mystic | be3323c3b2bd6ba736703199d528de6bf1396e8a7c6b9b58e4ca31fda43b00e0

Analysis

max time kernel
145s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 08:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2598a435594fc87df1b99231c77f9f38793dd1d59b7f06388b1b60d59d0bbecf.exe
Size

1.3MB
MD5

e19af8058d1c10695db59ff06382095c
SHA1

74879eca322c96e26ccc9d52b87c3f47d54cedf4
SHA256

2598a435594fc87df1b99231c77f9f38793dd1d59b7f06388b1b60d59d0bbecf
SHA512

2985aac9377a1d12090a1db16137338715ff9c5e857096f4b33b37f6f2af9463346e0ce859324c5c1f15eee83885f1c1d2ceb6ec9d3d00a6033e437d11af9dee
SSDEEP

24576:0y4htUc734dBIbW67vwZTO5aS/Fg4PE5jPBgBUZKA7/lkk5EA:D4htv2y7g0g4cZRDjR5E

Score

10^/10

mystic redline lutyr infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

lutyr

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 3 IoCs

resource	yara_rule
behavioral3/memory/4348-35-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral3/memory/4348-36-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral3/memory/4348-38-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral3/files/0x0007000000023293-39.dat	family_redline
behavioral3/memory/1480-42-0x0000000000AE0000-0x0000000000B1E000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
1264	gt0aC2kl.exe
4232	Bf1Mm6wM.exe
4604	Ra9hI4vN.exe
3164	fI4eZ4ii.exe
3432	1IQ76oz8.exe
1480	2QS669YZ.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	2598a435594fc87df1b99231c77f9f38793dd1d59b7f06388b1b60d59d0bbecf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	gt0aC2kl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Bf1Mm6wM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	Ra9hI4vN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	fI4eZ4ii.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3432 set thread context of 4348	3432	1IQ76oz8.exe	94

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1768	3432	WerFault.exe	93

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 4068 wrote to memory of 1264	4068	2598a435594fc87df1b99231c77f9f38793dd1d59b7f06388b1b60d59d0bbecf.exe	89
PID 4068 wrote to memory of 1264	4068	2598a435594fc87df1b99231c77f9f38793dd1d59b7f06388b1b60d59d0bbecf.exe	89
PID 4068 wrote to memory of 1264	4068	2598a435594fc87df1b99231c77f9f38793dd1d59b7f06388b1b60d59d0bbecf.exe	89
PID 1264 wrote to memory of 4232	1264	gt0aC2kl.exe	90
PID 1264 wrote to memory of 4232	1264	gt0aC2kl.exe	90
PID 1264 wrote to memory of 4232	1264	gt0aC2kl.exe	90
PID 4232 wrote to memory of 4604	4232	Bf1Mm6wM.exe	91
PID 4232 wrote to memory of 4604	4232	Bf1Mm6wM.exe	91
PID 4232 wrote to memory of 4604	4232	Bf1Mm6wM.exe	91
PID 4604 wrote to memory of 3164	4604	Ra9hI4vN.exe	92
PID 4604 wrote to memory of 3164	4604	Ra9hI4vN.exe	92
PID 4604 wrote to memory of 3164	4604	Ra9hI4vN.exe	92
PID 3164 wrote to memory of 3432	3164	fI4eZ4ii.exe	93
PID 3164 wrote to memory of 3432	3164	fI4eZ4ii.exe	93
PID 3164 wrote to memory of 3432	3164	fI4eZ4ii.exe	93
PID 3432 wrote to memory of 4348	3432	1IQ76oz8.exe	94
PID 3432 wrote to memory of 4348	3432	1IQ76oz8.exe	94
PID 3432 wrote to memory of 4348	3432	1IQ76oz8.exe	94
PID 3432 wrote to memory of 4348	3432	1IQ76oz8.exe	94
PID 3432 wrote to memory of 4348	3432	1IQ76oz8.exe	94
PID 3432 wrote to memory of 4348	3432	1IQ76oz8.exe	94
PID 3432 wrote to memory of 4348	3432	1IQ76oz8.exe	94
PID 3432 wrote to memory of 4348	3432	1IQ76oz8.exe	94
PID 3432 wrote to memory of 4348	3432	1IQ76oz8.exe	94
PID 3432 wrote to memory of 4348	3432	1IQ76oz8.exe	94
PID 3164 wrote to memory of 1480	3164	fI4eZ4ii.exe	98
PID 3164 wrote to memory of 1480	3164	fI4eZ4ii.exe	98
PID 3164 wrote to memory of 1480	3164	fI4eZ4ii.exe	98

C:\Users\Admin\AppData\Local\Temp\2598a435594fc87df1b99231c77f9f38793dd1d59b7f06388b1b60d59d0bbecf.exe
"C:\Users\Admin\AppData\Local\Temp\2598a435594fc87df1b99231c77f9f38793dd1d59b7f06388b1b60d59d0bbecf.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4068
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gt0aC2kl.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gt0aC2kl.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1264
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Bf1Mm6wM.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Bf1Mm6wM.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4232
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ra9hI4vN.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ra9hI4vN.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4604
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\fI4eZ4ii.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\fI4eZ4ii.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:3164
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1IQ76oz8.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1IQ76oz8.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3432
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3432 -s 576
        7⤵
        Program crash
        
        PID:1768
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2QS669YZ.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2QS669YZ.exe
        6⤵
        Executes dropped EXE
        
        PID:1480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3432 -ip 3432
1⤵
PID:2128

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4196 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8
1⤵
PID:2972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gt0aC2kl.exe

Filesize
1.1MB

MD5
6abc100af2fb0c5195db4c82bea69717

SHA1
3b257d9569562df3cfbffd17be6bc34ad050d6d8

SHA256
fde683fd96f5a0e9298acfea737879915d85a5f645de46bdb6b08d12a9cbcdae

SHA512
17348c5514db27897639fa9bc1862b8faf2c34aee32af9a49d5b710ed2e791a454a5e2ce7329ca42d1fd96ad1d95c25bd98124e07802278220503e0c4d7ed461

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Bf1Mm6wM.exe

Filesize
949KB

MD5
a53015d8b49d63a2d4cadf2195557ca6

SHA1
fad7dcb400c2557be3b7e41edcd3735ea5b0a38a

SHA256
bd90e58a7ee36f53ee8f63b183e89de46942c29b576c5bd1ec68fb150a61520f

SHA512
af63453c8f8af221de59a84744b53777b89863faab9bef5e7700c98a4d28cde8352587ba8ead814d54011370ed3447cc41a305f00687726b3ea4d4125b1a11a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ra9hI4vN.exe

Filesize
645KB

MD5
e80114723fe4b6b164b6b6e3c8a7ba82

SHA1
ca76fc7c25f54403419c065f610094363e3961b4

SHA256
da5f73535ed945a679a2cc6f0aa477da7e52e290ae147e4e0ac5e84031f1c59b

SHA512
dbf4afdd735f8377d36845a1300902295bd7b954f06e8237637b14c885ebc74c2eb2aa227600a07fa759744604f4e7c6667797ac0cb2358dd46670b205622699

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\fI4eZ4ii.exe

Filesize
449KB

MD5
55694bc98ddf85201c32ec8b2903766a

SHA1
781918266d8b400e1faa12c2339ed844009666e5

SHA256
43da2a0a11ae463cef4f0ea5a162a007c32808b89661468853d837c638e01e37

SHA512
4ae556fd775f74f642c4248ffb2f3865eaa25025c101473a3d27c05af45ced26f17d68b0c57402a39b859b36921363f93eb68df0a00ad3b81ac7d4ae0e4818bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1IQ76oz8.exe

Filesize
446KB

MD5
f72f7ce68786940e325b04efb37eed20

SHA1
be0f1b14cb6770468b549c9529c80107ea6bf3e3

SHA256
4f681293759a743adbd7f803fbe4875cb48f90657054c01cf1abb9400452f9a4

SHA512
e7ce5ecefa1e70956ff4b795cac039432f65ce593277f08feb633edccb285d2357cf0b119685d117230607ccd76489b1d934cb72615f3d25b38542dddfffaa4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2QS669YZ.exe

Filesize
222KB

MD5
781c6c4fb67b356ff62d815ce87a6de9

SHA1
f4a40a32f2f5a23b1e50df44c6a4479cf72459cd

SHA256
def9310e23962509bdfc9c6d3cc3a4d88cb2c2fea955a37deced707fa6d57cab

SHA512
7b0877a213357fdf70bb6f69e929b27eca77dd8077b75e1b73256d63bd0fc71a9916da750f7e1a9a017e70cccc7bce4dd0ae463edc06b4d1103a9be8a176420e

Download Submit
memory/1480-42-0x0000000000AE0000-0x0000000000B1E000-memory.dmp

Filesize
248KB

Download
memory/1480-43-0x0000000007D50000-0x00000000082F4000-memory.dmp

Filesize
5.6MB

Download
memory/1480-44-0x00000000078A0000-0x0000000007932000-memory.dmp

Filesize
584KB

Download
memory/1480-45-0x0000000007A50000-0x0000000007A5A000-memory.dmp

Filesize
40KB

Download
memory/1480-46-0x0000000008920000-0x0000000008F38000-memory.dmp

Filesize
6.1MB

Download
memory/1480-47-0x0000000008300000-0x000000000840A000-memory.dmp

Filesize
1.0MB

Download
memory/1480-48-0x0000000007C80000-0x0000000007C92000-memory.dmp

Filesize
72KB

Download
memory/1480-49-0x0000000007CE0000-0x0000000007D1C000-memory.dmp

Filesize
240KB

Download
memory/1480-50-0x0000000008410000-0x000000000845C000-memory.dmp

Filesize
304KB

Download
memory/4348-36-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4348-38-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4348-35-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads