mystic | e45db5ef043ad9b5c82c58d0bff06826c09fe8eb833fcf9df03354265bc43755

General

Target

NEAS.e45db5ef043ad9b5c82c58d0bff06826c09fe8eb833fcf9df03354265bc43755_JC.exe
Size

378KB
MD5

6f7a8a6721ec18e6ac75d65f69e86caf
SHA1

cb04920d42f6962c3bfed223f5c4f27f9ef7fa1f
SHA256

e45db5ef043ad9b5c82c58d0bff06826c09fe8eb833fcf9df03354265bc43755
SHA512

0d033e7e066a10cf7d627b6e6baa2d091ecd83b41c3684a42984715d42c3a91ffef82feba8812820a4daa4414c24259dd31376af6eb5b54b3d4ee3e3708bca24
SSDEEP

6144:h4ZSt92pCryG4kfjSGwEi56AOlGsnlMagGNB5MqAy+rExmSctIvY9U1x0D:h4Zu2wryNSWYsGNnf1xGtmY9BD

Score

10^/10

Malware Config

Signatures

Detect Mystic stealer payload 6 IoCs

resource	yara_rule
behavioral1/memory/2708-7-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/2708-5-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/2708-4-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/2708-3-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/2708-9-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/2708-11-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3068 set thread context of 2708	3068	NEAS.e45db5ef043ad9b5c82c58d0bff06826c09fe8eb833fcf9df03354265bc43755_JC.exe	29

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2628	3068	WerFault.exe	17
2788	2708	WerFault.exe	29

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 3068 wrote to memory of 2708	3068	NEAS.e45db5ef043ad9b5c82c58d0bff06826c09fe8eb833fcf9df03354265bc43755_JC.exe	29
PID 3068 wrote to memory of 2708	3068	NEAS.e45db5ef043ad9b5c82c58d0bff06826c09fe8eb833fcf9df03354265bc43755_JC.exe	29
PID 3068 wrote to memory of 2708	3068	NEAS.e45db5ef043ad9b5c82c58d0bff06826c09fe8eb833fcf9df03354265bc43755_JC.exe	29
PID 3068 wrote to memory of 2708	3068	NEAS.e45db5ef043ad9b5c82c58d0bff06826c09fe8eb833fcf9df03354265bc43755_JC.exe	29
PID 3068 wrote to memory of 2708	3068	NEAS.e45db5ef043ad9b5c82c58d0bff06826c09fe8eb833fcf9df03354265bc43755_JC.exe	29
PID 3068 wrote to memory of 2708	3068	NEAS.e45db5ef043ad9b5c82c58d0bff06826c09fe8eb833fcf9df03354265bc43755_JC.exe	29
PID 3068 wrote to memory of 2708	3068	NEAS.e45db5ef043ad9b5c82c58d0bff06826c09fe8eb833fcf9df03354265bc43755_JC.exe	29
PID 3068 wrote to memory of 2708	3068	NEAS.e45db5ef043ad9b5c82c58d0bff06826c09fe8eb833fcf9df03354265bc43755_JC.exe	29
PID 3068 wrote to memory of 2708	3068	NEAS.e45db5ef043ad9b5c82c58d0bff06826c09fe8eb833fcf9df03354265bc43755_JC.exe	29
PID 3068 wrote to memory of 2708	3068	NEAS.e45db5ef043ad9b5c82c58d0bff06826c09fe8eb833fcf9df03354265bc43755_JC.exe	29
PID 3068 wrote to memory of 2708	3068	NEAS.e45db5ef043ad9b5c82c58d0bff06826c09fe8eb833fcf9df03354265bc43755_JC.exe	29
PID 3068 wrote to memory of 2708	3068	NEAS.e45db5ef043ad9b5c82c58d0bff06826c09fe8eb833fcf9df03354265bc43755_JC.exe	29
PID 3068 wrote to memory of 2708	3068	NEAS.e45db5ef043ad9b5c82c58d0bff06826c09fe8eb833fcf9df03354265bc43755_JC.exe	29
PID 3068 wrote to memory of 2708	3068	NEAS.e45db5ef043ad9b5c82c58d0bff06826c09fe8eb833fcf9df03354265bc43755_JC.exe	29
PID 3068 wrote to memory of 2628	3068	NEAS.e45db5ef043ad9b5c82c58d0bff06826c09fe8eb833fcf9df03354265bc43755_JC.exe	30
PID 3068 wrote to memory of 2628	3068	NEAS.e45db5ef043ad9b5c82c58d0bff06826c09fe8eb833fcf9df03354265bc43755_JC.exe	30
PID 3068 wrote to memory of 2628	3068	NEAS.e45db5ef043ad9b5c82c58d0bff06826c09fe8eb833fcf9df03354265bc43755_JC.exe	30
PID 3068 wrote to memory of 2628	3068	NEAS.e45db5ef043ad9b5c82c58d0bff06826c09fe8eb833fcf9df03354265bc43755_JC.exe	30
PID 2708 wrote to memory of 2788	2708	AppLaunch.exe	31
PID 2708 wrote to memory of 2788	2708	AppLaunch.exe	31
PID 2708 wrote to memory of 2788	2708	AppLaunch.exe	31
PID 2708 wrote to memory of 2788	2708	AppLaunch.exe	31
PID 2708 wrote to memory of 2788	2708	AppLaunch.exe	31
PID 2708 wrote to memory of 2788	2708	AppLaunch.exe	31
PID 2708 wrote to memory of 2788	2708	AppLaunch.exe	31

C:\Users\Admin\AppData\Local\Temp\NEAS.e45db5ef043ad9b5c82c58d0bff06826c09fe8eb833fcf9df03354265bc43755_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.e45db5ef043ad9b5c82c58d0bff06826c09fe8eb833fcf9df03354265bc43755_JC.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3068
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2708
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2708 -s 196
    3⤵
    - Program crash
    PID:2788
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3068 -s 136
  2⤵
  - Program crash
  PID:2628

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2708-1-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2708-6-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2708-7-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2708-5-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2708-4-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2708-3-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2708-2-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2708-0-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2708-9-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2708-11-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads