mystic | 7933fef612cfed24528ffac4aad5a6e220fd5b4ace233682c5f634c88264b8b2

General

Target

7933fef612cfed24528ffac4aad5a6e220fd5b4ace233682c5f634c88264b8b2N.exe
Size

879KB
MD5

219de7799d0ae3a227896e76a31b1a50
SHA1

f52122d9e3d9515c91306c7e4f5c0ab862e5704e
SHA256

7933fef612cfed24528ffac4aad5a6e220fd5b4ace233682c5f634c88264b8b2
SHA512

f9b6f9bed1644946a5138dd964ff69f86ebf4c252e143dcdb918a620ece9765b82f03ef6fef2f2eb621cc8751577f80bd6e96f6d800f21ff0c7f7a4749975e8d
SSDEEP

24576:fy1UUaE7Ns0fhyLYzVA2HR8RKV4dtHEnYp:q1UXcc4SSR8RKV4dSn

Score

10^/10

mystic redline lutyr discovery infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

lutyr

C2

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 3 IoCs

resource	yara_rule
behavioral1/memory/3484-21-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral1/memory/3484-22-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral1/memory/3484-24-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
Mystic family
mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023c90-26.dat	family_redline
behavioral1/memory/968-28-0x0000000000F30000-0x0000000000F6E000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 4 IoCs

pid	Process
4512	KT0KD8JM.exe
2656	og4ap9oL.exe
1932	1lZ26Rj0.exe
968	2Kq196Mk.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	7933fef612cfed24528ffac4aad5a6e220fd5b4ace233682c5f634c88264b8b2N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	KT0KD8JM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	og4ap9oL.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1932 set thread context of 3484	1932	1lZ26Rj0.exe	90

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4796	1932	WerFault.exe	86

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KT0KD8JM.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	og4ap9oL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1lZ26Rj0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2Kq196Mk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7933fef612cfed24528ffac4aad5a6e220fd5b4ace233682c5f634c88264b8b2N.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1552 wrote to memory of 4512	1552	7933fef612cfed24528ffac4aad5a6e220fd5b4ace233682c5f634c88264b8b2N.exe	83
PID 1552 wrote to memory of 4512	1552	7933fef612cfed24528ffac4aad5a6e220fd5b4ace233682c5f634c88264b8b2N.exe	83
PID 1552 wrote to memory of 4512	1552	7933fef612cfed24528ffac4aad5a6e220fd5b4ace233682c5f634c88264b8b2N.exe	83
PID 4512 wrote to memory of 2656	4512	KT0KD8JM.exe	84
PID 4512 wrote to memory of 2656	4512	KT0KD8JM.exe	84
PID 4512 wrote to memory of 2656	4512	KT0KD8JM.exe	84
PID 2656 wrote to memory of 1932	2656	og4ap9oL.exe	86
PID 2656 wrote to memory of 1932	2656	og4ap9oL.exe	86
PID 2656 wrote to memory of 1932	2656	og4ap9oL.exe	86
PID 1932 wrote to memory of 3484	1932	1lZ26Rj0.exe	90
PID 1932 wrote to memory of 3484	1932	1lZ26Rj0.exe	90
PID 1932 wrote to memory of 3484	1932	1lZ26Rj0.exe	90
PID 1932 wrote to memory of 3484	1932	1lZ26Rj0.exe	90
PID 1932 wrote to memory of 3484	1932	1lZ26Rj0.exe	90
PID 1932 wrote to memory of 3484	1932	1lZ26Rj0.exe	90
PID 1932 wrote to memory of 3484	1932	1lZ26Rj0.exe	90
PID 1932 wrote to memory of 3484	1932	1lZ26Rj0.exe	90
PID 1932 wrote to memory of 3484	1932	1lZ26Rj0.exe	90
PID 1932 wrote to memory of 3484	1932	1lZ26Rj0.exe	90
PID 2656 wrote to memory of 968	2656	og4ap9oL.exe	94
PID 2656 wrote to memory of 968	2656	og4ap9oL.exe	94
PID 2656 wrote to memory of 968	2656	og4ap9oL.exe	94

C:\Users\Admin\AppData\Local\Temp\7933fef612cfed24528ffac4aad5a6e220fd5b4ace233682c5f634c88264b8b2N.exe
"C:\Users\Admin\AppData\Local\Temp\7933fef612cfed24528ffac4aad5a6e220fd5b4ace233682c5f634c88264b8b2N.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1552
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\KT0KD8JM.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\KT0KD8JM.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4512
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\og4ap9oL.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\og4ap9oL.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2656
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1lZ26Rj0.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1lZ26Rj0.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1932
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3484
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1932 -s 616
        5⤵
        Program crash
        
        PID:4796
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2Kq196Mk.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2Kq196Mk.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1932 -ip 1932
1⤵
PID:3420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\KT0KD8JM.exe

Filesize
585KB

MD5
0c1ec67b55129ca9848fe6d9a0324ab3

SHA1
2d6120890500ef116ea028af01fd308474bb2d32

SHA256
2096a86f6c415cfbdf8efa2cdd8018b694fa33f266b2f7f43a04e897f6ac2e5c

SHA512
1749a5589b3dc0c2af66f34df087f3a02c402cfcd993ccec0b9c7b250a3714461dd5440a24dc03de07ea5d75dca7ceeca32472757d3e9dc6a622e85839c320ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\og4ap9oL.exe

Filesize
413KB

MD5
096c3c0bb47a4f47094342a9364fadd2

SHA1
125ce981e82f4a2ea3ba3ec6bf0e6069c94835b5

SHA256
be61c2390a7ccd417232e1da02f9b23cb59fc32cea1a22a435f9818d3b0f02fe

SHA512
19089c22ef59f123d05cc3bd00f6dc226bf6783c5f5b9d5aadf85e83788246b1eba02edf029a862dbf4ddef3c8a40556fb22d31fcf42f7e232ab9857cf3fc6b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1lZ26Rj0.exe

Filesize
378KB

MD5
a5facf2fefb1b41b5caa0ad2cd5ac71f

SHA1
ebf15f0f5139e1b1e057ec09b8696174052e65ab

SHA256
aefb13984cf99ee053a32bf55a269cddaa80dc7b52ce734ca9faee00cd279f62

SHA512
b406db295bdf49bdbe5f58af535046a359e63053f291998d4f7ce4b1d126d41395baa6d338b67da738064c8af1b2fe15bd1a61a24b5c301fc79828e8a9581e6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2Kq196Mk.exe

Filesize
221KB

MD5
a9f34c85200c7fadf4f45384c478a9cc

SHA1
817c64d0376eb22697aee39578c566052fe87887

SHA256
eed865e4fa7e1426bd1ec2468a2ef9cea3089891e022d1b4d51fb9fe97f597de

SHA512
3bc9f765a9df49922dd0105e409049d3e7e0735ba646382dd98c21a83a86cbd8fe8b58909bcf43ca4524412f3ddf26f308f1068a2228fc01191ac1841428ca87

Download Submit
memory/968-33-0x0000000008780000-0x000000000888A000-memory.dmp

Filesize
1.0MB

Download
memory/968-28-0x0000000000F30000-0x0000000000F6E000-memory.dmp

Filesize
248KB

Download
memory/968-29-0x00000000081D0000-0x0000000008774000-memory.dmp

Filesize
5.6MB

Download
memory/968-30-0x0000000007CC0000-0x0000000007D52000-memory.dmp

Filesize
584KB

Download
memory/968-31-0x0000000005210000-0x000000000521A000-memory.dmp

Filesize
40KB

Download
memory/968-32-0x0000000008DA0000-0x00000000093B8000-memory.dmp

Filesize
6.1MB

Download
memory/968-34-0x0000000008050000-0x0000000008062000-memory.dmp

Filesize
72KB

Download
memory/968-35-0x00000000080B0000-0x00000000080EC000-memory.dmp

Filesize
240KB

Download
memory/968-36-0x00000000080F0000-0x000000000813C000-memory.dmp

Filesize
304KB

Download
memory/3484-24-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3484-22-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3484-21-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads