mystic | 3bf82e78c1668578276f0eff8ede9d61d214f78b6d495764c740e0869abcb556

General

Target

3bf82e78c1668578276f0eff8ede9d61d214f78b6d495764c740e0869abcb556.exe
Size

356KB
MD5

12b455c4175731142ff6eb653193fb23
SHA1

475387ae1b3f802f76acc44fb2958930e8a6533d
SHA256

3bf82e78c1668578276f0eff8ede9d61d214f78b6d495764c740e0869abcb556
SHA512

2622e4bf7f8d4fa2cbd0fc7e683f74e61ad63ce33d88a4c60cf45491b087e5909ef3fd22a247d0476fa72b2a9d7a8bda26ea94757f8f4ef04a30e39328c43583
SSDEEP

6144:wMTeW/s5GqrO5aXnfEGIXWPvZAO4y44zVu2Stje2/Eh5rkdY9un44eVs0BC+:wmcGqrOk86xA4s2SEOGs0BC+

Score

10^/10

Malware Config

Signatures

Detect Mystic stealer payload 6 IoCs

resource	yara_rule
behavioral1/memory/3056-3-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/3056-4-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/3056-5-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/3056-7-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/3056-9-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/3056-11-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2256 set thread context of 3056	2256	3bf82e78c1668578276f0eff8ede9d61d214f78b6d495764c740e0869abcb556.exe	29

Program crash 2 IoCs

pid	pid_target	Process	procid_target
908	2256	WerFault.exe	27
1212	3056	WerFault.exe	29

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2256 wrote to memory of 3056	2256	3bf82e78c1668578276f0eff8ede9d61d214f78b6d495764c740e0869abcb556.exe	29
PID 2256 wrote to memory of 3056	2256	3bf82e78c1668578276f0eff8ede9d61d214f78b6d495764c740e0869abcb556.exe	29
PID 2256 wrote to memory of 3056	2256	3bf82e78c1668578276f0eff8ede9d61d214f78b6d495764c740e0869abcb556.exe	29
PID 2256 wrote to memory of 3056	2256	3bf82e78c1668578276f0eff8ede9d61d214f78b6d495764c740e0869abcb556.exe	29
PID 2256 wrote to memory of 3056	2256	3bf82e78c1668578276f0eff8ede9d61d214f78b6d495764c740e0869abcb556.exe	29
PID 2256 wrote to memory of 3056	2256	3bf82e78c1668578276f0eff8ede9d61d214f78b6d495764c740e0869abcb556.exe	29
PID 2256 wrote to memory of 3056	2256	3bf82e78c1668578276f0eff8ede9d61d214f78b6d495764c740e0869abcb556.exe	29
PID 2256 wrote to memory of 3056	2256	3bf82e78c1668578276f0eff8ede9d61d214f78b6d495764c740e0869abcb556.exe	29
PID 2256 wrote to memory of 3056	2256	3bf82e78c1668578276f0eff8ede9d61d214f78b6d495764c740e0869abcb556.exe	29
PID 2256 wrote to memory of 3056	2256	3bf82e78c1668578276f0eff8ede9d61d214f78b6d495764c740e0869abcb556.exe	29
PID 2256 wrote to memory of 3056	2256	3bf82e78c1668578276f0eff8ede9d61d214f78b6d495764c740e0869abcb556.exe	29
PID 2256 wrote to memory of 3056	2256	3bf82e78c1668578276f0eff8ede9d61d214f78b6d495764c740e0869abcb556.exe	29
PID 2256 wrote to memory of 3056	2256	3bf82e78c1668578276f0eff8ede9d61d214f78b6d495764c740e0869abcb556.exe	29
PID 2256 wrote to memory of 3056	2256	3bf82e78c1668578276f0eff8ede9d61d214f78b6d495764c740e0869abcb556.exe	29
PID 2256 wrote to memory of 908	2256	3bf82e78c1668578276f0eff8ede9d61d214f78b6d495764c740e0869abcb556.exe	30
PID 2256 wrote to memory of 908	2256	3bf82e78c1668578276f0eff8ede9d61d214f78b6d495764c740e0869abcb556.exe	30
PID 2256 wrote to memory of 908	2256	3bf82e78c1668578276f0eff8ede9d61d214f78b6d495764c740e0869abcb556.exe	30
PID 2256 wrote to memory of 908	2256	3bf82e78c1668578276f0eff8ede9d61d214f78b6d495764c740e0869abcb556.exe	30
PID 3056 wrote to memory of 1212	3056	AppLaunch.exe	31
PID 3056 wrote to memory of 1212	3056	AppLaunch.exe	31
PID 3056 wrote to memory of 1212	3056	AppLaunch.exe	31
PID 3056 wrote to memory of 1212	3056	AppLaunch.exe	31
PID 3056 wrote to memory of 1212	3056	AppLaunch.exe	31
PID 3056 wrote to memory of 1212	3056	AppLaunch.exe	31
PID 3056 wrote to memory of 1212	3056	AppLaunch.exe	31

C:\Users\Admin\AppData\Local\Temp\3bf82e78c1668578276f0eff8ede9d61d214f78b6d495764c740e0869abcb556.exe
"C:\Users\Admin\AppData\Local\Temp\3bf82e78c1668578276f0eff8ede9d61d214f78b6d495764c740e0869abcb556.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2256
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3056
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3056 -s 196
    3⤵
    - Program crash
    PID:1212
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2256 -s 76
  2⤵
  - Program crash
  PID:908

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3056-0-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3056-1-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3056-2-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3056-3-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3056-4-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3056-5-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3056-7-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3056-6-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/3056-9-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3056-11-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads