mystic | ffe8fa0cf1ed446eeb9dc6eef440d6e2121396f13b66e26a431adcd9f2d605e3

Analysis

max time kernel
143s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 19:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0e85c029067c6b16235fdcf9b3b93f0b3aef80462a8991420b61166786a76d31.exe
Size

640KB
MD5

9a4e8c74a4e6a5fc1c51c71d095af441
SHA1

04bffaef08e3fc153eddabea6f7047a01d83b7c4
SHA256

0e85c029067c6b16235fdcf9b3b93f0b3aef80462a8991420b61166786a76d31
SHA512

9d56d0f359693db3604dafdbd7415ef93fb0baa74652d59fadf914bf0a694fc50959f4c1d9d79a1cd620dca4ba0919b021ab2f93ca79a8ad5615c695d15216f4
SSDEEP

12288:VMrby90H7NiOMM6nEZofl1XRmT74so1UV3LpQPfNy5:uyzbZ7dhRy4F1U4Ny5

Score

10^/10

mystic redline lutyr infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

lutyr

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral2/memory/2924-14-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral2/memory/2924-17-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral2/memory/2924-18-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral2/memory/2924-15-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral2/files/0x00070000000234ab-20.dat	family_redline
behavioral2/memory/2860-22-0x0000000000400000-0x000000000043E000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

pid	Process
4152	Yh9kZ8zc.exe
1748	1ew65pW2.exe
2860	2Rs453cd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	0e85c029067c6b16235fdcf9b3b93f0b3aef80462a8991420b61166786a76d31.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Yh9kZ8zc.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1748 set thread context of 2924	1748	1ew65pW2.exe	85

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1612	1748	WerFault.exe	83
1988	2924	WerFault.exe	85

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 3696 wrote to memory of 4152	3696	0e85c029067c6b16235fdcf9b3b93f0b3aef80462a8991420b61166786a76d31.exe	82
PID 3696 wrote to memory of 4152	3696	0e85c029067c6b16235fdcf9b3b93f0b3aef80462a8991420b61166786a76d31.exe	82
PID 3696 wrote to memory of 4152	3696	0e85c029067c6b16235fdcf9b3b93f0b3aef80462a8991420b61166786a76d31.exe	82
PID 4152 wrote to memory of 1748	4152	Yh9kZ8zc.exe	83
PID 4152 wrote to memory of 1748	4152	Yh9kZ8zc.exe	83
PID 4152 wrote to memory of 1748	4152	Yh9kZ8zc.exe	83
PID 1748 wrote to memory of 2924	1748	1ew65pW2.exe	85
PID 1748 wrote to memory of 2924	1748	1ew65pW2.exe	85
PID 1748 wrote to memory of 2924	1748	1ew65pW2.exe	85
PID 1748 wrote to memory of 2924	1748	1ew65pW2.exe	85
PID 1748 wrote to memory of 2924	1748	1ew65pW2.exe	85
PID 1748 wrote to memory of 2924	1748	1ew65pW2.exe	85
PID 1748 wrote to memory of 2924	1748	1ew65pW2.exe	85
PID 1748 wrote to memory of 2924	1748	1ew65pW2.exe	85
PID 1748 wrote to memory of 2924	1748	1ew65pW2.exe	85
PID 1748 wrote to memory of 2924	1748	1ew65pW2.exe	85
PID 4152 wrote to memory of 2860	4152	Yh9kZ8zc.exe	93
PID 4152 wrote to memory of 2860	4152	Yh9kZ8zc.exe	93
PID 4152 wrote to memory of 2860	4152	Yh9kZ8zc.exe	93

C:\Users\Admin\AppData\Local\Temp\0e85c029067c6b16235fdcf9b3b93f0b3aef80462a8991420b61166786a76d31.exe
"C:\Users\Admin\AppData\Local\Temp\0e85c029067c6b16235fdcf9b3b93f0b3aef80462a8991420b61166786a76d31.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3696
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Yh9kZ8zc.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Yh9kZ8zc.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4152
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1ew65pW2.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1ew65pW2.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1748
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:2924
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 540
        5⤵
        Program crash
        
        PID:1988
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1748 -s 572
      4⤵
      Program crash
      PID:1612
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Rs453cd.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Rs453cd.exe
    3⤵
    - Executes dropped EXE
    PID:2860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2924 -ip 2924
1⤵
PID:856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1748 -ip 1748
1⤵
PID:4200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Yh9kZ8zc.exe

Filesize
444KB

MD5
40d5fffe64a8bff00971c70f88f7e44b

SHA1
a0e7df23dcdbdbe814d8af0aaf84d1df37e4a8a2

SHA256
469e65eb452158a33cece74af8537059df2718da4c643f20f2503fec10350790

SHA512
d4bcdd6872c16d9817c861676ae3a46e3a40120fcd4fc9e79abd1168d714fbdc9b2c55463ffebb8b45fa9e01ac21a100bc58598acb954f3fe6655d6924dbf3a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1ew65pW2.exe

Filesize
423KB

MD5
894d4805dc4c905f3868a91ae1676b75

SHA1
6ecbc1b344d7a3e8d2329a7843ad1181544d4f03

SHA256
11c8498e5a736e8f9dc611699322642dbf18bd2c7c5696bfe53b971c9bcf6222

SHA512
fb53b677fdefe6ecedda1ae6bc5ef35f5a91b4447991a072e715ff2a9a7a81bd9b88a9397dfafc34326b4c9fdf40374137f25222b2725bffc8ea3d54bac06c3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Rs453cd.exe

Filesize
221KB

MD5
81db7db5ada0f0ae93ab0f1570fcd061

SHA1
49b32a6ba4abc2b2655013cf0c539c9158b71423

SHA256
2a47c5212f898d6c75f74663c6ac887b90b51e1f71376a602f5cffdb447a4ec2

SHA512
756da5ed9cafe75aa21767c94be749a36a734cb087984482b8e1c17600ab554d214484a6160d1cd24504e415842202a8323161bdcd8b447ae682bfbdb5296b99

Download Submit
memory/2860-27-0x00000000075D0000-0x00000000076DA000-memory.dmp

Filesize
1.0MB

Download
memory/2860-22-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2860-23-0x00000000077B0000-0x0000000007D54000-memory.dmp

Filesize
5.6MB

Download
memory/2860-24-0x0000000007300000-0x0000000007392000-memory.dmp

Filesize
584KB

Download
memory/2860-25-0x00000000027A0000-0x00000000027AA000-memory.dmp

Filesize
40KB

Download
memory/2860-26-0x0000000008380000-0x0000000008998000-memory.dmp

Filesize
6.1MB

Download
memory/2860-28-0x0000000007500000-0x0000000007512000-memory.dmp

Filesize
72KB

Download
memory/2860-29-0x0000000007560000-0x000000000759C000-memory.dmp

Filesize
240KB

Download
memory/2860-30-0x00000000076E0000-0x000000000772C000-memory.dmp

Filesize
304KB

Download
memory/2924-18-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2924-15-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2924-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2924-14-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads