mystic | f7cb850d3461f742356beb890fc8eb14af08185d3f371bbf35ca39c8583cd24f

General

Target

f7cb850d3461f742356beb890fc8eb14af08185d3f371bbf35ca39c8583cd24f.exe
Size

356KB
MD5

e7e09c5075a4b1659442d3d3a6663ddf
SHA1

4011e1a610ae62c1c7329985de9635d782aef860
SHA256

f7cb850d3461f742356beb890fc8eb14af08185d3f371bbf35ca39c8583cd24f
SHA512

79766c71cc9aaacb958de6f195341ca76c1ef7ae583605b92df836655d8aa45672f4057f1efedf25f307f6fdc67c25e0b0d80d62ae0b59bb46267fa8617edb90
SSDEEP

6144:khTeW/s5GqrO5aXnfEGIXWPvZAONyMY2EO0+h8vIj0AKUVkullH9aEvLe9Vs0BC+:RmcGqrOk86x/YEv+s0BC+

Score

10^/10

Malware Config

Signatures

Detect Mystic stealer payload 6 IoCs

resource	yara_rule
behavioral1/memory/2636-7-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/2636-5-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/2636-4-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/2636-3-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/2636-9-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/2636-11-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2264 set thread context of 2636	2264	f7cb850d3461f742356beb890fc8eb14af08185d3f371bbf35ca39c8583cd24f.exe	30

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2796	2264	WerFault.exe	1
2616	2636	WerFault.exe	30

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2264 wrote to memory of 2636	2264	f7cb850d3461f742356beb890fc8eb14af08185d3f371bbf35ca39c8583cd24f.exe	30
PID 2264 wrote to memory of 2636	2264	f7cb850d3461f742356beb890fc8eb14af08185d3f371bbf35ca39c8583cd24f.exe	30
PID 2264 wrote to memory of 2636	2264	f7cb850d3461f742356beb890fc8eb14af08185d3f371bbf35ca39c8583cd24f.exe	30
PID 2264 wrote to memory of 2636	2264	f7cb850d3461f742356beb890fc8eb14af08185d3f371bbf35ca39c8583cd24f.exe	30
PID 2264 wrote to memory of 2636	2264	f7cb850d3461f742356beb890fc8eb14af08185d3f371bbf35ca39c8583cd24f.exe	30
PID 2264 wrote to memory of 2636	2264	f7cb850d3461f742356beb890fc8eb14af08185d3f371bbf35ca39c8583cd24f.exe	30
PID 2264 wrote to memory of 2636	2264	f7cb850d3461f742356beb890fc8eb14af08185d3f371bbf35ca39c8583cd24f.exe	30
PID 2264 wrote to memory of 2636	2264	f7cb850d3461f742356beb890fc8eb14af08185d3f371bbf35ca39c8583cd24f.exe	30
PID 2264 wrote to memory of 2636	2264	f7cb850d3461f742356beb890fc8eb14af08185d3f371bbf35ca39c8583cd24f.exe	30
PID 2264 wrote to memory of 2636	2264	f7cb850d3461f742356beb890fc8eb14af08185d3f371bbf35ca39c8583cd24f.exe	30
PID 2264 wrote to memory of 2636	2264	f7cb850d3461f742356beb890fc8eb14af08185d3f371bbf35ca39c8583cd24f.exe	30
PID 2264 wrote to memory of 2636	2264	f7cb850d3461f742356beb890fc8eb14af08185d3f371bbf35ca39c8583cd24f.exe	30
PID 2264 wrote to memory of 2636	2264	f7cb850d3461f742356beb890fc8eb14af08185d3f371bbf35ca39c8583cd24f.exe	30
PID 2264 wrote to memory of 2636	2264	f7cb850d3461f742356beb890fc8eb14af08185d3f371bbf35ca39c8583cd24f.exe	30
PID 2264 wrote to memory of 2796	2264	f7cb850d3461f742356beb890fc8eb14af08185d3f371bbf35ca39c8583cd24f.exe	31
PID 2264 wrote to memory of 2796	2264	f7cb850d3461f742356beb890fc8eb14af08185d3f371bbf35ca39c8583cd24f.exe	31
PID 2264 wrote to memory of 2796	2264	f7cb850d3461f742356beb890fc8eb14af08185d3f371bbf35ca39c8583cd24f.exe	31
PID 2264 wrote to memory of 2796	2264	f7cb850d3461f742356beb890fc8eb14af08185d3f371bbf35ca39c8583cd24f.exe	31
PID 2636 wrote to memory of 2616	2636	AppLaunch.exe	32
PID 2636 wrote to memory of 2616	2636	AppLaunch.exe	32
PID 2636 wrote to memory of 2616	2636	AppLaunch.exe	32
PID 2636 wrote to memory of 2616	2636	AppLaunch.exe	32
PID 2636 wrote to memory of 2616	2636	AppLaunch.exe	32
PID 2636 wrote to memory of 2616	2636	AppLaunch.exe	32
PID 2636 wrote to memory of 2616	2636	AppLaunch.exe	32

C:\Users\Admin\AppData\Local\Temp\f7cb850d3461f742356beb890fc8eb14af08185d3f371bbf35ca39c8583cd24f.exe
"C:\Users\Admin\AppData\Local\Temp\f7cb850d3461f742356beb890fc8eb14af08185d3f371bbf35ca39c8583cd24f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2264
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2636
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2636 -s 196
    3⤵
    - Program crash
    PID:2616
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2264 -s 76
  2⤵
  - Program crash
  PID:2796

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2636-1-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2636-6-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2636-7-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2636-5-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2636-4-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2636-3-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2636-2-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2636-0-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2636-9-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2636-11-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads