mystic | be3323c3b2bd6ba736703199d528de6bf1396e8a7c6b9b58e4ca31fda43b00e0

Analysis

max time kernel
145s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 08:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2598a435594fc87df1b99231c77f9f38793dd1d59b7f06388b1b60d59d0bbecf.exe
Size

1.3MB
MD5

e19af8058d1c10695db59ff06382095c
SHA1

74879eca322c96e26ccc9d52b87c3f47d54cedf4
SHA256

2598a435594fc87df1b99231c77f9f38793dd1d59b7f06388b1b60d59d0bbecf
SHA512

2985aac9377a1d12090a1db16137338715ff9c5e857096f4b33b37f6f2af9463346e0ce859324c5c1f15eee83885f1c1d2ceb6ec9d3d00a6033e437d11af9dee
SSDEEP

24576:0y4htUc734dBIbW67vwZTO5aS/Fg4PE5jPBgBUZKA7/lkk5EA:D4htv2y7g0g4cZRDjR5E

Score

10^/10

mystic redline lutyr infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

lutyr

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 3 IoCs

Processes:

resource	yara_rule
behavioral3/memory/4348-35-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral3/memory/4348-36-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral3/memory/4348-38-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
RedLine payload 2 IoCs

Processes:

resource yara_rule

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2QS669YZ.exe family_redline
behavioral3/memory/1480-42-0x0000000000AE0000-0x0000000000B1E000-memory.dmp family_redline
Executes dropped EXE 6 IoCs

Processes:

gt0aC2kl.exeBf1Mm6wM.exeRa9hI4vN.exefI4eZ4ii.exe1IQ76oz8.exe2QS669YZ.exe

pid process

1264 gt0aC2kl.exe
4232 Bf1Mm6wM.exe
4604 Ra9hI4vN.exe
3164 fI4eZ4ii.exe
3432 1IQ76oz8.exe
1480 2QS669YZ.exe

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2QS669YZ.exe	family_redline
behavioral3/memory/1480-42-0x0000000000AE0000-0x0000000000B1E000-memory.dmp	family_redline

pid	process
1264	gt0aC2kl.exe
4232	Bf1Mm6wM.exe
4604	Ra9hI4vN.exe
3164	fI4eZ4ii.exe
3432	1IQ76oz8.exe
1480	2QS669YZ.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2598a435594fc87df1b99231c77f9f38793dd1d59b7f06388b1b60d59d0bbecf.exegt0aC2kl.exeBf1Mm6wM.exeRa9hI4vN.exefI4eZ4ii.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	2598a435594fc87df1b99231c77f9f38793dd1d59b7f06388b1b60d59d0bbecf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	gt0aC2kl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Bf1Mm6wM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	Ra9hI4vN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	fI4eZ4ii.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

1IQ76oz8.exe

description pid process target process

PID 3432 set thread context of 4348 3432 1IQ76oz8.exe AppLaunch.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1768 3432 WerFault.exe 1IQ76oz8.exe

description	pid	process	target process
PID 3432 set thread context of 4348	3432	1IQ76oz8.exe	AppLaunch.exe

pid	pid_target	process	target process
1768	3432	WerFault.exe	1IQ76oz8.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

2598a435594fc87df1b99231c77f9f38793dd1d59b7f06388b1b60d59d0bbecf.exegt0aC2kl.exeBf1Mm6wM.exeRa9hI4vN.exefI4eZ4ii.exe1IQ76oz8.exe

description	pid	process	target process
PID 4068 wrote to memory of 1264	4068	2598a435594fc87df1b99231c77f9f38793dd1d59b7f06388b1b60d59d0bbecf.exe	gt0aC2kl.exe
PID 4068 wrote to memory of 1264	4068	2598a435594fc87df1b99231c77f9f38793dd1d59b7f06388b1b60d59d0bbecf.exe	gt0aC2kl.exe
PID 4068 wrote to memory of 1264	4068	2598a435594fc87df1b99231c77f9f38793dd1d59b7f06388b1b60d59d0bbecf.exe	gt0aC2kl.exe
PID 1264 wrote to memory of 4232	1264	gt0aC2kl.exe	Bf1Mm6wM.exe
PID 1264 wrote to memory of 4232	1264	gt0aC2kl.exe	Bf1Mm6wM.exe
PID 1264 wrote to memory of 4232	1264	gt0aC2kl.exe	Bf1Mm6wM.exe
PID 4232 wrote to memory of 4604	4232	Bf1Mm6wM.exe	Ra9hI4vN.exe
PID 4232 wrote to memory of 4604	4232	Bf1Mm6wM.exe	Ra9hI4vN.exe
PID 4232 wrote to memory of 4604	4232	Bf1Mm6wM.exe	Ra9hI4vN.exe
PID 4604 wrote to memory of 3164	4604	Ra9hI4vN.exe	fI4eZ4ii.exe
PID 4604 wrote to memory of 3164	4604	Ra9hI4vN.exe	fI4eZ4ii.exe
PID 4604 wrote to memory of 3164	4604	Ra9hI4vN.exe	fI4eZ4ii.exe
PID 3164 wrote to memory of 3432	3164	fI4eZ4ii.exe	1IQ76oz8.exe
PID 3164 wrote to memory of 3432	3164	fI4eZ4ii.exe	1IQ76oz8.exe
PID 3164 wrote to memory of 3432	3164	fI4eZ4ii.exe	1IQ76oz8.exe
PID 3432 wrote to memory of 4348	3432	1IQ76oz8.exe	AppLaunch.exe
PID 3432 wrote to memory of 4348	3432	1IQ76oz8.exe	AppLaunch.exe
PID 3432 wrote to memory of 4348	3432	1IQ76oz8.exe	AppLaunch.exe
PID 3432 wrote to memory of 4348	3432	1IQ76oz8.exe	AppLaunch.exe
PID 3432 wrote to memory of 4348	3432	1IQ76oz8.exe	AppLaunch.exe
PID 3432 wrote to memory of 4348	3432	1IQ76oz8.exe	AppLaunch.exe
PID 3432 wrote to memory of 4348	3432	1IQ76oz8.exe	AppLaunch.exe
PID 3432 wrote to memory of 4348	3432	1IQ76oz8.exe	AppLaunch.exe
PID 3432 wrote to memory of 4348	3432	1IQ76oz8.exe	AppLaunch.exe
PID 3432 wrote to memory of 4348	3432	1IQ76oz8.exe	AppLaunch.exe
PID 3164 wrote to memory of 1480	3164	fI4eZ4ii.exe	2QS669YZ.exe
PID 3164 wrote to memory of 1480	3164	fI4eZ4ii.exe	2QS669YZ.exe
PID 3164 wrote to memory of 1480	3164	fI4eZ4ii.exe	2QS669YZ.exe

C:\Users\Admin\AppData\Local\Temp\2598a435594fc87df1b99231c77f9f38793dd1d59b7f06388b1b60d59d0bbecf.exe
"C:\Users\Admin\AppData\Local\Temp\2598a435594fc87df1b99231c77f9f38793dd1d59b7f06388b1b60d59d0bbecf.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4068

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gt0aC2kl.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gt0aC2kl.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1264

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Bf1Mm6wM.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Bf1Mm6wM.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4232

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ra9hI4vN.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ra9hI4vN.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4604

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\fI4eZ4ii.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\fI4eZ4ii.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3164

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1IQ76oz8.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1IQ76oz8.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3432

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
PID:4348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3432 -s 576
7⤵
- Program crash
PID:1768

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2QS669YZ.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2QS669YZ.exe
6⤵
- Executes dropped EXE
PID:1480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3432 -ip 3432
1⤵
PID:2128

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4196 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8
1⤵
PID:2972

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gt0aC2kl.exe
Filesize
1.1MB

MD5
6abc100af2fb0c5195db4c82bea69717

SHA1
3b257d9569562df3cfbffd17be6bc34ad050d6d8

SHA256
fde683fd96f5a0e9298acfea737879915d85a5f645de46bdb6b08d12a9cbcdae

SHA512
17348c5514db27897639fa9bc1862b8faf2c34aee32af9a49d5b710ed2e791a454a5e2ce7329ca42d1fd96ad1d95c25bd98124e07802278220503e0c4d7ed461

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Bf1Mm6wM.exe
Filesize
949KB

MD5
a53015d8b49d63a2d4cadf2195557ca6

SHA1
fad7dcb400c2557be3b7e41edcd3735ea5b0a38a

SHA256
bd90e58a7ee36f53ee8f63b183e89de46942c29b576c5bd1ec68fb150a61520f

SHA512
af63453c8f8af221de59a84744b53777b89863faab9bef5e7700c98a4d28cde8352587ba8ead814d54011370ed3447cc41a305f00687726b3ea4d4125b1a11a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ra9hI4vN.exe
Filesize
645KB

MD5
e80114723fe4b6b164b6b6e3c8a7ba82

SHA1
ca76fc7c25f54403419c065f610094363e3961b4

SHA256
da5f73535ed945a679a2cc6f0aa477da7e52e290ae147e4e0ac5e84031f1c59b

SHA512
dbf4afdd735f8377d36845a1300902295bd7b954f06e8237637b14c885ebc74c2eb2aa227600a07fa759744604f4e7c6667797ac0cb2358dd46670b205622699

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\fI4eZ4ii.exe
Filesize
449KB

MD5
55694bc98ddf85201c32ec8b2903766a

SHA1
781918266d8b400e1faa12c2339ed844009666e5

SHA256
43da2a0a11ae463cef4f0ea5a162a007c32808b89661468853d837c638e01e37

SHA512
4ae556fd775f74f642c4248ffb2f3865eaa25025c101473a3d27c05af45ced26f17d68b0c57402a39b859b36921363f93eb68df0a00ad3b81ac7d4ae0e4818bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1IQ76oz8.exe
Filesize
446KB

MD5
f72f7ce68786940e325b04efb37eed20

SHA1
be0f1b14cb6770468b549c9529c80107ea6bf3e3

SHA256
4f681293759a743adbd7f803fbe4875cb48f90657054c01cf1abb9400452f9a4

SHA512
e7ce5ecefa1e70956ff4b795cac039432f65ce593277f08feb633edccb285d2357cf0b119685d117230607ccd76489b1d934cb72615f3d25b38542dddfffaa4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2QS669YZ.exe
Filesize
222KB

MD5
781c6c4fb67b356ff62d815ce87a6de9

SHA1
f4a40a32f2f5a23b1e50df44c6a4479cf72459cd

SHA256
def9310e23962509bdfc9c6d3cc3a4d88cb2c2fea955a37deced707fa6d57cab

SHA512
7b0877a213357fdf70bb6f69e929b27eca77dd8077b75e1b73256d63bd0fc71a9916da750f7e1a9a017e70cccc7bce4dd0ae463edc06b4d1103a9be8a176420e

Download Submit
memory/1480-42-0x0000000000AE0000-0x0000000000B1E000-memory.dmp

Filesize
248KB

Download
memory/1480-43-0x0000000007D50000-0x00000000082F4000-memory.dmp

Filesize
5.6MB

Download
memory/1480-44-0x00000000078A0000-0x0000000007932000-memory.dmp

Filesize
584KB

Download
memory/1480-45-0x0000000007A50000-0x0000000007A5A000-memory.dmp

Filesize
40KB

Download
memory/1480-46-0x0000000008920000-0x0000000008F38000-memory.dmp

Filesize
6.1MB

Download
memory/1480-47-0x0000000008300000-0x000000000840A000-memory.dmp

Filesize
1.0MB

Download
memory/1480-48-0x0000000007C80000-0x0000000007C92000-memory.dmp

Filesize
72KB

Download
memory/1480-49-0x0000000007CE0000-0x0000000007D1C000-memory.dmp

Filesize
240KB

Download
memory/1480-50-0x0000000008410000-0x000000000845C000-memory.dmp

Filesize
304KB

Download
memory/4348-36-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4348-38-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4348-35-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download