mystic | 75edb521bbb0ae12b7c2c52fa6e3ed769f4e764e26b92ef2dc4d7cb78ed92fd9

Analysis

max time kernel
146s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 18:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

63e7ea0ef874b72273a3ea2e8d37753b642423f278258c8297d28ce3024ecc61.exe
Size

1.3MB
MD5

b15dc7860f40ea21d727ada21c858d78
SHA1

10bfa760f1a369aaaad29f09084d4c5a2ecd7c61
SHA256

63e7ea0ef874b72273a3ea2e8d37753b642423f278258c8297d28ce3024ecc61
SHA512

07b4a692a2db2e34c2ca0366e68a495021b4d7c799ebb49fae3f671e97d516f3e14edeb7a130a58bf4e4e3f73a2f4ecc379d2b498f762b20d173ee6b7de15ed8
SSDEEP

24576:Qy/hJhEvVPVCZ7m0CWm+hYWrvqfip2d69GPWFh31usKvGV:XfSVO7dyiYWbqfpVWssK+

Score

10^/10

mystic redline lutyr infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

lutyr

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 3 IoCs

resource	yara_rule
behavioral7/memory/1544-35-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral7/memory/1544-38-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral7/memory/1544-37-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral7/files/0x000700000002343e-40.dat	family_redline
behavioral7/memory/2372-42-0x0000000000B90000-0x0000000000BCE000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
4240	Xy8QL8na.exe
628	jk2Vf8sZ.exe
3740	Gz8aU8XG.exe
2164	xw7wG0jr.exe
4404	1Df40Nt9.exe
2372	2cG651bP.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Xy8QL8na.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	jk2Vf8sZ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	Gz8aU8XG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	xw7wG0jr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	63e7ea0ef874b72273a3ea2e8d37753b642423f278258c8297d28ce3024ecc61.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4404 set thread context of 1544	4404	1Df40Nt9.exe	91

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3892	4404	WerFault.exe	89

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 4352 wrote to memory of 4240	4352	63e7ea0ef874b72273a3ea2e8d37753b642423f278258c8297d28ce3024ecc61.exe	84
PID 4352 wrote to memory of 4240	4352	63e7ea0ef874b72273a3ea2e8d37753b642423f278258c8297d28ce3024ecc61.exe	84
PID 4352 wrote to memory of 4240	4352	63e7ea0ef874b72273a3ea2e8d37753b642423f278258c8297d28ce3024ecc61.exe	84
PID 4240 wrote to memory of 628	4240	Xy8QL8na.exe	85
PID 4240 wrote to memory of 628	4240	Xy8QL8na.exe	85
PID 4240 wrote to memory of 628	4240	Xy8QL8na.exe	85
PID 628 wrote to memory of 3740	628	jk2Vf8sZ.exe	86
PID 628 wrote to memory of 3740	628	jk2Vf8sZ.exe	86
PID 628 wrote to memory of 3740	628	jk2Vf8sZ.exe	86
PID 3740 wrote to memory of 2164	3740	Gz8aU8XG.exe	87
PID 3740 wrote to memory of 2164	3740	Gz8aU8XG.exe	87
PID 3740 wrote to memory of 2164	3740	Gz8aU8XG.exe	87
PID 2164 wrote to memory of 4404	2164	xw7wG0jr.exe	89
PID 2164 wrote to memory of 4404	2164	xw7wG0jr.exe	89
PID 2164 wrote to memory of 4404	2164	xw7wG0jr.exe	89
PID 4404 wrote to memory of 1544	4404	1Df40Nt9.exe	91
PID 4404 wrote to memory of 1544	4404	1Df40Nt9.exe	91
PID 4404 wrote to memory of 1544	4404	1Df40Nt9.exe	91
PID 4404 wrote to memory of 1544	4404	1Df40Nt9.exe	91
PID 4404 wrote to memory of 1544	4404	1Df40Nt9.exe	91
PID 4404 wrote to memory of 1544	4404	1Df40Nt9.exe	91
PID 4404 wrote to memory of 1544	4404	1Df40Nt9.exe	91
PID 4404 wrote to memory of 1544	4404	1Df40Nt9.exe	91
PID 4404 wrote to memory of 1544	4404	1Df40Nt9.exe	91
PID 4404 wrote to memory of 1544	4404	1Df40Nt9.exe	91
PID 2164 wrote to memory of 2372	2164	xw7wG0jr.exe	96
PID 2164 wrote to memory of 2372	2164	xw7wG0jr.exe	96
PID 2164 wrote to memory of 2372	2164	xw7wG0jr.exe	96

C:\Users\Admin\AppData\Local\Temp\63e7ea0ef874b72273a3ea2e8d37753b642423f278258c8297d28ce3024ecc61.exe
"C:\Users\Admin\AppData\Local\Temp\63e7ea0ef874b72273a3ea2e8d37753b642423f278258c8297d28ce3024ecc61.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4352
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Xy8QL8na.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Xy8QL8na.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4240
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jk2Vf8sZ.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jk2Vf8sZ.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:628
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Gz8aU8XG.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Gz8aU8XG.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3740
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\xw7wG0jr.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\xw7wG0jr.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2164
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Df40Nt9.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Df40Nt9.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4404
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4404 -s 592
        7⤵
        Program crash
        
        PID:3892
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2cG651bP.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2cG651bP.exe
        6⤵
        Executes dropped EXE
        
        PID:2372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4404 -ip 4404
1⤵
PID:5048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Xy8QL8na.exe

Filesize
1.1MB

MD5
0e2b7a00dfc8a77beb3eb29772253f2d

SHA1
765576e2ae2ed8a2b8b251931049c553381d0064

SHA256
121a86e82fabef1fd0e51e7e2f7c05de8391d3ee16c10449ba51a8ae829b4570

SHA512
6021b7ede8af4d557634c1acac003ab1349d12c3560cce67868cb49ef8846c87f63c23d603728e8c6c3889e006ac8b2fbe35ffbfbc3aaabad98e87038e10dd31

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jk2Vf8sZ.exe

Filesize
947KB

MD5
ec690995b634ddc49df12be265aa426f

SHA1
34d99e2c55c8ad7c9ff6514b02ca507e1b9c5aa4

SHA256
475759890c8525ac5d13b23b7cf911575fd0a3fcfa455204a2da2f9bf786942d

SHA512
2dce1439f9019720633abe92be30d9a5990d4b2c53a5a3749306b7fba6d957c0a0e4c6b65541184ea41bd654c35be8ddd8eea9ba3abd26d04c6a4e81c90e2c0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Gz8aU8XG.exe

Filesize
645KB

MD5
b39590fd6b2a12968b65a25c0fe4f5f0

SHA1
fcdd1d4b96b0e4bb835b5f998288e7a4171c6fe1

SHA256
7a8faa64cfe6b647412c252955dc72093d423a014cc7f436ae685137ac2ba95c

SHA512
911c935174ea34ce7a3b21ef26de081c8d625d382f986123ae0bc277b8fcf4700d9184cf287b1f3d80cf6e1a65e946bd8ae68c2287561cefa20e792b6c94e8a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\xw7wG0jr.exe

Filesize
449KB

MD5
46290c0b53a8217bda01bd510a38a8d3

SHA1
85a1de7ff89d422698768d441229e65f55cba88e

SHA256
ad28c4b0753c3919c855e407f0323bc927060f24c2cdb683d7cc392eb82a19f8

SHA512
8e56b8157ba75c602ff4ba24fd4e4a63d8f050f1270be0929ed92fb4e7b545537f4be7bdb2df51710e5681e4366c3868b617bb9eb0ffe2035a3d452220c947a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Df40Nt9.exe

Filesize
446KB

MD5
4ec364f4492ada0565a5b47bc297fe25

SHA1
c7ba7402b9e2848557df0f436fb3758f331861e3

SHA256
8de06038d075d45fe13d9ad2cd49c94727a3d45c3da696e5c790b4b45dbb8726

SHA512
f683f6d085a09fc561959eade281766ade498643f81da43e7acd05e59f1df87d9099fad6e564104a447dc36b0b66148dbe46c9c02e3d6036271f3b2358e38994

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2cG651bP.exe

Filesize
222KB

MD5
9e616b1461cd5f4cbd366aab6aad1f33

SHA1
6a4995847e050c3d75808a008d9f73a053cabcb8

SHA256
598b46561e1b8e350f5595c40b079b8a5933ec45f3d92da83488113b6a05fa62

SHA512
acf06ea6d722ee66c54965db5bcf7b0f56ff10623a3eaa100abdb7f5e7ab25294cf435b79c6896f9920145bbc1de80d67bad0e4dcd092c1745a674de685207ef

Download Submit
memory/1544-38-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1544-37-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1544-35-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2372-42-0x0000000000B90000-0x0000000000BCE000-memory.dmp

Filesize
248KB

Download
memory/2372-43-0x0000000007F60000-0x0000000008504000-memory.dmp

Filesize
5.6MB

Download
memory/2372-44-0x0000000007A90000-0x0000000007B22000-memory.dmp

Filesize
584KB

Download
memory/2372-45-0x0000000002F50000-0x0000000002F5A000-memory.dmp

Filesize
40KB

Download
memory/2372-46-0x0000000008B30000-0x0000000009148000-memory.dmp

Filesize
6.1MB

Download
memory/2372-47-0x0000000008510000-0x000000000861A000-memory.dmp

Filesize
1.0MB

Download
memory/2372-48-0x0000000007B80000-0x0000000007B92000-memory.dmp

Filesize
72KB

Download
memory/2372-49-0x0000000007C00000-0x0000000007C3C000-memory.dmp

Filesize
240KB

Download
memory/2372-50-0x0000000007C40000-0x0000000007C8C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads