mystic | f1d81c9a67bdec9aabc76b75a4446b81e4c76eaec82dc3d3e1d192344426f975

Analysis

max time kernel
124s
max time network
132s
platform
windows10-1703_x64
resource
win10-20230915-en
resource tags

arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
submitted
06-10-2023 18:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f1d81c9a67bdec9aabc76b75a4446b81e4c76eaec82dc3d3e1d192344426f975.exe
Size

378KB
MD5

79cbf924e425753827d48146d83e1f62
SHA1

696299174e5f7f1f970ac395e913287edac22c3b
SHA256

f1d81c9a67bdec9aabc76b75a4446b81e4c76eaec82dc3d3e1d192344426f975
SHA512

fe4ff19ddfd4a40944286cb2c67ef0fd2ca0a43edbbeaeaea1ff6a3e596e9fcaca5f98585639a8792dcdfe38ac65c5ea74f0c7dacee482ef80c64eefcf9d7f83
SSDEEP

6144:e4RSq92pCryG4kfjSGwEi56AO8GGzmUarBzj5rIJjRM44o0D:e4RX2wryNSZL1BzjAS9D

Score

10^/10

mystic stealer

Malware Config

Extracted

Family

mystic

http://5.42.92.211/loghub/master

Signatures

Detect Mystic stealer payload 5 IoCs

resource	yara_rule
behavioral1/memory/2916-0-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/2916-3-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/2916-4-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/2916-5-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/2916-6-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1052 set thread context of 2916	1052	f1d81c9a67bdec9aabc76b75a4446b81e4c76eaec82dc3d3e1d192344426f975.exe	73

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1500	1052	WerFault.exe	69

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1052 wrote to memory of 4160	1052	f1d81c9a67bdec9aabc76b75a4446b81e4c76eaec82dc3d3e1d192344426f975.exe	71
PID 1052 wrote to memory of 4160	1052	f1d81c9a67bdec9aabc76b75a4446b81e4c76eaec82dc3d3e1d192344426f975.exe	71
PID 1052 wrote to memory of 4160	1052	f1d81c9a67bdec9aabc76b75a4446b81e4c76eaec82dc3d3e1d192344426f975.exe	71
PID 1052 wrote to memory of 3260	1052	f1d81c9a67bdec9aabc76b75a4446b81e4c76eaec82dc3d3e1d192344426f975.exe	72
PID 1052 wrote to memory of 3260	1052	f1d81c9a67bdec9aabc76b75a4446b81e4c76eaec82dc3d3e1d192344426f975.exe	72
PID 1052 wrote to memory of 3260	1052	f1d81c9a67bdec9aabc76b75a4446b81e4c76eaec82dc3d3e1d192344426f975.exe	72
PID 1052 wrote to memory of 2916	1052	f1d81c9a67bdec9aabc76b75a4446b81e4c76eaec82dc3d3e1d192344426f975.exe	73
PID 1052 wrote to memory of 2916	1052	f1d81c9a67bdec9aabc76b75a4446b81e4c76eaec82dc3d3e1d192344426f975.exe	73
PID 1052 wrote to memory of 2916	1052	f1d81c9a67bdec9aabc76b75a4446b81e4c76eaec82dc3d3e1d192344426f975.exe	73
PID 1052 wrote to memory of 2916	1052	f1d81c9a67bdec9aabc76b75a4446b81e4c76eaec82dc3d3e1d192344426f975.exe	73
PID 1052 wrote to memory of 2916	1052	f1d81c9a67bdec9aabc76b75a4446b81e4c76eaec82dc3d3e1d192344426f975.exe	73
PID 1052 wrote to memory of 2916	1052	f1d81c9a67bdec9aabc76b75a4446b81e4c76eaec82dc3d3e1d192344426f975.exe	73
PID 1052 wrote to memory of 2916	1052	f1d81c9a67bdec9aabc76b75a4446b81e4c76eaec82dc3d3e1d192344426f975.exe	73
PID 1052 wrote to memory of 2916	1052	f1d81c9a67bdec9aabc76b75a4446b81e4c76eaec82dc3d3e1d192344426f975.exe	73
PID 1052 wrote to memory of 2916	1052	f1d81c9a67bdec9aabc76b75a4446b81e4c76eaec82dc3d3e1d192344426f975.exe	73
PID 1052 wrote to memory of 2916	1052	f1d81c9a67bdec9aabc76b75a4446b81e4c76eaec82dc3d3e1d192344426f975.exe	73

C:\Users\Admin\AppData\Local\Temp\f1d81c9a67bdec9aabc76b75a4446b81e4c76eaec82dc3d3e1d192344426f975.exe
"C:\Users\Admin\AppData\Local\Temp\f1d81c9a67bdec9aabc76b75a4446b81e4c76eaec82dc3d3e1d192344426f975.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1052
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:4160
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:3260
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:2916
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1052 -s 148
  2⤵
  - Program crash
  PID:1500

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2916-0-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2916-3-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2916-4-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2916-5-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2916-6-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download