mystic | 555e2e96cadddac7eb38d1d05f1426621d653734fce83d1180239800918df8c1

General

Target

555e2e96cadddac7eb38d1d05f1426621d653734fce83d1180239800918df8c1.exe
Size

522KB
MD5

445f7f64dbdf136608359b3ac09cc3f2
SHA1

a6c747bd747eb775cfb07376e21283e2c44b9c8d
SHA256

555e2e96cadddac7eb38d1d05f1426621d653734fce83d1180239800918df8c1
SHA512

906c8127789f8e5afc6059b9ede36c037a021d5ebfdf23ba0724ca823278e86d688ff1e4a374758dd35b2bf1519397407d8537c1598f3fb927bcee9d61a83e3d
SSDEEP

6144:KQy+bnr+jp0yN90QEFhJRfOCrz1ensG/ZmlTjDzLc24vwpgHho8llvrgliPAtt6/:0Mrjy90PhxRTj424vw9cklV4sNLFQx9

Score

10^/10

mystic redline lutyr discovery infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

lutyr

C2

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 1 IoCs

resource	yara_rule
behavioral1/files/0x0009000000023bdc-12.dat	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
Mystic family
mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023bdd-15.dat	family_redline
behavioral1/memory/1112-18-0x0000000000750000-0x000000000078E000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 3 IoCs

pid	Process
2236	Qb9FK5VE.exe
3872	1AK48Cq1.exe
1112	2ne164fS.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	555e2e96cadddac7eb38d1d05f1426621d653734fce83d1180239800918df8c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Qb9FK5VE.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	555e2e96cadddac7eb38d1d05f1426621d653734fce83d1180239800918df8c1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qb9FK5VE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1AK48Cq1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2ne164fS.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3512 wrote to memory of 2236	3512	555e2e96cadddac7eb38d1d05f1426621d653734fce83d1180239800918df8c1.exe	86
PID 3512 wrote to memory of 2236	3512	555e2e96cadddac7eb38d1d05f1426621d653734fce83d1180239800918df8c1.exe	86
PID 3512 wrote to memory of 2236	3512	555e2e96cadddac7eb38d1d05f1426621d653734fce83d1180239800918df8c1.exe	86
PID 2236 wrote to memory of 3872	2236	Qb9FK5VE.exe	87
PID 2236 wrote to memory of 3872	2236	Qb9FK5VE.exe	87
PID 2236 wrote to memory of 3872	2236	Qb9FK5VE.exe	87
PID 2236 wrote to memory of 1112	2236	Qb9FK5VE.exe	88
PID 2236 wrote to memory of 1112	2236	Qb9FK5VE.exe	88
PID 2236 wrote to memory of 1112	2236	Qb9FK5VE.exe	88

C:\Users\Admin\AppData\Local\Temp\555e2e96cadddac7eb38d1d05f1426621d653734fce83d1180239800918df8c1.exe
"C:\Users\Admin\AppData\Local\Temp\555e2e96cadddac7eb38d1d05f1426621d653734fce83d1180239800918df8c1.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3512
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Qb9FK5VE.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Qb9FK5VE.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2236
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1AK48Cq1.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1AK48Cq1.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3872
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2ne164fS.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2ne164fS.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Qb9FK5VE.exe

Filesize
326KB

MD5
788425e89453595b3cde23a4340eb9b4

SHA1
e79a7acc90a8290974709f03e713dc43e7b43092

SHA256
2e1a42a1f156e8abc690a56d06352aacdd8b42f70729300bf5fae62ee0b5eee3

SHA512
a6b264112ab5ade6d99d498c2692793dcdb5494d88f98e8c4ffe9b2e927d04c08426d5f06e93a231880c3928675e442c2889555ce2c270e79d7852f0ad881e81

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1AK48Cq1.exe

Filesize
190KB

MD5
a6656e3d6d06c8ce9cbb4b6952553c20

SHA1
af45103616dc896da5ee4268fd5f9483b5b97c1c

SHA256
fec303b128c44607654c078736b96d2762722f51b6c473dfe5415158fd83718b

SHA512
f53f2214d3f192a352b2a93c66d91988a41a5ab9dbf15edd62ea8ce38da8a732114e3c46526d4dc6f3132330913b1acb90fa11ff454a1520d117149a86678d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2ne164fS.exe

Filesize
221KB

MD5
4eb67f4d64fb8297a3dc8ffc6df010bb

SHA1
0f79d6e2150adcd7277ce5cd822d13d8a907b0f5

SHA256
f28406ecf29bdcefbd9bdfb4794385e2d073710946c952025af1c44b355816fb

SHA512
bade839a420a3ca0899f67948089674e96ce7bc6e16e4a6aa2176a586b6a269623dd498c886763a22d3498af2d15111b590d2a54aef3b703a7087b7ecebbd301

Download Submit
memory/1112-17-0x0000000073E8E000-0x0000000073E8F000-memory.dmp

Filesize
4KB

Download
memory/1112-18-0x0000000000750000-0x000000000078E000-memory.dmp

Filesize
248KB

Download
memory/1112-19-0x0000000007A80000-0x0000000008024000-memory.dmp

Filesize
5.6MB

Download
memory/1112-20-0x0000000007570000-0x0000000007602000-memory.dmp

Filesize
584KB

Download
memory/1112-21-0x0000000002940000-0x000000000294A000-memory.dmp

Filesize
40KB

Download
memory/1112-22-0x0000000008650000-0x0000000008C68000-memory.dmp

Filesize
6.1MB

Download
memory/1112-23-0x0000000008030000-0x000000000813A000-memory.dmp

Filesize
1.0MB

Download
memory/1112-24-0x0000000007610000-0x0000000007622000-memory.dmp

Filesize
72KB

Download
memory/1112-25-0x0000000007670000-0x00000000076AC000-memory.dmp

Filesize
240KB

Download
memory/1112-26-0x00000000076D0000-0x000000000771C000-memory.dmp

Filesize
304KB

Download
memory/1112-27-0x0000000073E8E000-0x0000000073E8F000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads