mystic | be3323c3b2bd6ba736703199d528de6bf1396e8a7c6b9b58e4ca31fda43b00e0

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 08:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ec4e6a678a24fbc6072d65beb0203bf9dc01f768df9a7430ed0d827b8d290172.exe
Size

640KB
MD5

936d47f90f4943e9191cba496e128a28
SHA1

74e03c3a3603048b6d43e84d0f1460fb8bcd5474
SHA256

ec4e6a678a24fbc6072d65beb0203bf9dc01f768df9a7430ed0d827b8d290172
SHA512

0db1c75b8decc83959fcc2c8bb3485bdefbc9b169b4aa0b05c33db78b1d4acdbfe4c41a75aa922de6694b0138a45706f789fd58e22da7c696318c0181b28a506
SSDEEP

12288:GMrGy90ZxnbkSAVpVLg7qHwGUz5YcXkzf02XhXH:Qyal8jQb5YcXEfph3

Score

10^/10

mystic redline lutyr infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

lutyr

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral18/memory/1368-14-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral18/memory/1368-15-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral18/memory/1368-18-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral18/memory/1368-16-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral18/files/0x0007000000023470-20.dat	family_redline
behavioral18/memory/2064-22-0x0000000000760000-0x000000000079E000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

pid	Process
3500	zA5gq5mz.exe
2912	1Aq95AW6.exe
2064	2PK733PX.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ec4e6a678a24fbc6072d65beb0203bf9dc01f768df9a7430ed0d827b8d290172.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zA5gq5mz.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2912 set thread context of 1368	2912	1Aq95AW6.exe	87

Program crash 2 IoCs

pid	pid_target	Process	procid_target
872	1368	WerFault.exe	87
1444	2912	WerFault.exe	86

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 5080 wrote to memory of 3500	5080	ec4e6a678a24fbc6072d65beb0203bf9dc01f768df9a7430ed0d827b8d290172.exe	85
PID 5080 wrote to memory of 3500	5080	ec4e6a678a24fbc6072d65beb0203bf9dc01f768df9a7430ed0d827b8d290172.exe	85
PID 5080 wrote to memory of 3500	5080	ec4e6a678a24fbc6072d65beb0203bf9dc01f768df9a7430ed0d827b8d290172.exe	85
PID 3500 wrote to memory of 2912	3500	zA5gq5mz.exe	86
PID 3500 wrote to memory of 2912	3500	zA5gq5mz.exe	86
PID 3500 wrote to memory of 2912	3500	zA5gq5mz.exe	86
PID 2912 wrote to memory of 1368	2912	1Aq95AW6.exe	87
PID 2912 wrote to memory of 1368	2912	1Aq95AW6.exe	87
PID 2912 wrote to memory of 1368	2912	1Aq95AW6.exe	87
PID 2912 wrote to memory of 1368	2912	1Aq95AW6.exe	87
PID 2912 wrote to memory of 1368	2912	1Aq95AW6.exe	87
PID 2912 wrote to memory of 1368	2912	1Aq95AW6.exe	87
PID 2912 wrote to memory of 1368	2912	1Aq95AW6.exe	87
PID 2912 wrote to memory of 1368	2912	1Aq95AW6.exe	87
PID 2912 wrote to memory of 1368	2912	1Aq95AW6.exe	87
PID 2912 wrote to memory of 1368	2912	1Aq95AW6.exe	87
PID 3500 wrote to memory of 2064	3500	zA5gq5mz.exe	94
PID 3500 wrote to memory of 2064	3500	zA5gq5mz.exe	94
PID 3500 wrote to memory of 2064	3500	zA5gq5mz.exe	94

C:\Users\Admin\AppData\Local\Temp\ec4e6a678a24fbc6072d65beb0203bf9dc01f768df9a7430ed0d827b8d290172.exe
"C:\Users\Admin\AppData\Local\Temp\ec4e6a678a24fbc6072d65beb0203bf9dc01f768df9a7430ed0d827b8d290172.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5080
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zA5gq5mz.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zA5gq5mz.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3500
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Aq95AW6.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Aq95AW6.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2912
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:1368
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1368 -s 540
        5⤵
        Program crash
        
        PID:872
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2912 -s 576
      4⤵
      Program crash
      PID:1444
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2PK733PX.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2PK733PX.exe
    3⤵
    - Executes dropped EXE
    PID:2064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2912 -ip 2912
1⤵
PID:968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1368 -ip 1368
1⤵
PID:4652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zA5gq5mz.exe

Filesize
444KB

MD5
509af7787fa601854e66d8e83bad6b56

SHA1
82c39adf9797d2ac7963d93027f435ca7bf63034

SHA256
104afd9342df5e297e8db83a419a5d4750a1f32921b5f7b25894fc5cb1dc6cbb

SHA512
5cbd66c405df712867ec88ec975e183fd69fcf9966d6abc69771b5cbdcc008c75b3eef6bca545417cb0ba52241457d3f6a2c64e4a01d7e20b9b581eef9f2161b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Aq95AW6.exe

Filesize
423KB

MD5
cced1f2ff28b2f86a221efe1158f543f

SHA1
049c3a3890d7ce5e1f0670ee3f0194bb11342f85

SHA256
ac032a9e67aa7a7d77e589a41dc296aeaa10e09da588cb70f40032828f0076ac

SHA512
29e6370a0273458cccb90036ca9f938c310c9045a8a37beb6b032cedb2749fb969f5a3e072dcda856f98835dd8e721811f9c6e7cd390dc4085a3b3f54adcbaf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2PK733PX.exe

Filesize
221KB

MD5
b8623399adf53370727ebd5553c4850b

SHA1
4dfcb61ed3e2b0deba6fb6bd339f1b2e624b0d44

SHA256
f13565df7515f419896d9fc66ccaa7f466149907732ae8e18848cd111e0667c2

SHA512
bc696ebc842cbad710cab084874e7e7af1737fd026a7df105b574aca479d8ccd4df0819927834a68085b603ea5bbdcf588dcb2a7841efbe5067e21194fe47751

Download Submit
memory/1368-14-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1368-15-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1368-18-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1368-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2064-23-0x0000000007B00000-0x00000000080A4000-memory.dmp

Filesize
5.6MB

Download
memory/2064-22-0x0000000000760000-0x000000000079E000-memory.dmp

Filesize
248KB

Download
memory/2064-24-0x0000000007630000-0x00000000076C2000-memory.dmp

Filesize
584KB

Download
memory/2064-25-0x0000000004BE0000-0x0000000004BEA000-memory.dmp

Filesize
40KB

Download
memory/2064-26-0x00000000086D0000-0x0000000008CE8000-memory.dmp

Filesize
6.1MB

Download
memory/2064-27-0x0000000007940000-0x0000000007A4A000-memory.dmp

Filesize
1.0MB

Download
memory/2064-28-0x0000000007860000-0x0000000007872000-memory.dmp

Filesize
72KB

Download
memory/2064-29-0x00000000078C0000-0x00000000078FC000-memory.dmp

Filesize
240KB

Download
memory/2064-30-0x0000000007A50000-0x0000000007A9C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads