mystic | 37039734722887d3e0608288bb7a62ddc24545b092d49e1d9413fdb060a48c15

General

Target

37039734722887d3e0608288bb7a62ddc24545b092d49e1d9413fdb060a48c15.exe
Size

1016KB
MD5

6c591851197d7f906bbd1deb2d213fae
SHA1

9ba2ad55ca33d307ca613f5367c39d49eb8f4c2b
SHA256

37039734722887d3e0608288bb7a62ddc24545b092d49e1d9413fdb060a48c15
SHA512

d7289f835f32b9f75f8053d14448b714a57f2ccce3c2a007df364473a17d1b667a3a5e72aef459da81cf27d24d6ba77fa67ec88a98f0d3adbf096a1e2fdeede4
SSDEEP

12288:k+FAoeYjBYDKzcx9jkmP8buy7/0RDMmZZxnyUuyyuT+kF/SX7FJ0e/9:kfQYDKzcx9jkmP+/knxyC/67719

Score

10^/10

Malware Config

Signatures

Detect Mystic stealer payload 6 IoCs

resource	yara_rule
behavioral1/memory/1576-3-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/1576-5-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/1576-7-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/1576-4-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/1576-9-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/1576-11-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2440 set thread context of 1576	2440	37039734722887d3e0608288bb7a62ddc24545b092d49e1d9413fdb060a48c15.exe	29

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2292	2440	WerFault.exe	15
1516	1576	WerFault.exe	29

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2440 wrote to memory of 1576	2440	37039734722887d3e0608288bb7a62ddc24545b092d49e1d9413fdb060a48c15.exe	29
PID 2440 wrote to memory of 1576	2440	37039734722887d3e0608288bb7a62ddc24545b092d49e1d9413fdb060a48c15.exe	29
PID 2440 wrote to memory of 1576	2440	37039734722887d3e0608288bb7a62ddc24545b092d49e1d9413fdb060a48c15.exe	29
PID 2440 wrote to memory of 1576	2440	37039734722887d3e0608288bb7a62ddc24545b092d49e1d9413fdb060a48c15.exe	29
PID 2440 wrote to memory of 1576	2440	37039734722887d3e0608288bb7a62ddc24545b092d49e1d9413fdb060a48c15.exe	29
PID 2440 wrote to memory of 1576	2440	37039734722887d3e0608288bb7a62ddc24545b092d49e1d9413fdb060a48c15.exe	29
PID 2440 wrote to memory of 1576	2440	37039734722887d3e0608288bb7a62ddc24545b092d49e1d9413fdb060a48c15.exe	29
PID 2440 wrote to memory of 1576	2440	37039734722887d3e0608288bb7a62ddc24545b092d49e1d9413fdb060a48c15.exe	29
PID 2440 wrote to memory of 1576	2440	37039734722887d3e0608288bb7a62ddc24545b092d49e1d9413fdb060a48c15.exe	29
PID 2440 wrote to memory of 1576	2440	37039734722887d3e0608288bb7a62ddc24545b092d49e1d9413fdb060a48c15.exe	29
PID 2440 wrote to memory of 1576	2440	37039734722887d3e0608288bb7a62ddc24545b092d49e1d9413fdb060a48c15.exe	29
PID 2440 wrote to memory of 1576	2440	37039734722887d3e0608288bb7a62ddc24545b092d49e1d9413fdb060a48c15.exe	29
PID 2440 wrote to memory of 1576	2440	37039734722887d3e0608288bb7a62ddc24545b092d49e1d9413fdb060a48c15.exe	29
PID 2440 wrote to memory of 1576	2440	37039734722887d3e0608288bb7a62ddc24545b092d49e1d9413fdb060a48c15.exe	29
PID 2440 wrote to memory of 2292	2440	37039734722887d3e0608288bb7a62ddc24545b092d49e1d9413fdb060a48c15.exe	30
PID 2440 wrote to memory of 2292	2440	37039734722887d3e0608288bb7a62ddc24545b092d49e1d9413fdb060a48c15.exe	30
PID 2440 wrote to memory of 2292	2440	37039734722887d3e0608288bb7a62ddc24545b092d49e1d9413fdb060a48c15.exe	30
PID 2440 wrote to memory of 2292	2440	37039734722887d3e0608288bb7a62ddc24545b092d49e1d9413fdb060a48c15.exe	30
PID 1576 wrote to memory of 1516	1576	AppLaunch.exe	31
PID 1576 wrote to memory of 1516	1576	AppLaunch.exe	31
PID 1576 wrote to memory of 1516	1576	AppLaunch.exe	31
PID 1576 wrote to memory of 1516	1576	AppLaunch.exe	31
PID 1576 wrote to memory of 1516	1576	AppLaunch.exe	31
PID 1576 wrote to memory of 1516	1576	AppLaunch.exe	31
PID 1576 wrote to memory of 1516	1576	AppLaunch.exe	31

C:\Users\Admin\AppData\Local\Temp\37039734722887d3e0608288bb7a62ddc24545b092d49e1d9413fdb060a48c15.exe
"C:\Users\Admin\AppData\Local\Temp\37039734722887d3e0608288bb7a62ddc24545b092d49e1d9413fdb060a48c15.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2440
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1576
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1576 -s 196
    3⤵
    - Program crash
    PID:1516
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2440 -s 92
  2⤵
  - Program crash
  PID:2292

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1576-3-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1576-6-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/1576-5-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1576-7-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1576-4-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1576-2-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1576-1-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1576-0-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1576-9-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1576-11-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads