mystic | 60fcc3045e1b1073753937ff8c184c464a45ea76225a406024335c07f898cf7b

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 17:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8db1b8c1b564daa7faeb55ace7fba1d91c0794df89a04d3780af99dc7b4fb985.exe
Size

640KB
MD5

4b646e3a5b0d464bd2dd95b4ad4d8977
SHA1

256215a229468629466dee3f35ad1f34f28c34d8
SHA256

8db1b8c1b564daa7faeb55ace7fba1d91c0794df89a04d3780af99dc7b4fb985
SHA512

60937a5c1a3eab4a92c9a9fb88f26aba988e35aa5861e560b6be9ea01e5325d7667e5de80a12c5cb2bcc5aa63139c8736e18d9aec0f55be0e386c78aad2cd958
SSDEEP

12288:LMr8y90Pyww+7czLvofHDnghQT+xvqbQm35iE7c+l9PG0ZIyK:nymIzinghQTXliE7c+lZ5Ix

Score

10^/10

mystic redline lutyr infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

lutyr

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral11/memory/2576-18-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral11/memory/2576-16-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral11/memory/2576-15-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral11/memory/2576-14-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral11/files/0x0007000000023408-20.dat	family_redline
behavioral11/memory/3000-22-0x0000000000180000-0x00000000001BE000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

pid	Process
2284	Cm2ei9IH.exe
3736	1ND86mC6.exe
3000	2Ym386to.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	8db1b8c1b564daa7faeb55ace7fba1d91c0794df89a04d3780af99dc7b4fb985.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Cm2ei9IH.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3736 set thread context of 2576	3736	1ND86mC6.exe	85

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2148	2576	WerFault.exe	85
1948	3736	WerFault.exe	83

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 1016 wrote to memory of 2284	1016	8db1b8c1b564daa7faeb55ace7fba1d91c0794df89a04d3780af99dc7b4fb985.exe	82
PID 1016 wrote to memory of 2284	1016	8db1b8c1b564daa7faeb55ace7fba1d91c0794df89a04d3780af99dc7b4fb985.exe	82
PID 1016 wrote to memory of 2284	1016	8db1b8c1b564daa7faeb55ace7fba1d91c0794df89a04d3780af99dc7b4fb985.exe	82
PID 2284 wrote to memory of 3736	2284	Cm2ei9IH.exe	83
PID 2284 wrote to memory of 3736	2284	Cm2ei9IH.exe	83
PID 2284 wrote to memory of 3736	2284	Cm2ei9IH.exe	83
PID 3736 wrote to memory of 2576	3736	1ND86mC6.exe	85
PID 3736 wrote to memory of 2576	3736	1ND86mC6.exe	85
PID 3736 wrote to memory of 2576	3736	1ND86mC6.exe	85
PID 3736 wrote to memory of 2576	3736	1ND86mC6.exe	85
PID 3736 wrote to memory of 2576	3736	1ND86mC6.exe	85
PID 3736 wrote to memory of 2576	3736	1ND86mC6.exe	85
PID 3736 wrote to memory of 2576	3736	1ND86mC6.exe	85
PID 3736 wrote to memory of 2576	3736	1ND86mC6.exe	85
PID 3736 wrote to memory of 2576	3736	1ND86mC6.exe	85
PID 3736 wrote to memory of 2576	3736	1ND86mC6.exe	85
PID 2284 wrote to memory of 3000	2284	Cm2ei9IH.exe	93
PID 2284 wrote to memory of 3000	2284	Cm2ei9IH.exe	93
PID 2284 wrote to memory of 3000	2284	Cm2ei9IH.exe	93

C:\Users\Admin\AppData\Local\Temp\8db1b8c1b564daa7faeb55ace7fba1d91c0794df89a04d3780af99dc7b4fb985.exe
"C:\Users\Admin\AppData\Local\Temp\8db1b8c1b564daa7faeb55ace7fba1d91c0794df89a04d3780af99dc7b4fb985.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1016
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Cm2ei9IH.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Cm2ei9IH.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2284
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1ND86mC6.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1ND86mC6.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:3736
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:2576
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2576 -s 540
        5⤵
        Program crash
        
        PID:2148
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3736 -s 572
      4⤵
      Program crash
      PID:1948
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Ym386to.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Ym386to.exe
    3⤵
    - Executes dropped EXE
    PID:3000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3736 -ip 3736
1⤵
PID:2852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2576 -ip 2576
1⤵
PID:4220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Cm2ei9IH.exe

Filesize
444KB

MD5
e75367a7f91da661be25b32507df5e9a

SHA1
32f36818ad62056d2ad1563acf976cdbeae54350

SHA256
da0328aa23177ca586f7fa32345a55cba104b5e4bebb7662ef73387f54b40e85

SHA512
351decacd006388b476cf5f36d7646b18ea23b9b0533928ff0a3837566744ef20ac23eb51d8b97f02211a6171b35d89ca371e0796879d985baed13dd364e41ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1ND86mC6.exe

Filesize
423KB

MD5
dac14faabaeb1102198b735e979ca06c

SHA1
edbd52a612f27123d6e780a11191c3617f7ebe29

SHA256
05d8455fc78df1631db55fa8f14b979c106082037602bb35de9feae662f65c8f

SHA512
437856b18f90a3c6524b8c62444d2d432c2f233371edaddd42d4ba5ab7980d29a39088fba94897a28767fc293a6307e14c6c037c505177e30e90a59a8dc27f05

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Ym386to.exe

Filesize
221KB

MD5
aaa48cb6d7993eeaf0ed8b4a0744a561

SHA1
f7ab1b63e97dfde785ae8ddfc5d202171c7e5ec4

SHA256
97b2d32686534e12e8747214fe5c6a928947c57150cf957dd6c7d0c21621d793

SHA512
d32c59f942b71b27bc9c46cb9ae4cfba00581ff6bb1dd921ba9264bdf76de234c4f459b2202829606b58cf04d6fc0cae9fd6dbd88279e8688f1fa03ff3a5bfc9

Download Submit
memory/2576-18-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2576-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2576-15-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2576-14-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3000-23-0x0000000007580000-0x0000000007B24000-memory.dmp

Filesize
5.6MB

Download
memory/3000-22-0x0000000000180000-0x00000000001BE000-memory.dmp

Filesize
248KB

Download
memory/3000-24-0x0000000007070000-0x0000000007102000-memory.dmp

Filesize
584KB

Download
memory/3000-25-0x00000000045F0000-0x00000000045FA000-memory.dmp

Filesize
40KB

Download
memory/3000-26-0x0000000008150000-0x0000000008768000-memory.dmp

Filesize
6.1MB

Download
memory/3000-27-0x0000000007370000-0x000000000747A000-memory.dmp

Filesize
1.0MB

Download
memory/3000-28-0x0000000007270000-0x0000000007282000-memory.dmp

Filesize
72KB

Download
memory/3000-29-0x00000000072D0000-0x000000000730C000-memory.dmp

Filesize
240KB

Download
memory/3000-30-0x0000000007310000-0x000000000735C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads