mystic | 75edb521bbb0ae12b7c2c52fa6e3ed769f4e764e26b92ef2dc4d7cb78ed92fd9

Analysis

max time kernel
150s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 18:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

537d35bac51656a3d24c96fd5d730dbd1b3aa1e40870063892a5c0f247669243.exe
Size

1.2MB
MD5

cd940c2af93b4093f92294507d63a84b
SHA1

829dbf34628ba466b4a3e47a892cfda952854fca
SHA256

537d35bac51656a3d24c96fd5d730dbd1b3aa1e40870063892a5c0f247669243
SHA512

d63b8ca3cd579dce5071950fb767654c9d5b167ca33986f946d992cabae02a6f01e1f6f5b1630d09cc4658927fa1bcae0799da649061e487f1fd0b2e3d764889
SSDEEP

24576:Gyqfq8S2gU9bBeRIEp1rkOWidPnEA+jO406CSVlOjo0pvn1ByeUU:V0jS9wBeRTOOPnEA+jOj66jokU

Score

10^/10

mystic redline lutyr infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

lutyr

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 3 IoCs

resource	yara_rule
behavioral6/memory/876-35-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral6/memory/876-36-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral6/memory/876-38-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral6/files/0x0007000000023424-40.dat	family_redline
behavioral6/memory/4392-42-0x0000000000280000-0x00000000002BE000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
1392	LE8Zm4sT.exe
4680	Rc6MA1Id.exe
636	Qt2Ol3Iq.exe
1856	lz2jI0yM.exe
2372	1dd03EH2.exe
4392	2la883OF.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	537d35bac51656a3d24c96fd5d730dbd1b3aa1e40870063892a5c0f247669243.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	LE8Zm4sT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Rc6MA1Id.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	Qt2Ol3Iq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	lz2jI0yM.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2372 set thread context of 876	2372	1dd03EH2.exe	90

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1776	2372	WerFault.exe	88

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 3628 wrote to memory of 1392	3628	537d35bac51656a3d24c96fd5d730dbd1b3aa1e40870063892a5c0f247669243.exe	83
PID 3628 wrote to memory of 1392	3628	537d35bac51656a3d24c96fd5d730dbd1b3aa1e40870063892a5c0f247669243.exe	83
PID 3628 wrote to memory of 1392	3628	537d35bac51656a3d24c96fd5d730dbd1b3aa1e40870063892a5c0f247669243.exe	83
PID 1392 wrote to memory of 4680	1392	LE8Zm4sT.exe	84
PID 1392 wrote to memory of 4680	1392	LE8Zm4sT.exe	84
PID 1392 wrote to memory of 4680	1392	LE8Zm4sT.exe	84
PID 4680 wrote to memory of 636	4680	Rc6MA1Id.exe	85
PID 4680 wrote to memory of 636	4680	Rc6MA1Id.exe	85
PID 4680 wrote to memory of 636	4680	Rc6MA1Id.exe	85
PID 636 wrote to memory of 1856	636	Qt2Ol3Iq.exe	86
PID 636 wrote to memory of 1856	636	Qt2Ol3Iq.exe	86
PID 636 wrote to memory of 1856	636	Qt2Ol3Iq.exe	86
PID 1856 wrote to memory of 2372	1856	lz2jI0yM.exe	88
PID 1856 wrote to memory of 2372	1856	lz2jI0yM.exe	88
PID 1856 wrote to memory of 2372	1856	lz2jI0yM.exe	88
PID 2372 wrote to memory of 876	2372	1dd03EH2.exe	90
PID 2372 wrote to memory of 876	2372	1dd03EH2.exe	90
PID 2372 wrote to memory of 876	2372	1dd03EH2.exe	90
PID 2372 wrote to memory of 876	2372	1dd03EH2.exe	90
PID 2372 wrote to memory of 876	2372	1dd03EH2.exe	90
PID 2372 wrote to memory of 876	2372	1dd03EH2.exe	90
PID 2372 wrote to memory of 876	2372	1dd03EH2.exe	90
PID 2372 wrote to memory of 876	2372	1dd03EH2.exe	90
PID 2372 wrote to memory of 876	2372	1dd03EH2.exe	90
PID 2372 wrote to memory of 876	2372	1dd03EH2.exe	90
PID 1856 wrote to memory of 4392	1856	lz2jI0yM.exe	96
PID 1856 wrote to memory of 4392	1856	lz2jI0yM.exe	96
PID 1856 wrote to memory of 4392	1856	lz2jI0yM.exe	96

C:\Users\Admin\AppData\Local\Temp\537d35bac51656a3d24c96fd5d730dbd1b3aa1e40870063892a5c0f247669243.exe
"C:\Users\Admin\AppData\Local\Temp\537d35bac51656a3d24c96fd5d730dbd1b3aa1e40870063892a5c0f247669243.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3628
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\LE8Zm4sT.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\LE8Zm4sT.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1392
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Rc6MA1Id.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Rc6MA1Id.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4680
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Qt2Ol3Iq.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Qt2Ol3Iq.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:636
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\lz2jI0yM.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\lz2jI0yM.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1856
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1dd03EH2.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1dd03EH2.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2372
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:876
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2372 -s 152
        7⤵
        Program crash
        
        PID:1776
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2la883OF.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2la883OF.exe
        6⤵
        Executes dropped EXE
        
        PID:4392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2372 -ip 2372
1⤵
PID:1884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\LE8Zm4sT.exe

Filesize
1.0MB

MD5
15f4a81629332501e7e10ad9f28e5f9e

SHA1
adacafca1c125f37bf9b2d13c41b530394722c96

SHA256
7fe70a01e9af243854c9bed62da48c08ae425c8887480bd1036d8ba65f75c0db

SHA512
2c7d3d33d017134a224471a1921a83793f2b6e852f2c101c41487e757c54d497ec3936d58313766abf74634d97fc8dbe2a9744f7adf3bcba836a3f75832b6dab

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Rc6MA1Id.exe

Filesize
879KB

MD5
20b9ef869ab2105e6a7e02c0c14b884d

SHA1
13163bd729472ed2ead7c5e1bfe4c74e50e3f851

SHA256
df0799c11932186b5b84d042572f4e6f975f44bcfa5ec3fb938dd19bd7fda6c2

SHA512
c9a9282e36ca98db8eb0a89922cfc125fa872f3276e85aee8563256541a6aff55b44c431570c6bada304446c4b11d5e4444876ca2fc0bef1f4b193cc4db75203

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Qt2Ol3Iq.exe

Filesize
585KB

MD5
55ba7bbfd5638df4bc12304da2101649

SHA1
a382829f782163e79d536708957f9ad30e240514

SHA256
f3b711385d9feeaed8e8b37318bad6338f34d5f8a717ccb71e254b46dbb201e2

SHA512
4c6f540c180e2da1b350f797b1e388560d38ae40014deef85867464b1f9658f22d5ebe0394a4183bd4146be50f6393b0dbbb5be10bc1ae1cc1af88739a245235

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\lz2jI0yM.exe

Filesize
413KB

MD5
988ec5e8224c1b9d6b119ce96e4b0694

SHA1
7d13948ba3a7d732b46d42e00647d0046ca5adfc

SHA256
9219979cedea955a7977f6af6761aaab52361c3c77ef439f291612d5f38ad58f

SHA512
0c60f4cc08586e7a799980237edf823bdcabc5f7950178faa5f4364d816dd944fbcff7eefb333307ff2b4d0cfc3cbf90261f8a48ce89cffcdcfe9928877d7f6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1dd03EH2.exe

Filesize
378KB

MD5
0ea5b0eb16f9e2a0023660fe7673e773

SHA1
631a6b9f00cd28c0bcf49266a5fa3174e902b236

SHA256
17192ee7a4342f742d03114ad3c1e52124308d549e43aa024c27bc5412a1d1b2

SHA512
2b9544d8602edc89fe181aee4b8675ad9b8f6aa960af780f66c00ad041cb011494d774f55219be6fbf2d52c108b1f2a548f820283e844575dc35bde4deacbd30

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2la883OF.exe

Filesize
221KB

MD5
66102696b9c861a29fc72dbf88cb61fa

SHA1
04607d13d53fd47e123b76ecd6f09acf48ad82cb

SHA256
2bcc56c027d096bc5708e384083eb9838b19048b2bc3b7a46dcb1904381d217a

SHA512
c910537cc4797c239f44e069cc1ab7f618be128956f60a752e8672e52d03ef71316d036e7f937dd8e9d670dc99cdca2d8a9bdc9ccba60228de19802128f5c7d8

Download Submit
memory/876-36-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/876-38-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/876-35-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4392-42-0x0000000000280000-0x00000000002BE000-memory.dmp

Filesize
248KB

Download
memory/4392-43-0x0000000007530000-0x0000000007AD4000-memory.dmp

Filesize
5.6MB

Download
memory/4392-44-0x0000000007020000-0x00000000070B2000-memory.dmp

Filesize
584KB

Download
memory/4392-45-0x0000000004580000-0x000000000458A000-memory.dmp

Filesize
40KB

Download
memory/4392-47-0x0000000007AE0000-0x0000000007BEA000-memory.dmp

Filesize
1.0MB

Download
memory/4392-48-0x0000000007130000-0x0000000007142000-memory.dmp

Filesize
72KB

Download
memory/4392-46-0x0000000008100000-0x0000000008718000-memory.dmp

Filesize
6.1MB

Download
memory/4392-49-0x00000000072A0000-0x00000000072DC000-memory.dmp

Filesize
240KB

Download
memory/4392-50-0x00000000072E0000-0x000000000732C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads