mystic | 3c91163ea40ad7e35bac48ded16235cfe9003c914f570e27b4e2d7b3c9c46c05

Analysis

max time kernel
144s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 19:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c15c0b27fca8b17175aa535d5bc1b804707b8bbce008e7a9e1fc93a2011ad5af.exe
Size

1.1MB
MD5

0d1dd7a94e962d7b64553270a85c57a8
SHA1

6b9abace5d34f86ee5d25270de8e5eea80ef7d77
SHA256

c15c0b27fca8b17175aa535d5bc1b804707b8bbce008e7a9e1fc93a2011ad5af
SHA512

54ad8d11b34e5233017546434ffcf5af61a042e487191126ed686693d72b6404e46a975d48e539f89243bca88055f652d2e6a000b5ee2533adbae1e5be30db23
SSDEEP

24576:yyCgoasgooeYfdvkUaLV9YCXMC7RgY51pZZeY/F33VCr2:Zhe0vk3jYC7RV51pTp34r

Score

10^/10

mystic redline lutyr infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

lutyr

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 3 IoCs

Processes:

resource	yara_rule
behavioral17/memory/2036-28-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral17/memory/2036-31-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral17/memory/2036-29-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2rS390Gi.exe	family_redline
behavioral17/memory/2128-35-0x0000000000780000-0x00000000007BE000-memory.dmp	family_redline

Executes dropped EXE 5 IoCs

Processes:

Lr9AL7ND.exesr3gl1jM.exekx0Uh6jz.exe1mW98DO5.exe2rS390Gi.exe

pid process

1140 Lr9AL7ND.exe
4716 sr3gl1jM.exe
4088 kx0Uh6jz.exe
1712 1mW98DO5.exe
2128 2rS390Gi.exe

pid	process
1140	Lr9AL7ND.exe
4716	sr3gl1jM.exe
4088	kx0Uh6jz.exe
1712	1mW98DO5.exe
2128	2rS390Gi.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

c15c0b27fca8b17175aa535d5bc1b804707b8bbce008e7a9e1fc93a2011ad5af.exeLr9AL7ND.exesr3gl1jM.exekx0Uh6jz.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	c15c0b27fca8b17175aa535d5bc1b804707b8bbce008e7a9e1fc93a2011ad5af.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Lr9AL7ND.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	sr3gl1jM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	kx0Uh6jz.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

1mW98DO5.exe

description pid process target process

PID 1712 set thread context of 2036 1712 1mW98DO5.exe AppLaunch.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

756 1712 WerFault.exe 1mW98DO5.exe

description	pid	process	target process
PID 1712 set thread context of 2036	1712	1mW98DO5.exe	AppLaunch.exe

pid	pid_target	process	target process
756	1712	WerFault.exe	1mW98DO5.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

c15c0b27fca8b17175aa535d5bc1b804707b8bbce008e7a9e1fc93a2011ad5af.exeLr9AL7ND.exesr3gl1jM.exekx0Uh6jz.exe1mW98DO5.exe

description	pid	process	target process
PID 3820 wrote to memory of 1140	3820	c15c0b27fca8b17175aa535d5bc1b804707b8bbce008e7a9e1fc93a2011ad5af.exe	Lr9AL7ND.exe
PID 3820 wrote to memory of 1140	3820	c15c0b27fca8b17175aa535d5bc1b804707b8bbce008e7a9e1fc93a2011ad5af.exe	Lr9AL7ND.exe
PID 3820 wrote to memory of 1140	3820	c15c0b27fca8b17175aa535d5bc1b804707b8bbce008e7a9e1fc93a2011ad5af.exe	Lr9AL7ND.exe
PID 1140 wrote to memory of 4716	1140	Lr9AL7ND.exe	sr3gl1jM.exe
PID 1140 wrote to memory of 4716	1140	Lr9AL7ND.exe	sr3gl1jM.exe
PID 1140 wrote to memory of 4716	1140	Lr9AL7ND.exe	sr3gl1jM.exe
PID 4716 wrote to memory of 4088	4716	sr3gl1jM.exe	kx0Uh6jz.exe
PID 4716 wrote to memory of 4088	4716	sr3gl1jM.exe	kx0Uh6jz.exe
PID 4716 wrote to memory of 4088	4716	sr3gl1jM.exe	kx0Uh6jz.exe
PID 4088 wrote to memory of 1712	4088	kx0Uh6jz.exe	1mW98DO5.exe
PID 4088 wrote to memory of 1712	4088	kx0Uh6jz.exe	1mW98DO5.exe
PID 4088 wrote to memory of 1712	4088	kx0Uh6jz.exe	1mW98DO5.exe
PID 1712 wrote to memory of 2036	1712	1mW98DO5.exe	AppLaunch.exe
PID 1712 wrote to memory of 2036	1712	1mW98DO5.exe	AppLaunch.exe
PID 1712 wrote to memory of 2036	1712	1mW98DO5.exe	AppLaunch.exe
PID 1712 wrote to memory of 2036	1712	1mW98DO5.exe	AppLaunch.exe
PID 1712 wrote to memory of 2036	1712	1mW98DO5.exe	AppLaunch.exe
PID 1712 wrote to memory of 2036	1712	1mW98DO5.exe	AppLaunch.exe
PID 1712 wrote to memory of 2036	1712	1mW98DO5.exe	AppLaunch.exe
PID 1712 wrote to memory of 2036	1712	1mW98DO5.exe	AppLaunch.exe
PID 1712 wrote to memory of 2036	1712	1mW98DO5.exe	AppLaunch.exe
PID 1712 wrote to memory of 2036	1712	1mW98DO5.exe	AppLaunch.exe
PID 4088 wrote to memory of 2128	4088	kx0Uh6jz.exe	2rS390Gi.exe
PID 4088 wrote to memory of 2128	4088	kx0Uh6jz.exe	2rS390Gi.exe
PID 4088 wrote to memory of 2128	4088	kx0Uh6jz.exe	2rS390Gi.exe

C:\Users\Admin\AppData\Local\Temp\c15c0b27fca8b17175aa535d5bc1b804707b8bbce008e7a9e1fc93a2011ad5af.exe
"C:\Users\Admin\AppData\Local\Temp\c15c0b27fca8b17175aa535d5bc1b804707b8bbce008e7a9e1fc93a2011ad5af.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3820
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Lr9AL7ND.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Lr9AL7ND.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1140
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sr3gl1jM.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sr3gl1jM.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4716
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kx0Uh6jz.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kx0Uh6jz.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4088
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1mW98DO5.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1mW98DO5.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1712
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:2036
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1712 -s 588
        6⤵
        Program crash
        
        PID:756
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2rS390Gi.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2rS390Gi.exe
        5⤵
        Executes dropped EXE
        
        PID:2128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1712 -ip 1712
1⤵
PID:4476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Lr9AL7ND.exe

Filesize
936KB

MD5
ded12efc64f4556da67c3e8eed142734

SHA1
4b440de562a13d0f6b7793c7c43b2bc29ce88a38

SHA256
e3486ae5cc2aad5fc00b767037ca5548dfa025f153bc18e1f1d1a136b157bf5c

SHA512
d745fb30fbb1b63f312eb199dad496c4f6840a569b4967aeeec35f30ff9a13033c87f5c89efe1834b5209d85816c3d2bdfd1ae53aa56e4d0474aeaccc200d050

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sr3gl1jM.exe

Filesize
640KB

MD5
0da56039b0d3d13d8d711bc15a4d340d

SHA1
3a0dcbd196ae32467d9bb7e7a71ed7fe994811fa

SHA256
a6406155c8f1d82546030362ab98c9c41996518a474aa26547b398ef88cbe423

SHA512
ee47c54f1f66e72cfd6130b4809365fc941d34e9ae0af706c31eacb3da57ed78c117089fbbec7ef82a72ea991b4306cb92a8c76d6ba3b2834ea7949f3bd10b9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kx0Uh6jz.exe

Filesize
444KB

MD5
42b5fac6a52dee3f30ac0cf9688ca0cb

SHA1
443e07baa5178f70ef1981f070ca7edbef3f037f

SHA256
56c90f296c99f48af75599697e12892896d35500fc2d59896ab7493cfa59b6d5

SHA512
51e2617a148bed005e1db09ebc5b24d60b0d3ffd662058d16f830c0fb1e3059e1e5f0bfb02ee1e9c5c310714d5b616162fa48428004cd44fb5c0ebb6d639e683

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1mW98DO5.exe

Filesize
423KB

MD5
843638948ed77d50f55c97fc25358a1c

SHA1
26a6597c806437a116217485f8f4787ffb22b19a

SHA256
4150ca48b7a924f8768e7d5864cb05d7ffdc8d22f34057f40f816491214c02d6

SHA512
ea32140ad7e902e568415cdebbceabbf56462b13de6c2624f368e5242ad385f207391065b21d58e32d1914d78120707d8a986299d18c2cc8997341d631d259c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2rS390Gi.exe

Filesize
221KB

MD5
4a1c95c5bee45ec414064451736322bb

SHA1
2fe500f9b9da8afc1d3357fcaf787e8a7a15fe6f

SHA256
3237394289316e4d82f9c24b4df1499aa9a7b4cd4ec36a30379eb5ccfb3cd693

SHA512
3ae856c16ddea7b6b72fe04d89b932d96ba3f59985ae0c2271d6bddcbbe5bce1bd5abd5e3a55636180b3d207abf084e60fd2937e918687432e43fbb017ca040b

Download Submit
memory/2036-28-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2036-31-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2036-29-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2128-35-0x0000000000780000-0x00000000007BE000-memory.dmp

Filesize
248KB

Download
memory/2128-36-0x0000000007AF0000-0x0000000008094000-memory.dmp

Filesize
5.6MB

Download
memory/2128-37-0x00000000075E0000-0x0000000007672000-memory.dmp

Filesize
584KB

Download
memory/2128-38-0x0000000004B90000-0x0000000004B9A000-memory.dmp

Filesize
40KB

Download
memory/2128-39-0x00000000086C0000-0x0000000008CD8000-memory.dmp

Filesize
6.1MB

Download
memory/2128-40-0x00000000078A0000-0x00000000079AA000-memory.dmp

Filesize
1.0MB

Download
memory/2128-41-0x00000000075A0000-0x00000000075B2000-memory.dmp

Filesize
72KB

Download
memory/2128-42-0x00000000077D0000-0x000000000780C000-memory.dmp

Filesize
240KB

Download
memory/2128-43-0x0000000007810000-0x000000000785C000-memory.dmp

Filesize
304KB

Download