mystic | 3c91163ea40ad7e35bac48ded16235cfe9003c914f570e27b4e2d7b3c9c46c05

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 19:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5645ed9dff35fefe6b0bc81a6383947c80bd191f23dd3516f6483675123a0efa.exe
Size

929KB
MD5

3ccf8d264d5121a41b62ae6db8110bf0
SHA1

a944f8f011db9917c142c44d8621f57737925f38
SHA256

5645ed9dff35fefe6b0bc81a6383947c80bd191f23dd3516f6483675123a0efa
SHA512

275a371f9ca64141e6ffa2b8cb3cebb4a7efad64a33fa92da372e9dc08688ea0209146ad649f15501b026951a3d54d0b343d0f738670d0f75121284bdc1cd5c2
SSDEEP

24576:4ys9bdFlXrQiUpE+kZML+2JSfl4xDE5jzC:/s9pFl7wBkG+9l4xDE

Score

10^/10

mystic redline luska infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

luska

77.91.124.55:19071

Attributes

auth_value
a6797888f51a88afbfd8854a79ac9357

Signatures

Detect Mystic stealer payload 3 IoCs

Processes:

resource	yara_rule
behavioral8/memory/2572-28-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral8/memory/2572-31-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral8/memory/2572-29-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h5760237.exe	family_redline
behavioral8/memory/3628-35-0x0000000000680000-0x00000000006B0000-memory.dmp	family_redline

Executes dropped EXE 5 IoCs

Processes:

x7092873.exex8815206.exex2522696.exeg1306451.exeh5760237.exe

pid process

2148 x7092873.exe
1536 x8815206.exe
4060 x2522696.exe
4208 g1306451.exe
3628 h5760237.exe

pid	process
2148	x7092873.exe
1536	x8815206.exe
4060	x2522696.exe
4208	g1306451.exe
3628	h5760237.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

x7092873.exex8815206.exex2522696.exe5645ed9dff35fefe6b0bc81a6383947c80bd191f23dd3516f6483675123a0efa.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x7092873.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x8815206.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x2522696.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5645ed9dff35fefe6b0bc81a6383947c80bd191f23dd3516f6483675123a0efa.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

g1306451.exe

description pid process target process

PID 4208 set thread context of 2572 4208 g1306451.exe AppLaunch.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4500 4208 WerFault.exe g1306451.exe

description	pid	process	target process
PID 4208 set thread context of 2572	4208	g1306451.exe	AppLaunch.exe

pid	pid_target	process	target process
4500	4208	WerFault.exe	g1306451.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

5645ed9dff35fefe6b0bc81a6383947c80bd191f23dd3516f6483675123a0efa.exex7092873.exex8815206.exex2522696.exeg1306451.exe

description	pid	process	target process
PID 5088 wrote to memory of 2148	5088	5645ed9dff35fefe6b0bc81a6383947c80bd191f23dd3516f6483675123a0efa.exe	x7092873.exe
PID 5088 wrote to memory of 2148	5088	5645ed9dff35fefe6b0bc81a6383947c80bd191f23dd3516f6483675123a0efa.exe	x7092873.exe
PID 5088 wrote to memory of 2148	5088	5645ed9dff35fefe6b0bc81a6383947c80bd191f23dd3516f6483675123a0efa.exe	x7092873.exe
PID 2148 wrote to memory of 1536	2148	x7092873.exe	x8815206.exe
PID 2148 wrote to memory of 1536	2148	x7092873.exe	x8815206.exe
PID 2148 wrote to memory of 1536	2148	x7092873.exe	x8815206.exe
PID 1536 wrote to memory of 4060	1536	x8815206.exe	x2522696.exe
PID 1536 wrote to memory of 4060	1536	x8815206.exe	x2522696.exe
PID 1536 wrote to memory of 4060	1536	x8815206.exe	x2522696.exe
PID 4060 wrote to memory of 4208	4060	x2522696.exe	g1306451.exe
PID 4060 wrote to memory of 4208	4060	x2522696.exe	g1306451.exe
PID 4060 wrote to memory of 4208	4060	x2522696.exe	g1306451.exe
PID 4208 wrote to memory of 2572	4208	g1306451.exe	AppLaunch.exe
PID 4208 wrote to memory of 2572	4208	g1306451.exe	AppLaunch.exe
PID 4208 wrote to memory of 2572	4208	g1306451.exe	AppLaunch.exe
PID 4208 wrote to memory of 2572	4208	g1306451.exe	AppLaunch.exe
PID 4208 wrote to memory of 2572	4208	g1306451.exe	AppLaunch.exe
PID 4208 wrote to memory of 2572	4208	g1306451.exe	AppLaunch.exe
PID 4208 wrote to memory of 2572	4208	g1306451.exe	AppLaunch.exe
PID 4208 wrote to memory of 2572	4208	g1306451.exe	AppLaunch.exe
PID 4208 wrote to memory of 2572	4208	g1306451.exe	AppLaunch.exe
PID 4208 wrote to memory of 2572	4208	g1306451.exe	AppLaunch.exe
PID 4060 wrote to memory of 3628	4060	x2522696.exe	h5760237.exe
PID 4060 wrote to memory of 3628	4060	x2522696.exe	h5760237.exe
PID 4060 wrote to memory of 3628	4060	x2522696.exe	h5760237.exe

C:\Users\Admin\AppData\Local\Temp\5645ed9dff35fefe6b0bc81a6383947c80bd191f23dd3516f6483675123a0efa.exe
"C:\Users\Admin\AppData\Local\Temp\5645ed9dff35fefe6b0bc81a6383947c80bd191f23dd3516f6483675123a0efa.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5088
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7092873.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7092873.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2148
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8815206.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8815206.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1536
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x2522696.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x2522696.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4060
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g1306451.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g1306451.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4208
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:2572
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4208 -s 136
        6⤵
        Program crash
        
        PID:4500
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h5760237.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h5760237.exe
        5⤵
        Executes dropped EXE
        
        PID:3628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4208 -ip 4208
1⤵
PID:728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7092873.exe

Filesize
827KB

MD5
7533ca042131d7281c888bdc19dc1715

SHA1
b3fe1987f02b3c43ab35652dd0058803dccc881f

SHA256
a84c35dafc4aeb76eeed35e4002629ad4bf7082a10b121096200db9cfe24f9dd

SHA512
4519993e1f3a4835efaa5da81985520d9beeb1c670c52be502252e21d19780d27c3819fa68983ab2356a0798233cb00ac30870561945bdf61f9601aa18080d55

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8815206.exe

Filesize
555KB

MD5
1e00c7389014505215d8cfdfc5a1631d

SHA1
e4d592a506e734688375673ada896f8656ff8274

SHA256
1da1711dbccbb25ea99317d45968805cc4be4382b0989c7076ec670ee67153a0

SHA512
774a3348103656b9fd8c52fbc79c57ddbcc44bb99de532505f92ed3579654702a5b5f90d4f3c3db563e0dd02d9299baa78854f989553cfaeb934e662b441382c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x2522696.exe

Filesize
390KB

MD5
97da09a7dad10f6c4f30e3f1ebb59497

SHA1
2b3ce8e7cf78b8020246f74a80175afc67d2849b

SHA256
6eb424c60f51acd78a7214359f34801a69b41057d355231c7c3cc5dd0b52c45c

SHA512
ba931baaa84bea00a20f23f86bf981643a6b4a7bbc7c9137e1b4d2a9db117cd360cd200cbd7671ea5d494dcb77b882ef816ddf575c099a9fbeb600cf88b74102

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g1306451.exe

Filesize
356KB

MD5
9339634c259ed435a79a484833c8ba39

SHA1
bb56d856a9e70aad449c14f8fb11a646cceacf75

SHA256
b3b9401a134f63aba6688fc8a6ddf21d9be552fabaf88ee721a7618bd3af89f9

SHA512
e0701e4418d4b1ed5b3c29c654e3b24a050401fb7cb473fdc2c56a956db2e7c42d929d0bc199507000d7c5766c57367d389cbf6cd20bb5833b923db1027ee042

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h5760237.exe

Filesize
174KB

MD5
f8aba8d6cd44a9b5ab2c36f68568520b

SHA1
b6910319273e7875040d88a8fcbb3165638932fe

SHA256
543eccb5cf6e1310fc31ea234989b9d7b1af6dca8415a12da23efec0340ef55c

SHA512
0c3ea3ec2f96e91d8adee61683b1f440551c6f383f4b1ca33f845ee2a323907b9ca4348c3267918c2cdb7ac05613efd0aced68e1a44180ab3e904d1f43981c8d

Download Submit
memory/2572-29-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2572-31-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2572-28-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3628-35-0x0000000000680000-0x00000000006B0000-memory.dmp

Filesize
192KB

Download
memory/3628-36-0x0000000001100000-0x0000000001106000-memory.dmp

Filesize
24KB

Download
memory/3628-37-0x00000000055D0000-0x0000000005BE8000-memory.dmp

Filesize
6.1MB

Download
memory/3628-38-0x00000000050D0000-0x00000000051DA000-memory.dmp

Filesize
1.0MB

Download
memory/3628-39-0x0000000005010000-0x0000000005022000-memory.dmp

Filesize
72KB

Download
memory/3628-40-0x0000000005070000-0x00000000050AC000-memory.dmp

Filesize
240KB

Download
memory/3628-41-0x00000000051E0000-0x000000000522C000-memory.dmp

Filesize
304KB

Download