mystic | fdcfa93ccd168a11b0b2a8807870112efff6119d114b40fbd3843ea520cf262b

General

Target

fdcfa93ccd168a11b0b2a8807870112efff6119d114b40fbd3843ea520cf262b.exe
Size

276KB
MD5

8478353eea4ec0f9c17095bed9756786
SHA1

a4b498f13dc2f3bd7a4df11fad36745d56c595c5
SHA256

fdcfa93ccd168a11b0b2a8807870112efff6119d114b40fbd3843ea520cf262b
SHA512

3a2c7cbc017920339af30fa0801360927d124d6174c69216e64dd856bcd38adc979dab5d15356c7bf29472585a371e8622a02226d83fb671b755f17eadfc5a7b
SSDEEP

6144:Whn2KajWpVP06Yj++WIDsSH3bz6fpEKWLk82jD6Qrj:WUKajWu++WIDb3b2fUkLyuj

Score

10^/10

Malware Config

Signatures

Detect Mystic stealer payload 6 IoCs

resource	yara_rule
behavioral1/memory/2208-3-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/2208-4-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/2208-5-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/2208-7-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/2208-9-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/2208-11-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2108 set thread context of 2208	2108	fdcfa93ccd168a11b0b2a8807870112efff6119d114b40fbd3843ea520cf262b.exe	29

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1336	2108	WerFault.exe	14
2676	2208	WerFault.exe	29

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2108 wrote to memory of 2208	2108	fdcfa93ccd168a11b0b2a8807870112efff6119d114b40fbd3843ea520cf262b.exe	29
PID 2108 wrote to memory of 2208	2108	fdcfa93ccd168a11b0b2a8807870112efff6119d114b40fbd3843ea520cf262b.exe	29
PID 2108 wrote to memory of 2208	2108	fdcfa93ccd168a11b0b2a8807870112efff6119d114b40fbd3843ea520cf262b.exe	29
PID 2108 wrote to memory of 2208	2108	fdcfa93ccd168a11b0b2a8807870112efff6119d114b40fbd3843ea520cf262b.exe	29
PID 2108 wrote to memory of 2208	2108	fdcfa93ccd168a11b0b2a8807870112efff6119d114b40fbd3843ea520cf262b.exe	29
PID 2108 wrote to memory of 2208	2108	fdcfa93ccd168a11b0b2a8807870112efff6119d114b40fbd3843ea520cf262b.exe	29
PID 2108 wrote to memory of 2208	2108	fdcfa93ccd168a11b0b2a8807870112efff6119d114b40fbd3843ea520cf262b.exe	29
PID 2108 wrote to memory of 2208	2108	fdcfa93ccd168a11b0b2a8807870112efff6119d114b40fbd3843ea520cf262b.exe	29
PID 2108 wrote to memory of 2208	2108	fdcfa93ccd168a11b0b2a8807870112efff6119d114b40fbd3843ea520cf262b.exe	29
PID 2108 wrote to memory of 2208	2108	fdcfa93ccd168a11b0b2a8807870112efff6119d114b40fbd3843ea520cf262b.exe	29
PID 2108 wrote to memory of 2208	2108	fdcfa93ccd168a11b0b2a8807870112efff6119d114b40fbd3843ea520cf262b.exe	29
PID 2108 wrote to memory of 2208	2108	fdcfa93ccd168a11b0b2a8807870112efff6119d114b40fbd3843ea520cf262b.exe	29
PID 2108 wrote to memory of 2208	2108	fdcfa93ccd168a11b0b2a8807870112efff6119d114b40fbd3843ea520cf262b.exe	29
PID 2108 wrote to memory of 2208	2108	fdcfa93ccd168a11b0b2a8807870112efff6119d114b40fbd3843ea520cf262b.exe	29
PID 2108 wrote to memory of 1336	2108	fdcfa93ccd168a11b0b2a8807870112efff6119d114b40fbd3843ea520cf262b.exe	30
PID 2108 wrote to memory of 1336	2108	fdcfa93ccd168a11b0b2a8807870112efff6119d114b40fbd3843ea520cf262b.exe	30
PID 2108 wrote to memory of 1336	2108	fdcfa93ccd168a11b0b2a8807870112efff6119d114b40fbd3843ea520cf262b.exe	30
PID 2108 wrote to memory of 1336	2108	fdcfa93ccd168a11b0b2a8807870112efff6119d114b40fbd3843ea520cf262b.exe	30
PID 2208 wrote to memory of 2676	2208	AppLaunch.exe	31
PID 2208 wrote to memory of 2676	2208	AppLaunch.exe	31
PID 2208 wrote to memory of 2676	2208	AppLaunch.exe	31
PID 2208 wrote to memory of 2676	2208	AppLaunch.exe	31
PID 2208 wrote to memory of 2676	2208	AppLaunch.exe	31
PID 2208 wrote to memory of 2676	2208	AppLaunch.exe	31
PID 2208 wrote to memory of 2676	2208	AppLaunch.exe	31

C:\Users\Admin\AppData\Local\Temp\fdcfa93ccd168a11b0b2a8807870112efff6119d114b40fbd3843ea520cf262b.exe
"C:\Users\Admin\AppData\Local\Temp\fdcfa93ccd168a11b0b2a8807870112efff6119d114b40fbd3843ea520cf262b.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2108
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2208
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2208 -s 196
    3⤵
    - Program crash
    PID:2676
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2108 -s 68
  2⤵
  - Program crash
  PID:1336

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2208-0-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2208-1-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2208-2-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2208-3-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2208-4-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2208-5-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2208-6-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2208-7-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2208-9-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2208-11-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads