mystic | a2c9bc7b50def8e84455e289696de3843f7a3cc398826ecba28f2293d0609544

General

Target

a2c9bc7b50def8e84455e289696de3843f7a3cc398826ecba28f2293d0609544.exe
Size

356KB
MD5

f3ccb4915b813eae646c48b84e30aadc
SHA1

4965383edae445aa058b8c2adefc88dc621722a8
SHA256

a2c9bc7b50def8e84455e289696de3843f7a3cc398826ecba28f2293d0609544
SHA512

dfc4ae977ad2d8f61f54b4083a9b7a6bd9c7cb71cd63be319674397126da0acf011bdef5ea0614ed9680f51c7245408c64a524315b5765beaca30d27721c3477
SSDEEP

6144:hKTeW/s5GqrO5aXnfEGIXWPvZAOnyqvJy+lPVIPaIHvVs0BC+:5mcGqrOk86xx0+l98a4s0BC+

Score

10^/10

Malware Config

Signatures

Detect Mystic stealer payload 6 IoCs

resource	yara_rule
behavioral1/memory/1228-3-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/1228-5-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/1228-4-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/1228-7-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/1228-9-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/1228-11-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2252 set thread context of 1228	2252	a2c9bc7b50def8e84455e289696de3843f7a3cc398826ecba28f2293d0609544.exe	29

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2648	2252	WerFault.exe	19
2756	1228	WerFault.exe	29

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2252 wrote to memory of 1228	2252	a2c9bc7b50def8e84455e289696de3843f7a3cc398826ecba28f2293d0609544.exe	29
PID 2252 wrote to memory of 1228	2252	a2c9bc7b50def8e84455e289696de3843f7a3cc398826ecba28f2293d0609544.exe	29
PID 2252 wrote to memory of 1228	2252	a2c9bc7b50def8e84455e289696de3843f7a3cc398826ecba28f2293d0609544.exe	29
PID 2252 wrote to memory of 1228	2252	a2c9bc7b50def8e84455e289696de3843f7a3cc398826ecba28f2293d0609544.exe	29
PID 2252 wrote to memory of 1228	2252	a2c9bc7b50def8e84455e289696de3843f7a3cc398826ecba28f2293d0609544.exe	29
PID 2252 wrote to memory of 1228	2252	a2c9bc7b50def8e84455e289696de3843f7a3cc398826ecba28f2293d0609544.exe	29
PID 2252 wrote to memory of 1228	2252	a2c9bc7b50def8e84455e289696de3843f7a3cc398826ecba28f2293d0609544.exe	29
PID 2252 wrote to memory of 1228	2252	a2c9bc7b50def8e84455e289696de3843f7a3cc398826ecba28f2293d0609544.exe	29
PID 2252 wrote to memory of 1228	2252	a2c9bc7b50def8e84455e289696de3843f7a3cc398826ecba28f2293d0609544.exe	29
PID 2252 wrote to memory of 1228	2252	a2c9bc7b50def8e84455e289696de3843f7a3cc398826ecba28f2293d0609544.exe	29
PID 2252 wrote to memory of 1228	2252	a2c9bc7b50def8e84455e289696de3843f7a3cc398826ecba28f2293d0609544.exe	29
PID 2252 wrote to memory of 1228	2252	a2c9bc7b50def8e84455e289696de3843f7a3cc398826ecba28f2293d0609544.exe	29
PID 2252 wrote to memory of 1228	2252	a2c9bc7b50def8e84455e289696de3843f7a3cc398826ecba28f2293d0609544.exe	29
PID 2252 wrote to memory of 1228	2252	a2c9bc7b50def8e84455e289696de3843f7a3cc398826ecba28f2293d0609544.exe	29
PID 2252 wrote to memory of 2648	2252	a2c9bc7b50def8e84455e289696de3843f7a3cc398826ecba28f2293d0609544.exe	30
PID 2252 wrote to memory of 2648	2252	a2c9bc7b50def8e84455e289696de3843f7a3cc398826ecba28f2293d0609544.exe	30
PID 2252 wrote to memory of 2648	2252	a2c9bc7b50def8e84455e289696de3843f7a3cc398826ecba28f2293d0609544.exe	30
PID 2252 wrote to memory of 2648	2252	a2c9bc7b50def8e84455e289696de3843f7a3cc398826ecba28f2293d0609544.exe	30
PID 1228 wrote to memory of 2756	1228	AppLaunch.exe	31
PID 1228 wrote to memory of 2756	1228	AppLaunch.exe	31
PID 1228 wrote to memory of 2756	1228	AppLaunch.exe	31
PID 1228 wrote to memory of 2756	1228	AppLaunch.exe	31
PID 1228 wrote to memory of 2756	1228	AppLaunch.exe	31
PID 1228 wrote to memory of 2756	1228	AppLaunch.exe	31
PID 1228 wrote to memory of 2756	1228	AppLaunch.exe	31

C:\Users\Admin\AppData\Local\Temp\a2c9bc7b50def8e84455e289696de3843f7a3cc398826ecba28f2293d0609544.exe
"C:\Users\Admin\AppData\Local\Temp\a2c9bc7b50def8e84455e289696de3843f7a3cc398826ecba28f2293d0609544.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2252
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1228
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1228 -s 196
    3⤵
    - Program crash
    PID:2756
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2252 -s 76
  2⤵
  - Program crash
  PID:2648

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1228-2-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1228-3-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1228-1-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1228-0-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1228-6-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/1228-5-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1228-4-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1228-7-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1228-9-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1228-11-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads