mystic | 75edb521bbb0ae12b7c2c52fa6e3ed769f4e764e26b92ef2dc4d7cb78ed92fd9

Analysis

max time kernel
144s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 18:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b4bd81eed44be3f83a4d778d3fe1bc914c1e5bca98bb8217707f964f5e0b0904.exe
Size

936KB
MD5

4440531ebafc2168c09d9f1564b9d79c
SHA1

63178757582dec4f3f7587693c46d8fefa6c3ad9
SHA256

b4bd81eed44be3f83a4d778d3fe1bc914c1e5bca98bb8217707f964f5e0b0904
SHA512

226e5a33ebe5aa1cd9a1dc3c2575e9413620591298d53cc5d7c8ceaefd8d81d494b8efe18d5f0b0c5f06f18d17a27f7130305224bea7922b476ff15576de7bad
SSDEEP

24576:jyapEYWP1adbcE7bMKOp64nxuY9JRKsSFfAZDZqS:2aBVdbF7bMKo3nx1bRKnON

Score

10^/10

mystic redline lutyr infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

lutyr

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 3 IoCs

resource	yara_rule
behavioral14/memory/2112-21-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral14/memory/2112-24-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral14/memory/2112-22-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral14/files/0x00070000000233f8-26.dat	family_redline
behavioral14/memory/3908-28-0x00000000000A0000-0x00000000000DE000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

pid	Process
4652	Rj6Jo2HA.exe
4768	xw6ID6Nf.exe
2724	1sp91qL5.exe
3908	2XS953yc.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Rj6Jo2HA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	xw6ID6Nf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b4bd81eed44be3f83a4d778d3fe1bc914c1e5bca98bb8217707f964f5e0b0904.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2724 set thread context of 2112	2724	1sp91qL5.exe	84

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2440	2724	WerFault.exe	83

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 3180 wrote to memory of 4652	3180	b4bd81eed44be3f83a4d778d3fe1bc914c1e5bca98bb8217707f964f5e0b0904.exe	81
PID 3180 wrote to memory of 4652	3180	b4bd81eed44be3f83a4d778d3fe1bc914c1e5bca98bb8217707f964f5e0b0904.exe	81
PID 3180 wrote to memory of 4652	3180	b4bd81eed44be3f83a4d778d3fe1bc914c1e5bca98bb8217707f964f5e0b0904.exe	81
PID 4652 wrote to memory of 4768	4652	Rj6Jo2HA.exe	82
PID 4652 wrote to memory of 4768	4652	Rj6Jo2HA.exe	82
PID 4652 wrote to memory of 4768	4652	Rj6Jo2HA.exe	82
PID 4768 wrote to memory of 2724	4768	xw6ID6Nf.exe	83
PID 4768 wrote to memory of 2724	4768	xw6ID6Nf.exe	83
PID 4768 wrote to memory of 2724	4768	xw6ID6Nf.exe	83
PID 2724 wrote to memory of 2112	2724	1sp91qL5.exe	84
PID 2724 wrote to memory of 2112	2724	1sp91qL5.exe	84
PID 2724 wrote to memory of 2112	2724	1sp91qL5.exe	84
PID 2724 wrote to memory of 2112	2724	1sp91qL5.exe	84
PID 2724 wrote to memory of 2112	2724	1sp91qL5.exe	84
PID 2724 wrote to memory of 2112	2724	1sp91qL5.exe	84
PID 2724 wrote to memory of 2112	2724	1sp91qL5.exe	84
PID 2724 wrote to memory of 2112	2724	1sp91qL5.exe	84
PID 2724 wrote to memory of 2112	2724	1sp91qL5.exe	84
PID 2724 wrote to memory of 2112	2724	1sp91qL5.exe	84
PID 4768 wrote to memory of 3908	4768	xw6ID6Nf.exe	88
PID 4768 wrote to memory of 3908	4768	xw6ID6Nf.exe	88
PID 4768 wrote to memory of 3908	4768	xw6ID6Nf.exe	88

C:\Users\Admin\AppData\Local\Temp\b4bd81eed44be3f83a4d778d3fe1bc914c1e5bca98bb8217707f964f5e0b0904.exe
"C:\Users\Admin\AppData\Local\Temp\b4bd81eed44be3f83a4d778d3fe1bc914c1e5bca98bb8217707f964f5e0b0904.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3180
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rj6Jo2HA.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rj6Jo2HA.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4652
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xw6ID6Nf.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xw6ID6Nf.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4768
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1sp91qL5.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1sp91qL5.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:2724
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        
        PID:2112
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2724 -s 600
        5⤵
        Program crash
        
        PID:2440
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2XS953yc.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2XS953yc.exe
      4⤵
      Executes dropped EXE
      PID:3908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2724 -ip 2724
1⤵
PID:1644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rj6Jo2HA.exe

Filesize
640KB

MD5
05865e49fff5de5a2220eccaadb11bf8

SHA1
177827e2060c489812981396f839a2d98697804f

SHA256
29f046f5dc9fb2071095e059016047bea66b710853a4772ca77f1882f8cc6ac5

SHA512
44b86006d241b10f674dd41122fdac8e9e80fce954a1b357b8c8f5ae993d5cba682f530a7507046586d4e4fec8316db8fc3b691c269944017a002b9c4233cc73

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xw6ID6Nf.exe

Filesize
444KB

MD5
dd569625edc1703419106a5e500b36f7

SHA1
534cd4d11fe15e08a4b30583ff663a25188ab882

SHA256
7868969ca5f9d1f46d3aa1ac69b7fd0b74f1e27f419455ecf857ade13082c98a

SHA512
a9eddbcfcc073c9964e50eff1eae4a93697903ea973ea09463f0d9a62b9c9ed1343b5fdf7a3250b5e78c5a948f62620e80f586e1865a66a56af56bf7b4481778

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1sp91qL5.exe

Filesize
423KB

MD5
15b11489dec895b8e28f9b8c5a4f3b70

SHA1
1547d0d01a90e171b8523c7f73129b88a8b5c4b5

SHA256
cca1f812a77db2eb8b228b9eb2a1c153a9f363a8bc95ae7b7d3b92f1924a1c2a

SHA512
e65d520860e4f536879de471d35a44d8b539041986eec77550a472b97f2feefe6a84ea60ba31ce46b3fee3bf56fd1fcf0ff01796da202921639c9135709820d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2XS953yc.exe

Filesize
221KB

MD5
bc9e5a32c0523b219e8608e63774678b

SHA1
7238b222485438e59e22902103908bbbb8b3c2dc

SHA256
631493ab647d0fad09a5b805e2906d9984b9196e8c755a65fff7d59abec02b31

SHA512
a5b1f0b97e8620fb1904fe88539adc61607d1931a13ae61824500dd2e2412fa5ef57093674aba94b8e6209e5fe33cc6ff39afba0b50273fdc923bfd8f606b691

Download Submit
memory/2112-21-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2112-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2112-22-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3908-29-0x00000000074E0000-0x0000000007A84000-memory.dmp

Filesize
5.6MB

Download
memory/3908-28-0x00000000000A0000-0x00000000000DE000-memory.dmp

Filesize
248KB

Download
memory/3908-30-0x0000000006FD0000-0x0000000007062000-memory.dmp

Filesize
584KB

Download
memory/3908-31-0x0000000002420000-0x000000000242A000-memory.dmp

Filesize
40KB

Download
memory/3908-32-0x00000000080B0000-0x00000000086C8000-memory.dmp

Filesize
6.1MB

Download
memory/3908-33-0x00000000072B0000-0x00000000073BA000-memory.dmp

Filesize
1.0MB

Download
memory/3908-34-0x00000000071A0000-0x00000000071B2000-memory.dmp

Filesize
72KB

Download
memory/3908-35-0x0000000007200000-0x000000000723C000-memory.dmp

Filesize
240KB

Download
memory/3908-36-0x0000000007240000-0x000000000728C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads