mystic | 47889c48da4c5e390f10c04d8390b2c5d9f68bec127bf0e18bbe686b9079b922

Analysis

max time kernel
145s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 17:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

867a7ac357adfff48d6fc2820efa7db93b3c2303fa2c5f2570c1760004b2a310.exe
Size

326KB
MD5

42a4c8166d06975d1d157539cf894c84
SHA1

2422d09a6f84c344d6559b1e3be233e37c465e36
SHA256

867a7ac357adfff48d6fc2820efa7db93b3c2303fa2c5f2570c1760004b2a310
SHA512

a48c64e57aca511432ff65afd4106ec969814ebe212a3ca8a8e3fee51bd8dd7d458800fce40773b99c4ed8f67cc1485a9276c0957a6c31a70a923834812be85e
SSDEEP

6144:KOy+bnr+7p0yN90QELmX6VOwPBIAy+hy8vlvZgRkajW19m76ya:iMrfy90hm+OnA4q2i107va

Score

10^/10

mystic redline lutyr infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

lutyr

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 1 IoCs

resource	yara_rule
behavioral14/files/0x000a000000023440-6.dat	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral14/files/0x0007000000023466-8.dat	family_redline
behavioral14/memory/4964-11-0x0000000000E40000-0x0000000000E7E000-memory.dmp	family_redline

Executes dropped EXE 2 IoCs

pid	Process
4240	1ir62mw1.exe
4964	2ct555vR.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	867a7ac357adfff48d6fc2820efa7db93b3c2303fa2c5f2570c1760004b2a310.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4840 wrote to memory of 4240	4840	867a7ac357adfff48d6fc2820efa7db93b3c2303fa2c5f2570c1760004b2a310.exe	83
PID 4840 wrote to memory of 4240	4840	867a7ac357adfff48d6fc2820efa7db93b3c2303fa2c5f2570c1760004b2a310.exe	83
PID 4840 wrote to memory of 4240	4840	867a7ac357adfff48d6fc2820efa7db93b3c2303fa2c5f2570c1760004b2a310.exe	83
PID 4840 wrote to memory of 4964	4840	867a7ac357adfff48d6fc2820efa7db93b3c2303fa2c5f2570c1760004b2a310.exe	85
PID 4840 wrote to memory of 4964	4840	867a7ac357adfff48d6fc2820efa7db93b3c2303fa2c5f2570c1760004b2a310.exe	85
PID 4840 wrote to memory of 4964	4840	867a7ac357adfff48d6fc2820efa7db93b3c2303fa2c5f2570c1760004b2a310.exe	85

C:\Users\Admin\AppData\Local\Temp\867a7ac357adfff48d6fc2820efa7db93b3c2303fa2c5f2570c1760004b2a310.exe
"C:\Users\Admin\AppData\Local\Temp\867a7ac357adfff48d6fc2820efa7db93b3c2303fa2c5f2570c1760004b2a310.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4840
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1ir62mw1.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1ir62mw1.exe
  2⤵
  - Executes dropped EXE
  PID:4240
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2ct555vR.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2ct555vR.exe
  2⤵
  - Executes dropped EXE
  PID:4964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1ir62mw1.exe

Filesize
190KB

MD5
a6656e3d6d06c8ce9cbb4b6952553c20

SHA1
af45103616dc896da5ee4268fd5f9483b5b97c1c

SHA256
fec303b128c44607654c078736b96d2762722f51b6c473dfe5415158fd83718b

SHA512
f53f2214d3f192a352b2a93c66d91988a41a5ab9dbf15edd62ea8ce38da8a732114e3c46526d4dc6f3132330913b1acb90fa11ff454a1520d117149a86678d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2ct555vR.exe

Filesize
221KB

MD5
e8d4e2571ee0551e55e404bee034a3c6

SHA1
c5b884ee72ab8696a52ac7a7c5d38799785cf379

SHA256
65e0939ef5508253049befcacaa987815ee47d3aec0f86061aa371ebbdb45bc5

SHA512
cb7045a185d293aff72ce660cf61d0869e42892134f7f908d0db53eaf4f0c4fada048e1860abdfaf0e67154bc408d63781362cf26959fa9129ab2165aa41bda8

Download Submit
memory/4964-10-0x000000007452E000-0x000000007452F000-memory.dmp

Filesize
4KB

Download
memory/4964-11-0x0000000000E40000-0x0000000000E7E000-memory.dmp

Filesize
248KB

Download
memory/4964-12-0x00000000080F0000-0x0000000008694000-memory.dmp

Filesize
5.6MB

Download
memory/4964-13-0x0000000007BE0000-0x0000000007C72000-memory.dmp

Filesize
584KB

Download
memory/4964-14-0x00000000051E0000-0x00000000051EA000-memory.dmp

Filesize
40KB

Download
memory/4964-15-0x0000000074520000-0x0000000074CD0000-memory.dmp

Filesize
7.7MB

Download
memory/4964-16-0x0000000008CC0000-0x00000000092D8000-memory.dmp

Filesize
6.1MB

Download
memory/4964-17-0x00000000086A0000-0x00000000087AA000-memory.dmp

Filesize
1.0MB

Download
memory/4964-18-0x0000000007CF0000-0x0000000007D02000-memory.dmp

Filesize
72KB

Download
memory/4964-19-0x0000000007E50000-0x0000000007E8C000-memory.dmp

Filesize
240KB

Download
memory/4964-20-0x0000000007EE0000-0x0000000007F2C000-memory.dmp

Filesize
304KB

Download
memory/4964-21-0x000000007452E000-0x000000007452F000-memory.dmp

Filesize
4KB

Download
memory/4964-22-0x0000000074520000-0x0000000074CD0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads