mystic | 02cacf524527064e447c85bef406a6e5125d06b69bd35e10a813bf4a5659b985

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 09:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

753cdc12b984ece991f2018329d37985ee627640895e2d9b9a43a13a6dd6fb91.exe
Size

641KB
MD5

a2fb087405549d4844da7621326d7bc6
SHA1

41722d07ff394bb88e681e8cb55acdc420fbc696
SHA256

753cdc12b984ece991f2018329d37985ee627640895e2d9b9a43a13a6dd6fb91
SHA512

deac27f5aab4250178ca108607e59b275edccdf556fe2ddfe2f2bc51a302a985cab0408e6261f1459fecf19b8331bc959a0e30921103816e46686b617549dfa3
SSDEEP

12288:nMr9y90yHagkaQMkfPlNgEkJa1j6shpaH8UPGDTVqT3kUt90fnAr:ayaXnHrf1jS3uTVqrkUcK

Score

10^/10

mystic redline lutyr infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

lutyr

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral14/memory/3436-14-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral14/memory/3436-18-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral14/memory/3436-16-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral14/memory/3436-15-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral14/files/0x0007000000023463-20.dat	family_redline
behavioral14/memory/3204-22-0x00000000005A0000-0x00000000005DE000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

pid	Process
4156	Vg7cw5Cv.exe
2036	1ws09Cr7.exe
3204	2Qy711qk.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	753cdc12b984ece991f2018329d37985ee627640895e2d9b9a43a13a6dd6fb91.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Vg7cw5Cv.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2036 set thread context of 3436	2036	1ws09Cr7.exe	86

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1152	3436	WerFault.exe	86
3180	2036	WerFault.exe	83

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 3604 wrote to memory of 4156	3604	753cdc12b984ece991f2018329d37985ee627640895e2d9b9a43a13a6dd6fb91.exe	82
PID 3604 wrote to memory of 4156	3604	753cdc12b984ece991f2018329d37985ee627640895e2d9b9a43a13a6dd6fb91.exe	82
PID 3604 wrote to memory of 4156	3604	753cdc12b984ece991f2018329d37985ee627640895e2d9b9a43a13a6dd6fb91.exe	82
PID 4156 wrote to memory of 2036	4156	Vg7cw5Cv.exe	83
PID 4156 wrote to memory of 2036	4156	Vg7cw5Cv.exe	83
PID 4156 wrote to memory of 2036	4156	Vg7cw5Cv.exe	83
PID 2036 wrote to memory of 3436	2036	1ws09Cr7.exe	86
PID 2036 wrote to memory of 3436	2036	1ws09Cr7.exe	86
PID 2036 wrote to memory of 3436	2036	1ws09Cr7.exe	86
PID 2036 wrote to memory of 3436	2036	1ws09Cr7.exe	86
PID 2036 wrote to memory of 3436	2036	1ws09Cr7.exe	86
PID 2036 wrote to memory of 3436	2036	1ws09Cr7.exe	86
PID 2036 wrote to memory of 3436	2036	1ws09Cr7.exe	86
PID 2036 wrote to memory of 3436	2036	1ws09Cr7.exe	86
PID 2036 wrote to memory of 3436	2036	1ws09Cr7.exe	86
PID 2036 wrote to memory of 3436	2036	1ws09Cr7.exe	86
PID 4156 wrote to memory of 3204	4156	Vg7cw5Cv.exe	93
PID 4156 wrote to memory of 3204	4156	Vg7cw5Cv.exe	93
PID 4156 wrote to memory of 3204	4156	Vg7cw5Cv.exe	93

C:\Users\Admin\AppData\Local\Temp\753cdc12b984ece991f2018329d37985ee627640895e2d9b9a43a13a6dd6fb91.exe
"C:\Users\Admin\AppData\Local\Temp\753cdc12b984ece991f2018329d37985ee627640895e2d9b9a43a13a6dd6fb91.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3604
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Vg7cw5Cv.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Vg7cw5Cv.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4156
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1ws09Cr7.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1ws09Cr7.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2036
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:3436
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3436 -s 540
        5⤵
        Program crash
        
        PID:1152
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2036 -s 576
      4⤵
      Program crash
      PID:3180
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Qy711qk.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Qy711qk.exe
    3⤵
    - Executes dropped EXE
    PID:3204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2036 -ip 2036
1⤵
PID:4528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3436 -ip 3436
1⤵
PID:5028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Vg7cw5Cv.exe

Filesize
444KB

MD5
a132710ae930732daabf0f71afeab3f6

SHA1
99727dd282017777e355a1f5112aecc0c325e45c

SHA256
e1484c09a5a5770d0705e10e2e8d677b54cab973b2322cbf35aeae9e30966e33

SHA512
5e0943b45f280d523b53bf00c566631f1dd8689610a307650b58b5a1505fc6ee595aa397ee80b221864efa964922c020c5266b6d76603fac6d8a7059225503c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1ws09Cr7.exe

Filesize
423KB

MD5
9bad28e6b65c9e39ea8b7d01f7ed2820

SHA1
ee3631552cc012421c583ccbf5fe0af25b460475

SHA256
9677940efae1b2c597e9a5e0b666473777bb847f1343f516b21d0fcf9cd0261a

SHA512
22390d8dcd6408c46eaa2c89a2faa2a51ebc52749d96ba9bc8324a02b12ad2317b2d6f1be96f0e20fc10cf8a091ba5c58be88d134d82856894dabb19a774111f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Qy711qk.exe

Filesize
221KB

MD5
1c07287e84177b5f541f83f7687297c4

SHA1
1552a1779c8ff1dc71b027abec5d98a8403d31c3

SHA256
33380d6c2e97d70af6ae8826976abc58cee08c36a1ef9c1508d1f2477e6a48d2

SHA512
f6f54dbf295f7230ec500f1e44e1bc7ad1da37c991bec6a465276c85f1dd91f78cf899e1c74e6538acf77011d89a3dabe9fc60dc7820fa635325c524dfa2a13a

Download Submit
memory/3204-27-0x0000000007F00000-0x000000000800A000-memory.dmp

Filesize
1.0MB

Download
memory/3204-22-0x00000000005A0000-0x00000000005DE000-memory.dmp

Filesize
248KB

Download
memory/3204-23-0x0000000007950000-0x0000000007EF4000-memory.dmp

Filesize
5.6MB

Download
memory/3204-24-0x0000000007460000-0x00000000074F2000-memory.dmp

Filesize
584KB

Download
memory/3204-25-0x0000000002900000-0x000000000290A000-memory.dmp

Filesize
40KB

Download
memory/3204-26-0x0000000008520000-0x0000000008B38000-memory.dmp

Filesize
6.1MB

Download
memory/3204-28-0x00000000075B0000-0x00000000075C2000-memory.dmp

Filesize
72KB

Download
memory/3204-29-0x0000000007610000-0x000000000764C000-memory.dmp

Filesize
240KB

Download
memory/3204-30-0x0000000007790000-0x00000000077DC000-memory.dmp

Filesize
304KB

Download
memory/3436-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3436-15-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3436-18-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3436-14-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads