mystic | ffe8fa0cf1ed446eeb9dc6eef440d6e2121396f13b66e26a431adcd9f2d605e3

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 19:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0bd57c625c8696f13dca81e807695648802ac535fabc2f383ee13c655c34c21b.exe
Size

1.3MB
MD5

9f8904e90d15b821ffc35d9795dc6946
SHA1

6759026a0967a377c9a3001a534d2deb09985334
SHA256

0bd57c625c8696f13dca81e807695648802ac535fabc2f383ee13c655c34c21b
SHA512

8ae810835229d81e7a31bb3ae802c4360af9f910fe735d71ca770399e840fcd59ff3a5c184c7b7d5232a8375ab815b820317d2cbad993127409ac04c6503367d
SSDEEP

24576:6yk5vFfu8pOEPcqhEdVpbkxeEAFoNrOjs2UFWBLM/k/UI:BuvO4hYpEAFo1P2lxpU

Score

10^/10

mystic redline lutyr infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

lutyr

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3236-35-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/3236-38-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/3236-37-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2CP508aj.exe	family_redline
behavioral1/memory/3352-42-0x0000000000D80000-0x0000000000DBE000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

Processes:

MQ3Qu7gd.exeZa3IL1Tw.execD0aa2Sr.exeXD6bR2Pf.exe1rK73YS4.exe2CP508aj.exe

pid process

232 MQ3Qu7gd.exe
3128 Za3IL1Tw.exe
1636 cD0aa2Sr.exe
1620 XD6bR2Pf.exe
1108 1rK73YS4.exe
3352 2CP508aj.exe

pid	process
232	MQ3Qu7gd.exe
3128	Za3IL1Tw.exe
1636	cD0aa2Sr.exe
1620	XD6bR2Pf.exe
1108	1rK73YS4.exe
3352	2CP508aj.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

0bd57c625c8696f13dca81e807695648802ac535fabc2f383ee13c655c34c21b.exeMQ3Qu7gd.exeZa3IL1Tw.execD0aa2Sr.exeXD6bR2Pf.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	0bd57c625c8696f13dca81e807695648802ac535fabc2f383ee13c655c34c21b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	MQ3Qu7gd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Za3IL1Tw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	cD0aa2Sr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	XD6bR2Pf.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

1rK73YS4.exe

description pid process target process

PID 1108 set thread context of 3236 1108 1rK73YS4.exe AppLaunch.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2540 1108 WerFault.exe 1rK73YS4.exe

description	pid	process	target process
PID 1108 set thread context of 3236	1108	1rK73YS4.exe	AppLaunch.exe

pid	pid_target	process	target process
2540	1108	WerFault.exe	1rK73YS4.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

0bd57c625c8696f13dca81e807695648802ac535fabc2f383ee13c655c34c21b.exeMQ3Qu7gd.exeZa3IL1Tw.execD0aa2Sr.exeXD6bR2Pf.exe1rK73YS4.exe

description	pid	process	target process
PID 940 wrote to memory of 232	940	0bd57c625c8696f13dca81e807695648802ac535fabc2f383ee13c655c34c21b.exe	MQ3Qu7gd.exe
PID 940 wrote to memory of 232	940	0bd57c625c8696f13dca81e807695648802ac535fabc2f383ee13c655c34c21b.exe	MQ3Qu7gd.exe
PID 940 wrote to memory of 232	940	0bd57c625c8696f13dca81e807695648802ac535fabc2f383ee13c655c34c21b.exe	MQ3Qu7gd.exe
PID 232 wrote to memory of 3128	232	MQ3Qu7gd.exe	Za3IL1Tw.exe
PID 232 wrote to memory of 3128	232	MQ3Qu7gd.exe	Za3IL1Tw.exe
PID 232 wrote to memory of 3128	232	MQ3Qu7gd.exe	Za3IL1Tw.exe
PID 3128 wrote to memory of 1636	3128	Za3IL1Tw.exe	cD0aa2Sr.exe
PID 3128 wrote to memory of 1636	3128	Za3IL1Tw.exe	cD0aa2Sr.exe
PID 3128 wrote to memory of 1636	3128	Za3IL1Tw.exe	cD0aa2Sr.exe
PID 1636 wrote to memory of 1620	1636	cD0aa2Sr.exe	XD6bR2Pf.exe
PID 1636 wrote to memory of 1620	1636	cD0aa2Sr.exe	XD6bR2Pf.exe
PID 1636 wrote to memory of 1620	1636	cD0aa2Sr.exe	XD6bR2Pf.exe
PID 1620 wrote to memory of 1108	1620	XD6bR2Pf.exe	1rK73YS4.exe
PID 1620 wrote to memory of 1108	1620	XD6bR2Pf.exe	1rK73YS4.exe
PID 1620 wrote to memory of 1108	1620	XD6bR2Pf.exe	1rK73YS4.exe
PID 1108 wrote to memory of 3236	1108	1rK73YS4.exe	AppLaunch.exe
PID 1108 wrote to memory of 3236	1108	1rK73YS4.exe	AppLaunch.exe
PID 1108 wrote to memory of 3236	1108	1rK73YS4.exe	AppLaunch.exe
PID 1108 wrote to memory of 3236	1108	1rK73YS4.exe	AppLaunch.exe
PID 1108 wrote to memory of 3236	1108	1rK73YS4.exe	AppLaunch.exe
PID 1108 wrote to memory of 3236	1108	1rK73YS4.exe	AppLaunch.exe
PID 1108 wrote to memory of 3236	1108	1rK73YS4.exe	AppLaunch.exe
PID 1108 wrote to memory of 3236	1108	1rK73YS4.exe	AppLaunch.exe
PID 1108 wrote to memory of 3236	1108	1rK73YS4.exe	AppLaunch.exe
PID 1108 wrote to memory of 3236	1108	1rK73YS4.exe	AppLaunch.exe
PID 1620 wrote to memory of 3352	1620	XD6bR2Pf.exe	2CP508aj.exe
PID 1620 wrote to memory of 3352	1620	XD6bR2Pf.exe	2CP508aj.exe
PID 1620 wrote to memory of 3352	1620	XD6bR2Pf.exe	2CP508aj.exe

C:\Users\Admin\AppData\Local\Temp\0bd57c625c8696f13dca81e807695648802ac535fabc2f383ee13c655c34c21b.exe
"C:\Users\Admin\AppData\Local\Temp\0bd57c625c8696f13dca81e807695648802ac535fabc2f383ee13c655c34c21b.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:940

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MQ3Qu7gd.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MQ3Qu7gd.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:232

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Za3IL1Tw.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Za3IL1Tw.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3128

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cD0aa2Sr.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cD0aa2Sr.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1636

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\XD6bR2Pf.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\XD6bR2Pf.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1620

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1rK73YS4.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1rK73YS4.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1108

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
PID:3236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 592
7⤵
- Program crash
PID:2540

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2CP508aj.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2CP508aj.exe
6⤵
- Executes dropped EXE
PID:3352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1108 -ip 1108
1⤵
PID:4376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MQ3Qu7gd.exe

Filesize
1.1MB

MD5
84dbb51685bd282149cdf930a11cda9d

SHA1
f1f89348ee7c9fd8e0a4e377c8089a147db39b67

SHA256
ba184ce34abb97cfd64941d987cff86de4060636fdfc87cbf49e3abf3a96854d

SHA512
8a557d4e14002750279341dc38a72eb3878b4ccce52e00bbc5d4eb165b07ada3c6b79da93647868d3eb58784cb566daa8d5d4c0b2b01d57e7e386cf418a450a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Za3IL1Tw.exe

Filesize
952KB

MD5
38a08a81d1bbaf8121391f82133dd890

SHA1
d52fbc7d005a09794f2415fd84480af23d1dd86a

SHA256
1787527bd38603dc53c14440244f1c241c31a214a6b1fa3490279b88da1cae1b

SHA512
1cd0220ad326d3d1ae737db89937cd289a41afa28b969a754f225c02eecef0e53d3a3191b16e49085de2d8c02853ed752f9d82c87c9586e605acf763954ccd06

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cD0aa2Sr.exe

Filesize
647KB

MD5
50f7a0f61c82640a85aa34f97094e6de

SHA1
3d7c321188fbe0eb0065d4305e6bd8cf56e789a8

SHA256
733f9c37562e1eca8c20f77f1d68bd97dafd54f2cfb8c7246d12c5e5563b8fab

SHA512
07e354b1629650b66e070b8938a46da310d341b051cab02c11585c228cf7a64d0bea47ff807570ec218cc701f0bae379f5cfa918eae7b43620329fc9ff14320c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\XD6bR2Pf.exe

Filesize
451KB

MD5
970afad831edc89b613d1dbda4ac88d3

SHA1
5ee5af442c1732e6468ef792a58c63e0756eced8

SHA256
d6dec15fd36d4066419d37649e43368992f4fc2c3ea06c894cb98b693504fd6b

SHA512
d24e5e0365356fb99ff25ebef85062b0f39640e73f1e89b4a0be19376a5c16642ec4f9dc78f27a1861c6d6578a4c3d3d52f434947eb3053938608ba1f6cf90f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1rK73YS4.exe

Filesize
448KB

MD5
1b07355c19b6142eab00b2847a458185

SHA1
d63f07b46620a75b39adfff88014b8c021a91e44

SHA256
8863398077e459bf8efc333876409996d91ee9af08ef85bfe37695800020292b

SHA512
c5b7470c472a4792fc2fde5c746a6cb63889e813ecc79e355387f8a9cf19360fb9cb41edc6adaeb05e82461e258809ffcab03d78a9a9240c0db69d208f8c2403

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2CP508aj.exe

Filesize
222KB

MD5
66168c2f0abd384a49e6f540f6fb43b4

SHA1
2b8bbe4ed27dc69ab4e4a405ae7b1f157bd3369b

SHA256
6c3d46f067804bf1216955b4c6540413fb479c674f5e19a9d2d224a4aeee8d04

SHA512
6f4c95a043210b8fd6c7df748b4ffdd3f65c63acb3ee70a051a9a71ab569f18de6b717ad97d9a5f10fcd3d3036b2a77937b0043f1478138d72d4cd2c65d227a3

Download Submit
memory/3236-38-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3236-37-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3236-35-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3352-42-0x0000000000D80000-0x0000000000DBE000-memory.dmp

Filesize
248KB

Download
memory/3352-43-0x00000000080C0000-0x0000000008664000-memory.dmp

Filesize
5.6MB

Download
memory/3352-44-0x0000000007BB0000-0x0000000007C42000-memory.dmp

Filesize
584KB

Download
memory/3352-45-0x0000000002FB0000-0x0000000002FBA000-memory.dmp

Filesize
40KB

Download
memory/3352-46-0x0000000008C90000-0x00000000092A8000-memory.dmp

Filesize
6.1MB

Download
memory/3352-47-0x0000000007E90000-0x0000000007F9A000-memory.dmp

Filesize
1.0MB

Download
memory/3352-48-0x0000000007D40000-0x0000000007D52000-memory.dmp

Filesize
72KB

Download
memory/3352-49-0x0000000007DC0000-0x0000000007DFC000-memory.dmp

Filesize
240KB

Download
memory/3352-50-0x0000000007E00000-0x0000000007E4C000-memory.dmp

Filesize
304KB

Download