mystic | 3767bd9b929fb47ae3b158c424044d32b3c87ffb6efc8eb109dc1df9f3d9b053

Analysis

max time kernel
143s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 08:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b3e77f6d31ee37298332a8155798214c602890ab8954cc30261e7ff78e48f838.exe
Size

1.1MB
MD5

29f505918222d2923fa3bb617664ea33
SHA1

2b468ac0a3bb06e3d8fed347ae0cc227480c0fee
SHA256

b3e77f6d31ee37298332a8155798214c602890ab8954cc30261e7ff78e48f838
SHA512

e9904233debeb2f658b08d3bdc9dd08cb1540a7e4015c7576336ee2126616446a4f4e4c402901012ed829df199ad04055ae9536be144bab45ac24b6512086671
SSDEEP

24576:7yP+uO5OFQwmqtkMPHW6A0QbshuPVeRyHLqlHXo:uw5FR+lQbshKcyHLqlH

Score

10^/10

mystic redline lutyr infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

lutyr

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 3 IoCs

Processes:

resource	yara_rule
behavioral13/memory/4892-28-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral13/memory/4892-29-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral13/memory/4892-31-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2RW035Qh.exe	family_redline
behavioral13/memory/2752-35-0x0000000000BF0000-0x0000000000C2E000-memory.dmp	family_redline

Executes dropped EXE 5 IoCs

Processes:

hW4Hb0mU.exeKz7jr7Jt.exesm4CY4on.exe1Gd73Cl8.exe2RW035Qh.exe

pid process

4784 hW4Hb0mU.exe
4220 Kz7jr7Jt.exe
932 sm4CY4on.exe
1528 1Gd73Cl8.exe
2752 2RW035Qh.exe

pid	process
4784	hW4Hb0mU.exe
4220	Kz7jr7Jt.exe
932	sm4CY4on.exe
1528	1Gd73Cl8.exe
2752	2RW035Qh.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

hW4Hb0mU.exeKz7jr7Jt.exesm4CY4on.exeb3e77f6d31ee37298332a8155798214c602890ab8954cc30261e7ff78e48f838.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	hW4Hb0mU.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Kz7jr7Jt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	sm4CY4on.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b3e77f6d31ee37298332a8155798214c602890ab8954cc30261e7ff78e48f838.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

1Gd73Cl8.exe

description pid process target process

PID 1528 set thread context of 4892 1528 1Gd73Cl8.exe AppLaunch.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1668 1528 WerFault.exe 1Gd73Cl8.exe

description	pid	process	target process
PID 1528 set thread context of 4892	1528	1Gd73Cl8.exe	AppLaunch.exe

pid	pid_target	process	target process
1668	1528	WerFault.exe	1Gd73Cl8.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

b3e77f6d31ee37298332a8155798214c602890ab8954cc30261e7ff78e48f838.exehW4Hb0mU.exeKz7jr7Jt.exesm4CY4on.exe1Gd73Cl8.exe

description	pid	process	target process
PID 2308 wrote to memory of 4784	2308	b3e77f6d31ee37298332a8155798214c602890ab8954cc30261e7ff78e48f838.exe	hW4Hb0mU.exe
PID 2308 wrote to memory of 4784	2308	b3e77f6d31ee37298332a8155798214c602890ab8954cc30261e7ff78e48f838.exe	hW4Hb0mU.exe
PID 2308 wrote to memory of 4784	2308	b3e77f6d31ee37298332a8155798214c602890ab8954cc30261e7ff78e48f838.exe	hW4Hb0mU.exe
PID 4784 wrote to memory of 4220	4784	hW4Hb0mU.exe	Kz7jr7Jt.exe
PID 4784 wrote to memory of 4220	4784	hW4Hb0mU.exe	Kz7jr7Jt.exe
PID 4784 wrote to memory of 4220	4784	hW4Hb0mU.exe	Kz7jr7Jt.exe
PID 4220 wrote to memory of 932	4220	Kz7jr7Jt.exe	sm4CY4on.exe
PID 4220 wrote to memory of 932	4220	Kz7jr7Jt.exe	sm4CY4on.exe
PID 4220 wrote to memory of 932	4220	Kz7jr7Jt.exe	sm4CY4on.exe
PID 932 wrote to memory of 1528	932	sm4CY4on.exe	1Gd73Cl8.exe
PID 932 wrote to memory of 1528	932	sm4CY4on.exe	1Gd73Cl8.exe
PID 932 wrote to memory of 1528	932	sm4CY4on.exe	1Gd73Cl8.exe
PID 1528 wrote to memory of 4892	1528	1Gd73Cl8.exe	AppLaunch.exe
PID 1528 wrote to memory of 4892	1528	1Gd73Cl8.exe	AppLaunch.exe
PID 1528 wrote to memory of 4892	1528	1Gd73Cl8.exe	AppLaunch.exe
PID 1528 wrote to memory of 4892	1528	1Gd73Cl8.exe	AppLaunch.exe
PID 1528 wrote to memory of 4892	1528	1Gd73Cl8.exe	AppLaunch.exe
PID 1528 wrote to memory of 4892	1528	1Gd73Cl8.exe	AppLaunch.exe
PID 1528 wrote to memory of 4892	1528	1Gd73Cl8.exe	AppLaunch.exe
PID 1528 wrote to memory of 4892	1528	1Gd73Cl8.exe	AppLaunch.exe
PID 1528 wrote to memory of 4892	1528	1Gd73Cl8.exe	AppLaunch.exe
PID 1528 wrote to memory of 4892	1528	1Gd73Cl8.exe	AppLaunch.exe
PID 932 wrote to memory of 2752	932	sm4CY4on.exe	2RW035Qh.exe
PID 932 wrote to memory of 2752	932	sm4CY4on.exe	2RW035Qh.exe
PID 932 wrote to memory of 2752	932	sm4CY4on.exe	2RW035Qh.exe

C:\Users\Admin\AppData\Local\Temp\b3e77f6d31ee37298332a8155798214c602890ab8954cc30261e7ff78e48f838.exe
"C:\Users\Admin\AppData\Local\Temp\b3e77f6d31ee37298332a8155798214c602890ab8954cc30261e7ff78e48f838.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2308

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\hW4Hb0mU.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\hW4Hb0mU.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4784

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Kz7jr7Jt.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Kz7jr7Jt.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4220

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sm4CY4on.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sm4CY4on.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:932

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Gd73Cl8.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Gd73Cl8.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1528

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
6⤵
PID:4892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1528 -s 588
6⤵
- Program crash
PID:1668

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2RW035Qh.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2RW035Qh.exe
5⤵
- Executes dropped EXE
PID:2752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1528 -ip 1528
1⤵
PID:1448

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\hW4Hb0mU.exe
Filesize
936KB

MD5
fb04d85ed438dc626938d887b557b889

SHA1
9f238d0cf3fc1048d804270ea8e933f07fab1e05

SHA256
09b60d2fc6bd1feb09dbea16ec2c78273a2d50e16495f60755a716062ba2e122

SHA512
533a9637cc62354c3f6fcb81e8031f7a526dc235db562094ec4ceb4e97defc33a8cdb5a00ddf074679c20b498cc35b5b42ab90e4b846ed4ce57e730911698f15

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Kz7jr7Jt.exe
Filesize
640KB

MD5
4e1351d70f0fd287651152f16f51c11a

SHA1
a13c92f34bba25cedc08f4a8c1afd1482a2e6628

SHA256
74b95bdafc114a7d701dd53826eea37384bcc3c7a05184e5891565ab28f7c2a2

SHA512
4450c03c2eb28afcdc51570189e8899ef7f0727c79e482e5aa33e9fff85f5db0aafd7c20a2b3f4160bd4e3c30a03f5c491b270749e4ae82607b234371b370d13

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sm4CY4on.exe
Filesize
444KB

MD5
b26fe864cea57f25a2bea46d92f25aa7

SHA1
d826bc24c78374762039e43f84674f3183b1b258

SHA256
32b8463ee9a1186aebb3bf574a89f5b6fe7f2de8a315c99617829ab6b89a2c91

SHA512
2547a49e45ee9ecaa1f22d62d3947e355001be50e7d77c7baf384ef01a2fb82d84e334de2ab1f45a09edd7d8971cd951342891124a3f6822d7372ca075da757e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Gd73Cl8.exe
Filesize
423KB

MD5
0b5719994e67a8888baf8568d845b9bd

SHA1
3c52ff8bd30d34357db0111ac7939b8d406fa668

SHA256
7f036b9930458495f8ff03e7636e0019cdedcb9d548ccae9aaf17f1f083b76ad

SHA512
1c7605c132af72bed179f9b91c7c20da952f2bad35ca16ad40a477c3816c6d60d583cccaa582e86c92c2116ea10a092f747526c900cbd99306eb33799a095839

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2RW035Qh.exe
Filesize
221KB

MD5
5b209cb636a99b25077bed0e2db24a46

SHA1
d2dbc38b3985ffb749b95f14f5e58cf03649642f

SHA256
1f41459c9778c0915d63e9579ec9f27e9ceaf0e6b1f3edc5b49d8f2477e260d2

SHA512
6047eab088d0778f9274b8bbdc172cc65f5655857b3288115538904a47c4a7d85c9009103620c1f36c74347999d009477245d3e0e749d1060dc00814296c031f

Download Submit
memory/2752-39-0x0000000008B00000-0x0000000009118000-memory.dmp

Filesize
6.1MB

Download
memory/2752-35-0x0000000000BF0000-0x0000000000C2E000-memory.dmp

Filesize
248KB

Download
memory/2752-36-0x0000000007F30000-0x00000000084D4000-memory.dmp

Filesize
5.6MB

Download
memory/2752-37-0x0000000007A20000-0x0000000007AB2000-memory.dmp

Filesize
584KB

Download
memory/2752-38-0x0000000004FB0000-0x0000000004FBA000-memory.dmp

Filesize
40KB

Download
memory/2752-40-0x0000000007D10000-0x0000000007E1A000-memory.dmp

Filesize
1.0MB

Download
memory/2752-41-0x0000000007BB0000-0x0000000007BC2000-memory.dmp

Filesize
72KB

Download
memory/2752-42-0x0000000007C40000-0x0000000007C7C000-memory.dmp

Filesize
240KB

Download
memory/2752-43-0x0000000007C80000-0x0000000007CCC000-memory.dmp

Filesize
304KB

Download
memory/4892-31-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4892-29-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4892-28-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download