mystic | be3323c3b2bd6ba736703199d528de6bf1396e8a7c6b9b58e4ca31fda43b00e0

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 08:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

61799398eaa0d8b997b6fa9158074d701b10e120c7cac093e92c6dfbd278f50c.exe
Size

1.2MB
MD5

b98446b0f18286a42da76de220776baa
SHA1

a71b450e1661dcde86def137230b3caa1b55e6a3
SHA256

61799398eaa0d8b997b6fa9158074d701b10e120c7cac093e92c6dfbd278f50c
SHA512

a3880d6f69705178d6847e326d54f30a2bd9f739946426af2125502ee32a494691cf0df1a1e55e34c17a9bd3db4291e98e67f7db8accdf50166e201299532e08
SSDEEP

24576:iyEr/lyO4yJtpTven2JuR98YZ1uIEUs74Vlpu4yNkXPGLJpqYm:JELfVJtpnJuh1uJ374VXu4sEPGLJpqY

Score

10^/10

mystic redline lutyr infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

lutyr

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 3 IoCs

Processes:

resource	yara_rule
behavioral7/memory/2604-35-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral7/memory/2604-38-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral7/memory/2604-36-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
RedLine payload 2 IoCs

Processes:

resource yara_rule

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Ht041VO.exe family_redline
behavioral7/memory/2424-42-0x0000000000480000-0x00000000004BE000-memory.dmp family_redline
Executes dropped EXE 6 IoCs

Processes:

OA7HZ0Ce.exebb0hH6jn.exeRQ9Yn7jE.exeQK5dq7Hg.exe1ow05AM1.exe2Ht041VO.exe

pid process

2100 OA7HZ0Ce.exe
4208 bb0hH6jn.exe
1180 RQ9Yn7jE.exe
908 QK5dq7Hg.exe
4296 1ow05AM1.exe
2424 2Ht041VO.exe

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Ht041VO.exe	family_redline
behavioral7/memory/2424-42-0x0000000000480000-0x00000000004BE000-memory.dmp	family_redline

pid	process
2100	OA7HZ0Ce.exe
4208	bb0hH6jn.exe
1180	RQ9Yn7jE.exe
908	QK5dq7Hg.exe
4296	1ow05AM1.exe
2424	2Ht041VO.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

61799398eaa0d8b997b6fa9158074d701b10e120c7cac093e92c6dfbd278f50c.exeOA7HZ0Ce.exebb0hH6jn.exeRQ9Yn7jE.exeQK5dq7Hg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	61799398eaa0d8b997b6fa9158074d701b10e120c7cac093e92c6dfbd278f50c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	OA7HZ0Ce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	bb0hH6jn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	RQ9Yn7jE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	QK5dq7Hg.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

1ow05AM1.exe

description pid process target process

PID 4296 set thread context of 2604 4296 1ow05AM1.exe AppLaunch.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2648 4296 WerFault.exe 1ow05AM1.exe

description	pid	process	target process
PID 4296 set thread context of 2604	4296	1ow05AM1.exe	AppLaunch.exe

pid	pid_target	process	target process
2648	4296	WerFault.exe	1ow05AM1.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

61799398eaa0d8b997b6fa9158074d701b10e120c7cac093e92c6dfbd278f50c.exeOA7HZ0Ce.exebb0hH6jn.exeRQ9Yn7jE.exeQK5dq7Hg.exe1ow05AM1.exe

description	pid	process	target process
PID 5084 wrote to memory of 2100	5084	61799398eaa0d8b997b6fa9158074d701b10e120c7cac093e92c6dfbd278f50c.exe	OA7HZ0Ce.exe
PID 5084 wrote to memory of 2100	5084	61799398eaa0d8b997b6fa9158074d701b10e120c7cac093e92c6dfbd278f50c.exe	OA7HZ0Ce.exe
PID 5084 wrote to memory of 2100	5084	61799398eaa0d8b997b6fa9158074d701b10e120c7cac093e92c6dfbd278f50c.exe	OA7HZ0Ce.exe
PID 2100 wrote to memory of 4208	2100	OA7HZ0Ce.exe	bb0hH6jn.exe
PID 2100 wrote to memory of 4208	2100	OA7HZ0Ce.exe	bb0hH6jn.exe
PID 2100 wrote to memory of 4208	2100	OA7HZ0Ce.exe	bb0hH6jn.exe
PID 4208 wrote to memory of 1180	4208	bb0hH6jn.exe	RQ9Yn7jE.exe
PID 4208 wrote to memory of 1180	4208	bb0hH6jn.exe	RQ9Yn7jE.exe
PID 4208 wrote to memory of 1180	4208	bb0hH6jn.exe	RQ9Yn7jE.exe
PID 1180 wrote to memory of 908	1180	RQ9Yn7jE.exe	QK5dq7Hg.exe
PID 1180 wrote to memory of 908	1180	RQ9Yn7jE.exe	QK5dq7Hg.exe
PID 1180 wrote to memory of 908	1180	RQ9Yn7jE.exe	QK5dq7Hg.exe
PID 908 wrote to memory of 4296	908	QK5dq7Hg.exe	1ow05AM1.exe
PID 908 wrote to memory of 4296	908	QK5dq7Hg.exe	1ow05AM1.exe
PID 908 wrote to memory of 4296	908	QK5dq7Hg.exe	1ow05AM1.exe
PID 4296 wrote to memory of 2604	4296	1ow05AM1.exe	AppLaunch.exe
PID 4296 wrote to memory of 2604	4296	1ow05AM1.exe	AppLaunch.exe
PID 4296 wrote to memory of 2604	4296	1ow05AM1.exe	AppLaunch.exe
PID 4296 wrote to memory of 2604	4296	1ow05AM1.exe	AppLaunch.exe
PID 4296 wrote to memory of 2604	4296	1ow05AM1.exe	AppLaunch.exe
PID 4296 wrote to memory of 2604	4296	1ow05AM1.exe	AppLaunch.exe
PID 4296 wrote to memory of 2604	4296	1ow05AM1.exe	AppLaunch.exe
PID 4296 wrote to memory of 2604	4296	1ow05AM1.exe	AppLaunch.exe
PID 4296 wrote to memory of 2604	4296	1ow05AM1.exe	AppLaunch.exe
PID 4296 wrote to memory of 2604	4296	1ow05AM1.exe	AppLaunch.exe
PID 908 wrote to memory of 2424	908	QK5dq7Hg.exe	2Ht041VO.exe
PID 908 wrote to memory of 2424	908	QK5dq7Hg.exe	2Ht041VO.exe
PID 908 wrote to memory of 2424	908	QK5dq7Hg.exe	2Ht041VO.exe

C:\Users\Admin\AppData\Local\Temp\61799398eaa0d8b997b6fa9158074d701b10e120c7cac093e92c6dfbd278f50c.exe
"C:\Users\Admin\AppData\Local\Temp\61799398eaa0d8b997b6fa9158074d701b10e120c7cac093e92c6dfbd278f50c.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5084

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OA7HZ0Ce.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OA7HZ0Ce.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2100

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bb0hH6jn.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bb0hH6jn.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4208

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\RQ9Yn7jE.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\RQ9Yn7jE.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1180

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\QK5dq7Hg.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\QK5dq7Hg.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:908

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1ow05AM1.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1ow05AM1.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4296

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
PID:2604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4296 -s 600
7⤵
- Program crash
PID:2648

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Ht041VO.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Ht041VO.exe
6⤵
- Executes dropped EXE
PID:2424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4296 -ip 4296
1⤵
PID:4532

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OA7HZ0Ce.exe
Filesize
1.1MB

MD5
cbcfc7a8078e6008d13cbd3ed62e5149

SHA1
7281fd40a65e85da6cdf0ea31c80a8e90a87abd7

SHA256
18d9453558560c4eb4b2cff1462bb60c98921784ef8c1c28910c7b788338114f

SHA512
1535c9b53e25241774ab6b955fd151abdb239f75fc214a6f8b2a96f34d9ed12b7c1db4dacdae71523695847925b5680e3b8faa8c2a08d444c7c66824eef028b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bb0hH6jn.exe
Filesize
934KB

MD5
cab5e975eb9dd942c301f1f7968694a9

SHA1
b867ae819094b137fa4d6c2c84be466218e0121e

SHA256
180f9f583d79a0222c60b71f1e80b7dcf9e43967b51c79f823d31e78aa0da3ea

SHA512
d00dd58e28cfaae7ef23d8147aa89c9103317147e824c928c60a4a053c762de0935177a42fb55c0909f6dfa402fc4125bb7771e39e8af9eaecf9034adfef1924

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\RQ9Yn7jE.exe
Filesize
639KB

MD5
a9b0e1de237c6b2d8823e6b97e951d48

SHA1
09d901dfaa64656145abe69839418ea55ca50db3

SHA256
84967242c0d34785b778282b54b131abbf60cd183c61f1f3628e0a1168658889

SHA512
7e1eed17dc834cfad6db0172334d83a4216b92466355b0e41124f37497db8e7a205d6862135194c5c799a5b9f5ad500741bcdfcac08d19f5772ea852e0bc83cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\QK5dq7Hg.exe
Filesize
443KB

MD5
2f9ef32f70e4bdfcb59084c179e1c2b4

SHA1
270e89f35f3969cb08c46efffbfb491fdb81758f

SHA256
d9a3fd5af5abd5a5fdba99b0b08c11c1c53bf614729a81caf704e53209a00bc2

SHA512
8c290a715abd128a893aef16bd1ea584453a08fe22d431df3cdbad7f3c8140f69991f830e734962f758604ea5669b978e2f729878b32aafd7196182e4bb7dad0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1ow05AM1.exe
Filesize
422KB

MD5
4c143d833fb3ab835a2cedba32693e3c

SHA1
1eaa42218cf2fa6e29a7897834bdbef3dfd8c485

SHA256
b5487f674b7895a572bdbf80bfb688c69cca8ec8ea6a5461bac1b8c51cf959f3

SHA512
e5748c4b30f48d6e998d1c9f7edd791be0c196055841d166e6a271180a812557b5f4b32fafc549ef0f6cc496f8a0b125f8a4ba230720f1567b78b644b8d4d58e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Ht041VO.exe
Filesize
221KB

MD5
0f42c03b65c28ec29a5dea5eb79abbdb

SHA1
b37e052cab05b605cca9aa940466387cb7c58299

SHA256
a7d6c01096fc9729075adb5c5dca17f20062b32c7cbbf68c3e1d4675856bacbe

SHA512
25f68b2a39310aa52077f302dbdff3aba1bf4d5ae5c243c90d5444272cfc75e3fa25ec5afed85f37739688e0c2422c1f32041732c1e738ed07a3f98fcc1d7f7a

Download Submit
memory/2424-42-0x0000000000480000-0x00000000004BE000-memory.dmp

Filesize
248KB

Download
memory/2424-43-0x0000000007800000-0x0000000007DA4000-memory.dmp

Filesize
5.6MB

Download
memory/2424-44-0x0000000007340000-0x00000000073D2000-memory.dmp

Filesize
584KB

Download
memory/2424-45-0x0000000002770000-0x000000000277A000-memory.dmp

Filesize
40KB

Download
memory/2424-46-0x00000000083D0000-0x00000000089E8000-memory.dmp

Filesize
6.1MB

Download
memory/2424-47-0x0000000007DB0000-0x0000000007EBA000-memory.dmp

Filesize
1.0MB

Download
memory/2424-48-0x0000000007490000-0x00000000074A2000-memory.dmp

Filesize
72KB

Download
memory/2424-49-0x00000000074F0000-0x000000000752C000-memory.dmp

Filesize
240KB

Download
memory/2424-50-0x0000000007640000-0x000000000768C000-memory.dmp

Filesize
304KB

Download
memory/2604-38-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2604-36-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2604-35-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download