mystic | eafc2bfbeaeddb89f86da75f29f14435b745b919f0b99dd1d0d30b9d33efb415

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 07:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a6fd8428c609450c9b2629eda53c7749e0bb145c64d6bcfc5071adec21c467ff.exe
Size

396KB
MD5

fabbe9bb4bd6fd42e310e054a4990a6d
SHA1

0788c133a29974f06dfb39fd2e677d3376bfc81f
SHA256

a6fd8428c609450c9b2629eda53c7749e0bb145c64d6bcfc5071adec21c467ff
SHA512

f12e1b7af0b9e398548a80afa33c264953f0c04c2ebfb815dead8543a8d34e609a923132d679772a7fabc4281a04173210af6e517e588a4315daa9cd2605068f
SSDEEP

6144:Kjy+bnr+fp0yN90QEnA1zC5RFAJGBOnZDd1w7oTizoqReUj2sqqMrUWfp4:xMrby90RSCfmJTZDgxzoImUWK

Score

10^/10

mystic redline luate infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

luate

77.91.124.55:19071

Attributes

auth_value
e45cd419aba6c9d372088ffe5629308b

Signatures

Detect Mystic stealer payload 4 IoCs

Processes:

resource	yara_rule
behavioral13/memory/2356-7-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral13/memory/2356-8-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral13/memory/2356-11-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral13/memory/2356-10-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
RedLine payload 2 IoCs

Processes:

resource yara_rule

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\h2143167.exe family_redline
behavioral13/memory/4004-16-0x0000000000A30000-0x0000000000A60000-memory.dmp family_redline
Executes dropped EXE 2 IoCs

Processes:

g6091759.exeh2143167.exe

pid process

368 g6091759.exe
4004 h2143167.exe

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\h2143167.exe	family_redline
behavioral13/memory/4004-16-0x0000000000A30000-0x0000000000A60000-memory.dmp	family_redline

pid	process
368	g6091759.exe
4004	h2143167.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

a6fd8428c609450c9b2629eda53c7749e0bb145c64d6bcfc5071adec21c467ff.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a6fd8428c609450c9b2629eda53c7749e0bb145c64d6bcfc5071adec21c467ff.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

g6091759.exe

description pid process target process

PID 368 set thread context of 2356 368 g6091759.exe AppLaunch.exe
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

408 368 WerFault.exe g6091759.exe
4072 2356 WerFault.exe AppLaunch.exe

description	pid	process	target process
PID 368 set thread context of 2356	368	g6091759.exe	AppLaunch.exe

pid	pid_target	process	target process
408	368	WerFault.exe	g6091759.exe
4072	2356	WerFault.exe	AppLaunch.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

a6fd8428c609450c9b2629eda53c7749e0bb145c64d6bcfc5071adec21c467ff.exeg6091759.exe

description	pid	process	target process
PID 940 wrote to memory of 368	940	a6fd8428c609450c9b2629eda53c7749e0bb145c64d6bcfc5071adec21c467ff.exe	g6091759.exe
PID 940 wrote to memory of 368	940	a6fd8428c609450c9b2629eda53c7749e0bb145c64d6bcfc5071adec21c467ff.exe	g6091759.exe
PID 940 wrote to memory of 368	940	a6fd8428c609450c9b2629eda53c7749e0bb145c64d6bcfc5071adec21c467ff.exe	g6091759.exe
PID 368 wrote to memory of 2356	368	g6091759.exe	AppLaunch.exe
PID 368 wrote to memory of 2356	368	g6091759.exe	AppLaunch.exe
PID 368 wrote to memory of 2356	368	g6091759.exe	AppLaunch.exe
PID 368 wrote to memory of 2356	368	g6091759.exe	AppLaunch.exe
PID 368 wrote to memory of 2356	368	g6091759.exe	AppLaunch.exe
PID 368 wrote to memory of 2356	368	g6091759.exe	AppLaunch.exe
PID 368 wrote to memory of 2356	368	g6091759.exe	AppLaunch.exe
PID 368 wrote to memory of 2356	368	g6091759.exe	AppLaunch.exe
PID 368 wrote to memory of 2356	368	g6091759.exe	AppLaunch.exe
PID 368 wrote to memory of 2356	368	g6091759.exe	AppLaunch.exe
PID 940 wrote to memory of 4004	940	a6fd8428c609450c9b2629eda53c7749e0bb145c64d6bcfc5071adec21c467ff.exe	h2143167.exe
PID 940 wrote to memory of 4004	940	a6fd8428c609450c9b2629eda53c7749e0bb145c64d6bcfc5071adec21c467ff.exe	h2143167.exe
PID 940 wrote to memory of 4004	940	a6fd8428c609450c9b2629eda53c7749e0bb145c64d6bcfc5071adec21c467ff.exe	h2143167.exe

C:\Users\Admin\AppData\Local\Temp\a6fd8428c609450c9b2629eda53c7749e0bb145c64d6bcfc5071adec21c467ff.exe
"C:\Users\Admin\AppData\Local\Temp\a6fd8428c609450c9b2629eda53c7749e0bb145c64d6bcfc5071adec21c467ff.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:940

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\g6091759.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\g6091759.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:368

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
PID:2356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2356 -s 540
4⤵
- Program crash
PID:4072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 368 -s 592
3⤵
- Program crash
PID:408

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\h2143167.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\h2143167.exe
2⤵
- Executes dropped EXE
PID:4004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2356 -ip 2356
1⤵
PID:876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 368 -ip 368
1⤵
PID:2984

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\g6091759.exe
Filesize
379KB

MD5
2e73e739104326e94ac375010fd768fc

SHA1
729d6123161e891d5e3793501a9dca0b84a350a6

SHA256
09c8b7af19afe118bf95049aa665113d944463f1db74eac25ed7046a1e42cda9

SHA512
0e26680a7de2dead17540a63d880fc15c8d12d565389e3dcb6993a7b2e92fdf739bf19c9f991fd39718c4eb1df7e58ef2ff030b785c6d4b599bf17f33612b887

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\h2143167.exe
Filesize
174KB

MD5
b626337e64966155899f1c5bb8ca97f7

SHA1
b44f2b3df6ecbb28e50d2e8b494c578a9b272553

SHA256
f42c53cdd9b4d7cabfc78a83c5b581bb057e37130c877b0cd19618cceb1104d6

SHA512
3744b3149354064915e7068b3a01bf6d787c095936abcf009a044930ec44ecf91a38709976f75e3c08c059db10675bae565979fb35c72fcac4d26a1f624ba6f7

Download Submit
memory/2356-7-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2356-8-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2356-11-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2356-10-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4004-17-0x0000000002D10000-0x0000000002D16000-memory.dmp

Filesize
24KB

Download
memory/4004-15-0x000000007361E000-0x000000007361F000-memory.dmp

Filesize
4KB

Download
memory/4004-16-0x0000000000A30000-0x0000000000A60000-memory.dmp

Filesize
192KB

Download
memory/4004-18-0x0000000005A10000-0x0000000006028000-memory.dmp

Filesize
6.1MB

Download
memory/4004-19-0x0000000005500000-0x000000000560A000-memory.dmp

Filesize
1.0MB

Download
memory/4004-20-0x00000000053B0000-0x00000000053C2000-memory.dmp

Filesize
72KB

Download
memory/4004-21-0x0000000005430000-0x000000000546C000-memory.dmp

Filesize
240KB

Download
memory/4004-22-0x0000000073610000-0x0000000073DC0000-memory.dmp

Filesize
7.7MB

Download
memory/4004-23-0x0000000005470000-0x00000000054BC000-memory.dmp

Filesize
304KB

Download
memory/4004-24-0x000000007361E000-0x000000007361F000-memory.dmp

Filesize
4KB

Download
memory/4004-25-0x0000000073610000-0x0000000073DC0000-memory.dmp

Filesize
7.7MB

Download