faa308120c5b9e3db8ee945639ae476c7cf9c94d7b55f644c09f38495e4fc051f89f150

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2JB984ld.exe

Filesize
221KB

MD5
b5ed4cb0ccc0be55828b2c37b9c3698c

SHA1
644aa607c72b0f8e775e7a844d5206200a66f270

SHA256
d1aab003e3b3783121c1c7a4651bdfe24a9cfe923c80360934b86048d978f9e3

SHA512
47d1675145c71b3e0be8661ef2620f8d7d62c89555f0fa76db99e7fb249f06a7daed99da23f9ecb7e90aace519c55f4103f6ed3bbf32e84a710b5285355990e3

Download Submit
memory/2424-21-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2424-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2424-22-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4852-29-0x0000000007D10000-0x00000000082B4000-memory.dmp

Filesize
5.6MB

Download
memory/4852-28-0x0000000000A90000-0x0000000000ACE000-memory.dmp

Filesize
248KB

Download
memory/4852-30-0x0000000007810000-0x00000000078A2000-memory.dmp

Filesize
584KB

Download
memory/4852-31-0x0000000002C50000-0x0000000002C5A000-memory.dmp

Filesize
40KB

Download
memory/4852-32-0x00000000088E0000-0x0000000008EF8000-memory.dmp

Filesize
6.1MB

Download
memory/4852-33-0x0000000007B50000-0x0000000007C5A000-memory.dmp

Filesize
1.0MB

Download
memory/4852-34-0x0000000007A60000-0x0000000007A72000-memory.dmp

Filesize
72KB

Download
memory/4852-35-0x0000000007AC0000-0x0000000007AFC000-memory.dmp

Filesize
240KB

Download
memory/4852-36-0x0000000007B00000-0x0000000007B4C000-memory.dmp

Filesize
304KB

Download