mystic | 47889c48da4c5e390f10c04d8390b2c5d9f68bec127bf0e18bbe686b9079b922

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 17:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c1821fe13b3b9c1fc3fe603dfd3668b199fd7d6f671e0f72b8a9fff5a38fd286.exe
Size

326KB
MD5

82258baf5fd7b18e47c8dd949b380183
SHA1

71a30fae26f446b7e5bab3f44e39aa7aac1b8c90
SHA256

c1821fe13b3b9c1fc3fe603dfd3668b199fd7d6f671e0f72b8a9fff5a38fd286
SHA512

d22f01b9ffb26a2dcf434e2e94b0d00228535f9493d83ac117b9d06f328ebd4ff53a3c7964eac5256d95651985a9973f763bb63c292d7021e7bcbf829e8ac713
SSDEEP

6144:Kqy+bnr+Jp0yN90QEJgX6VOwPBIAy+hy8vlvZgRkajW1HV6/1:SMrxy903g+OnA4q2i1161

Score

10^/10

mystic redline lutyr infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

lutyr

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1uv05oe6.exe	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2Qx346vD.exe	family_redline
behavioral17/memory/3372-11-0x0000000000020000-0x000000000005E000-memory.dmp	family_redline

Executes dropped EXE 2 IoCs

Processes:

1uv05oe6.exe2Qx346vD.exe

pid process

2872 1uv05oe6.exe
3372 2Qx346vD.exe

pid	process
2872	1uv05oe6.exe
3372	2Qx346vD.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

c1821fe13b3b9c1fc3fe603dfd3668b199fd7d6f671e0f72b8a9fff5a38fd286.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	c1821fe13b3b9c1fc3fe603dfd3668b199fd7d6f671e0f72b8a9fff5a38fd286.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

c1821fe13b3b9c1fc3fe603dfd3668b199fd7d6f671e0f72b8a9fff5a38fd286.exe

description	pid	process	target process
PID 4480 wrote to memory of 2872	4480	c1821fe13b3b9c1fc3fe603dfd3668b199fd7d6f671e0f72b8a9fff5a38fd286.exe	1uv05oe6.exe
PID 4480 wrote to memory of 2872	4480	c1821fe13b3b9c1fc3fe603dfd3668b199fd7d6f671e0f72b8a9fff5a38fd286.exe	1uv05oe6.exe
PID 4480 wrote to memory of 2872	4480	c1821fe13b3b9c1fc3fe603dfd3668b199fd7d6f671e0f72b8a9fff5a38fd286.exe	1uv05oe6.exe
PID 4480 wrote to memory of 3372	4480	c1821fe13b3b9c1fc3fe603dfd3668b199fd7d6f671e0f72b8a9fff5a38fd286.exe	2Qx346vD.exe
PID 4480 wrote to memory of 3372	4480	c1821fe13b3b9c1fc3fe603dfd3668b199fd7d6f671e0f72b8a9fff5a38fd286.exe	2Qx346vD.exe
PID 4480 wrote to memory of 3372	4480	c1821fe13b3b9c1fc3fe603dfd3668b199fd7d6f671e0f72b8a9fff5a38fd286.exe	2Qx346vD.exe

C:\Users\Admin\AppData\Local\Temp\c1821fe13b3b9c1fc3fe603dfd3668b199fd7d6f671e0f72b8a9fff5a38fd286.exe
"C:\Users\Admin\AppData\Local\Temp\c1821fe13b3b9c1fc3fe603dfd3668b199fd7d6f671e0f72b8a9fff5a38fd286.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4480

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1uv05oe6.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1uv05oe6.exe
2⤵
- Executes dropped EXE
PID:2872

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2Qx346vD.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2Qx346vD.exe
2⤵
- Executes dropped EXE
PID:3372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1uv05oe6.exe

Filesize
190KB

MD5
a6656e3d6d06c8ce9cbb4b6952553c20

SHA1
af45103616dc896da5ee4268fd5f9483b5b97c1c

SHA256
fec303b128c44607654c078736b96d2762722f51b6c473dfe5415158fd83718b

SHA512
f53f2214d3f192a352b2a93c66d91988a41a5ab9dbf15edd62ea8ce38da8a732114e3c46526d4dc6f3132330913b1acb90fa11ff454a1520d117149a86678d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2Qx346vD.exe

Filesize
221KB

MD5
5d0ac3dd6e980c49c7d7801f955e5d47

SHA1
12c30489bb3cade179bb0ae727c48f59092b3d10

SHA256
d5073e7629c7adfb27b082da4dceb037b28023a193373945a23935731ebd2642

SHA512
720d8a87e088e9a5f40c7b354fc31b303ccc54937f72b34aee369931d6fcb8ecdc6526d55b561ca0555b8996f12304f9589f088906e32d17f6bffddc36c566e0

Download Submit
memory/3372-10-0x00000000748CE000-0x00000000748CF000-memory.dmp

Filesize
4KB

Download
memory/3372-11-0x0000000000020000-0x000000000005E000-memory.dmp

Filesize
248KB

Download
memory/3372-12-0x00000000072D0000-0x0000000007874000-memory.dmp

Filesize
5.6MB

Download
memory/3372-13-0x0000000006DC0000-0x0000000006E52000-memory.dmp

Filesize
584KB

Download
memory/3372-14-0x0000000004360000-0x000000000436A000-memory.dmp

Filesize
40KB

Download
memory/3372-15-0x00000000748C0000-0x0000000075070000-memory.dmp

Filesize
7.7MB

Download
memory/3372-16-0x0000000007EA0000-0x00000000084B8000-memory.dmp

Filesize
6.1MB

Download
memory/3372-17-0x0000000007880000-0x000000000798A000-memory.dmp

Filesize
1.0MB

Download
memory/3372-18-0x0000000007110000-0x0000000007122000-memory.dmp

Filesize
72KB

Download
memory/3372-19-0x00000000071A0000-0x00000000071DC000-memory.dmp

Filesize
240KB

Download
memory/3372-20-0x00000000071E0000-0x000000000722C000-memory.dmp

Filesize
304KB

Download
memory/3372-21-0x00000000748CE000-0x00000000748CF000-memory.dmp

Filesize
4KB

Download
memory/3372-22-0x00000000748C0000-0x0000000075070000-memory.dmp

Filesize
7.7MB

Download