mystic | 60fcc3045e1b1073753937ff8c184c464a45ea76225a406024335c07f898cf7b

Analysis

max time kernel
143s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 17:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c6c6e2b36cc534a5768d98292b94e03e95b6ecccd57823d6099475b213bcdc88.exe
Size

1.3MB
MD5

cc07fdc9cfb6929cb13c54068f89e17f
SHA1

efee85b22b066cbe59dfd90e7b010eceacc764e0
SHA256

c6c6e2b36cc534a5768d98292b94e03e95b6ecccd57823d6099475b213bcdc88
SHA512

f2d3c6a2c98aaa41803c27bf800b7c8de2537ac460057f0cc1d9a35f56d3fa0255b0a37ef6e4e522a16b4a856ad327aca66449f8e6be1ebb90ba62307b757780
SSDEEP

24576:myI4sj4b7MX2hW2NjE7B8YaZqITgWfjN9+njDVUVEhMBj3bOoTA:1LmE7M2djE7mYwIENqSEhgj3SoT

Score

10^/10

mystic redline lutyr infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

lutyr

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 1 IoCs

resource	yara_rule
behavioral18/files/0x0008000000023434-33.dat	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral18/files/0x0007000000023435-36.dat	family_redline
behavioral18/memory/4492-38-0x0000000000FB0000-0x0000000000FEE000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
4332	RG5jz3px.exe
2112	Jc4pf5GP.exe
4028	sM1vY2Rl.exe
4712	fV9VW3Jy.exe
4924	1Zd21aG1.exe
4492	2dB798yG.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	c6c6e2b36cc534a5768d98292b94e03e95b6ecccd57823d6099475b213bcdc88.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	RG5jz3px.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Jc4pf5GP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	sM1vY2Rl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	fV9VW3Jy.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2212 wrote to memory of 4332	2212	c6c6e2b36cc534a5768d98292b94e03e95b6ecccd57823d6099475b213bcdc88.exe	82
PID 2212 wrote to memory of 4332	2212	c6c6e2b36cc534a5768d98292b94e03e95b6ecccd57823d6099475b213bcdc88.exe	82
PID 2212 wrote to memory of 4332	2212	c6c6e2b36cc534a5768d98292b94e03e95b6ecccd57823d6099475b213bcdc88.exe	82
PID 4332 wrote to memory of 2112	4332	RG5jz3px.exe	83
PID 4332 wrote to memory of 2112	4332	RG5jz3px.exe	83
PID 4332 wrote to memory of 2112	4332	RG5jz3px.exe	83
PID 2112 wrote to memory of 4028	2112	Jc4pf5GP.exe	84
PID 2112 wrote to memory of 4028	2112	Jc4pf5GP.exe	84
PID 2112 wrote to memory of 4028	2112	Jc4pf5GP.exe	84
PID 4028 wrote to memory of 4712	4028	sM1vY2Rl.exe	85
PID 4028 wrote to memory of 4712	4028	sM1vY2Rl.exe	85
PID 4028 wrote to memory of 4712	4028	sM1vY2Rl.exe	85
PID 4712 wrote to memory of 4924	4712	fV9VW3Jy.exe	86
PID 4712 wrote to memory of 4924	4712	fV9VW3Jy.exe	86
PID 4712 wrote to memory of 4924	4712	fV9VW3Jy.exe	86
PID 4712 wrote to memory of 4492	4712	fV9VW3Jy.exe	87
PID 4712 wrote to memory of 4492	4712	fV9VW3Jy.exe	87
PID 4712 wrote to memory of 4492	4712	fV9VW3Jy.exe	87

C:\Users\Admin\AppData\Local\Temp\c6c6e2b36cc534a5768d98292b94e03e95b6ecccd57823d6099475b213bcdc88.exe
"C:\Users\Admin\AppData\Local\Temp\c6c6e2b36cc534a5768d98292b94e03e95b6ecccd57823d6099475b213bcdc88.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RG5jz3px.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RG5jz3px.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4332
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Jc4pf5GP.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Jc4pf5GP.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2112
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sM1vY2Rl.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sM1vY2Rl.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4028
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\fV9VW3Jy.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\fV9VW3Jy.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4712
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Zd21aG1.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Zd21aG1.exe
        6⤵
        Executes dropped EXE
        
        PID:4924
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2dB798yG.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2dB798yG.exe
        6⤵
        Executes dropped EXE
        
        PID:4492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RG5jz3px.exe

Filesize
1.2MB

MD5
65b189d440c94747183be1d6eda59b32

SHA1
df0b0e29c57acc221966b1c794075e08f7a0a1cc

SHA256
e6ed77e165ac3650ef32a361863dd71b6a57718810892552b6c6e70ad724e0ea

SHA512
ef08248237192610a067fee347b4816058aea8d82ae02827dcd15746dd3114d8c25c1c7f176fbbe2bf52a17024a2154035b5035e971caaf2c031444da2717768

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Jc4pf5GP.exe

Filesize
1.0MB

MD5
c70ad50489c3bde19b42a3467a8ae06e

SHA1
7d66e38b32f76d1492072b520e48046678f2dad8

SHA256
c44f4c7b2b3d61d5d91bbd45f66dc7e68eff1f99bd688406a2718843af02fc42

SHA512
6d8b57d226959cb8fde4ed01a67f1cd466d089949394a49e33aff35b3afdfcb7dded288383347205261e4f4c2fe41106172df74199f2a51b5bc3607c1ad49dd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sM1vY2Rl.exe

Filesize
522KB

MD5
9719ab6fc1db1c724181b4cab3d8a88c

SHA1
729563b13c3fe9c8a7a070b2ca1f8c228b240cad

SHA256
f729446e7312a8678ab54b119fd2e71e1cfe5a5ff616d388e90b45494dab0eba

SHA512
d265f93e2260b9588346a9a94faf71e52aabc573969e5ece2aeea6641b1208fb9f758cf907326e81f40944abfd45288e6dd24f20d77e66ccdd523ef16dc0fbfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\fV9VW3Jy.exe

Filesize
326KB

MD5
a2901832bd1995475f9acad1d13e06ba

SHA1
7e25f57bfd4a5746ce394a266a08439bc9b67d75

SHA256
681e2b0ca4abaddb0f3c5e6dee3083948faed8d8ae3c41ff641b70c55c12dac7

SHA512
1d1529f1474fad2d4ae5c077bb6e1c5125c6e51102e947d68f9f611508cf376f4456587a71db3ab744f91968830f2e57c2bb6d04f56901d74703d55fa899f7a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Zd21aG1.exe

Filesize
190KB

MD5
a6656e3d6d06c8ce9cbb4b6952553c20

SHA1
af45103616dc896da5ee4268fd5f9483b5b97c1c

SHA256
fec303b128c44607654c078736b96d2762722f51b6c473dfe5415158fd83718b

SHA512
f53f2214d3f192a352b2a93c66d91988a41a5ab9dbf15edd62ea8ce38da8a732114e3c46526d4dc6f3132330913b1acb90fa11ff454a1520d117149a86678d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2dB798yG.exe

Filesize
221KB

MD5
a1b6c5d2d119f9b8c507012ad951b127

SHA1
cff6e7546c81bd7278683ffb1fba1a509cca1bcb

SHA256
6199eec3b1ca81db539a7275fbeda54c59ab5dd32c0d280861d685ba238bec0e

SHA512
b380b069ca433800c20d516d9b6a09ac2261326656d925f28f09b01390e209188af7e0c9f31cbb69bc767e2e4d6f14ae1e9be872a8dfb154d591bc69cfda1b80

Download Submit
memory/4492-38-0x0000000000FB0000-0x0000000000FEE000-memory.dmp

Filesize
248KB

Download
memory/4492-39-0x00000000083E0000-0x0000000008984000-memory.dmp

Filesize
5.6MB

Download
memory/4492-40-0x0000000007ED0000-0x0000000007F62000-memory.dmp

Filesize
584KB

Download
memory/4492-41-0x0000000003360000-0x000000000336A000-memory.dmp

Filesize
40KB

Download
memory/4492-44-0x00000000080A0000-0x00000000080B2000-memory.dmp

Filesize
72KB

Download
memory/4492-45-0x0000000008100000-0x000000000813C000-memory.dmp

Filesize
240KB

Download
memory/4492-43-0x0000000008260000-0x000000000836A000-memory.dmp

Filesize
1.0MB

Download
memory/4492-42-0x0000000008FB0000-0x00000000095C8000-memory.dmp

Filesize
6.1MB

Download
memory/4492-46-0x0000000008150000-0x000000000819C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads