mystic | 2dae798f2fcb49ad5f375700dcbe54c08e9cc5c25fe542ebd7939aa5f5f023aa

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 18:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4b7ea12db629e57826906a92344722cd83a635004026635b2ca16c24e67dbde4.exe
Size

1.0MB
MD5

f2206ecbd7925d4420beb0cdb8223844
SHA1

1b90e925b97d351300ab32717d48dc2827bff943
SHA256

4b7ea12db629e57826906a92344722cd83a635004026635b2ca16c24e67dbde4
SHA512

cdc69caa57a79819d79f19eacfb0bbbc6127ae138e6c9fc3cd18206f75d9dab29b7a4b75379e278c2b9f3436d28feee843bf485d1226e7f74751808fb24af068
SSDEEP

24576:DyjJGg0XCjghLfa3DGYtq9QB9xNXooGF:Wjgg0yjghTaz1TX

Score

10^/10

mystic redline lutyr infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

lutyr

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 1 IoCs

resource	yara_rule
behavioral8/files/0x000800000002344b-19.dat	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral8/files/0x000700000002344c-22.dat	family_redline
behavioral8/memory/4392-24-0x0000000000570000-0x00000000005AE000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

pid	Process
3060	kI4hN1gl.exe
3160	kp6Rs9Fd.exe
3260	1Eg12Uy4.exe
4392	2MG857nU.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	4b7ea12db629e57826906a92344722cd83a635004026635b2ca16c24e67dbde4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	kI4hN1gl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	kp6Rs9Fd.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3096 wrote to memory of 3060	3096	4b7ea12db629e57826906a92344722cd83a635004026635b2ca16c24e67dbde4.exe	82
PID 3096 wrote to memory of 3060	3096	4b7ea12db629e57826906a92344722cd83a635004026635b2ca16c24e67dbde4.exe	82
PID 3096 wrote to memory of 3060	3096	4b7ea12db629e57826906a92344722cd83a635004026635b2ca16c24e67dbde4.exe	82
PID 3060 wrote to memory of 3160	3060	kI4hN1gl.exe	83
PID 3060 wrote to memory of 3160	3060	kI4hN1gl.exe	83
PID 3060 wrote to memory of 3160	3060	kI4hN1gl.exe	83
PID 3160 wrote to memory of 3260	3160	kp6Rs9Fd.exe	84
PID 3160 wrote to memory of 3260	3160	kp6Rs9Fd.exe	84
PID 3160 wrote to memory of 3260	3160	kp6Rs9Fd.exe	84
PID 3160 wrote to memory of 4392	3160	kp6Rs9Fd.exe	85
PID 3160 wrote to memory of 4392	3160	kp6Rs9Fd.exe	85
PID 3160 wrote to memory of 4392	3160	kp6Rs9Fd.exe	85

C:\Users\Admin\AppData\Local\Temp\4b7ea12db629e57826906a92344722cd83a635004026635b2ca16c24e67dbde4.exe
"C:\Users\Admin\AppData\Local\Temp\4b7ea12db629e57826906a92344722cd83a635004026635b2ca16c24e67dbde4.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3096
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kI4hN1gl.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kI4hN1gl.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3060
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp6Rs9Fd.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp6Rs9Fd.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3160
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Eg12Uy4.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Eg12Uy4.exe
      4⤵
      Executes dropped EXE
      PID:3260
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2MG857nU.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2MG857nU.exe
      4⤵
      Executes dropped EXE
      PID:4392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kI4hN1gl.exe

Filesize
522KB

MD5
acea3fb2d0ae0acc0f3a9065f235fa1c

SHA1
69ea4f8161da09b5fe3ee9a77586c30d8b77547a

SHA256
985fdd24a75709001252c234d84af9fd0c877754dd4ab203eeb3c69c97713f1e

SHA512
9604ed87590db98d8683b62ec37418a41d799488b5525e2110f45ac84345c21402d27d67715ee282f0209eee25ecc89ef71f4d97fc352e74cebd63ae4e327175

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp6Rs9Fd.exe

Filesize
326KB

MD5
38484213eb50ca3f80afe6415577d554

SHA1
858c4f9c5382d5e7f6ed115319a512d24dfc9f4b

SHA256
ddd211b4aab0182415da0e270affada33c05c3bcd054eafe08e436195faf71c3

SHA512
bc7649f09678dcdd68a1b13c47acd65b1547d3a9e6fba1da12c92d55bc4157a04262e9834392f693d0d829bfb185fcf62eaa9c6cb8bea591119e65a639dfe841

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Eg12Uy4.exe

Filesize
190KB

MD5
a6656e3d6d06c8ce9cbb4b6952553c20

SHA1
af45103616dc896da5ee4268fd5f9483b5b97c1c

SHA256
fec303b128c44607654c078736b96d2762722f51b6c473dfe5415158fd83718b

SHA512
f53f2214d3f192a352b2a93c66d91988a41a5ab9dbf15edd62ea8ce38da8a732114e3c46526d4dc6f3132330913b1acb90fa11ff454a1520d117149a86678d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2MG857nU.exe

Filesize
221KB

MD5
c629ad56663dd8b0668805bc7e91262b

SHA1
bd63322e5773285509dd7459c0c292fb385d4f63

SHA256
b159c9ec253d0d32752e4e90b38a633aae29d7d5688ddd11dba58976aa2f5f52

SHA512
aa555565ece19e2c6a427e846905226eccb1336b9d827ce77e3bf727724d54b4f5da68d8841ac8458b512f83cd5da25e0ffd7add4bd921b796c84552ec61aca2

Download Submit
memory/4392-24-0x0000000000570000-0x00000000005AE000-memory.dmp

Filesize
248KB

Download
memory/4392-25-0x00000000077A0000-0x0000000007D44000-memory.dmp

Filesize
5.6MB

Download
memory/4392-26-0x00000000072F0000-0x0000000007382000-memory.dmp

Filesize
584KB

Download
memory/4392-27-0x0000000004880000-0x000000000488A000-memory.dmp

Filesize
40KB

Download
memory/4392-28-0x0000000008370000-0x0000000008988000-memory.dmp

Filesize
6.1MB

Download
memory/4392-29-0x0000000007670000-0x000000000777A000-memory.dmp

Filesize
1.0MB

Download
memory/4392-30-0x0000000007520000-0x0000000007532000-memory.dmp

Filesize
72KB

Download
memory/4392-31-0x00000000075A0000-0x00000000075DC000-memory.dmp

Filesize
240KB

Download
memory/4392-32-0x00000000075E0000-0x000000000762C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads