mystic | 1167a88cefca0900d0ef3e4f3579d7577c9ffc1c2cedfd723cf8ef2d5bbbfd2a

General

Target

18ef1d6332be0c8b9b67bfa92fa1aacfbff38f961adf124ca2104cf17898a269.exe
Size

1016KB
MD5

7dccae063e4b38bc0c58570f14a1960e
SHA1

0f854020abd45cb29b77cfef21b75f1a57047e95
SHA256

18ef1d6332be0c8b9b67bfa92fa1aacfbff38f961adf124ca2104cf17898a269
SHA512

82561f57d0d2517ab5f4eb332e9663f4480670ccbacb3ee0b91858f3386dcf8f93a8619169714fbbc7e083fe099252bfba60f51dc972612d06cdb9bb03791c86
SSDEEP

12288:e+NAoNYtBYDKzcx9jkmP8buy7/0RDMmZZxnyUuyyuCkYD5206NZqPiu/9:eo6YDKzcx9jkmP+/knxyfkYD52V+PT9

Score

10^/10

Malware Config

Signatures

Detect Mystic stealer payload 6 IoCs

resource	yara_rule
behavioral1/memory/852-3-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/852-4-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/852-5-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/852-7-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/852-9-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/852-11-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2436 set thread context of 852	2436	18ef1d6332be0c8b9b67bfa92fa1aacfbff38f961adf124ca2104cf17898a269.exe	29

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2632	2436	WerFault.exe	27
2712	852	WerFault.exe	29

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2436 wrote to memory of 852	2436	18ef1d6332be0c8b9b67bfa92fa1aacfbff38f961adf124ca2104cf17898a269.exe	29
PID 2436 wrote to memory of 852	2436	18ef1d6332be0c8b9b67bfa92fa1aacfbff38f961adf124ca2104cf17898a269.exe	29
PID 2436 wrote to memory of 852	2436	18ef1d6332be0c8b9b67bfa92fa1aacfbff38f961adf124ca2104cf17898a269.exe	29
PID 2436 wrote to memory of 852	2436	18ef1d6332be0c8b9b67bfa92fa1aacfbff38f961adf124ca2104cf17898a269.exe	29
PID 2436 wrote to memory of 852	2436	18ef1d6332be0c8b9b67bfa92fa1aacfbff38f961adf124ca2104cf17898a269.exe	29
PID 2436 wrote to memory of 852	2436	18ef1d6332be0c8b9b67bfa92fa1aacfbff38f961adf124ca2104cf17898a269.exe	29
PID 2436 wrote to memory of 852	2436	18ef1d6332be0c8b9b67bfa92fa1aacfbff38f961adf124ca2104cf17898a269.exe	29
PID 2436 wrote to memory of 852	2436	18ef1d6332be0c8b9b67bfa92fa1aacfbff38f961adf124ca2104cf17898a269.exe	29
PID 2436 wrote to memory of 852	2436	18ef1d6332be0c8b9b67bfa92fa1aacfbff38f961adf124ca2104cf17898a269.exe	29
PID 2436 wrote to memory of 852	2436	18ef1d6332be0c8b9b67bfa92fa1aacfbff38f961adf124ca2104cf17898a269.exe	29
PID 2436 wrote to memory of 852	2436	18ef1d6332be0c8b9b67bfa92fa1aacfbff38f961adf124ca2104cf17898a269.exe	29
PID 2436 wrote to memory of 852	2436	18ef1d6332be0c8b9b67bfa92fa1aacfbff38f961adf124ca2104cf17898a269.exe	29
PID 2436 wrote to memory of 852	2436	18ef1d6332be0c8b9b67bfa92fa1aacfbff38f961adf124ca2104cf17898a269.exe	29
PID 2436 wrote to memory of 852	2436	18ef1d6332be0c8b9b67bfa92fa1aacfbff38f961adf124ca2104cf17898a269.exe	29
PID 2436 wrote to memory of 2632	2436	18ef1d6332be0c8b9b67bfa92fa1aacfbff38f961adf124ca2104cf17898a269.exe	30
PID 2436 wrote to memory of 2632	2436	18ef1d6332be0c8b9b67bfa92fa1aacfbff38f961adf124ca2104cf17898a269.exe	30
PID 2436 wrote to memory of 2632	2436	18ef1d6332be0c8b9b67bfa92fa1aacfbff38f961adf124ca2104cf17898a269.exe	30
PID 2436 wrote to memory of 2632	2436	18ef1d6332be0c8b9b67bfa92fa1aacfbff38f961adf124ca2104cf17898a269.exe	30
PID 852 wrote to memory of 2712	852	AppLaunch.exe	31
PID 852 wrote to memory of 2712	852	AppLaunch.exe	31
PID 852 wrote to memory of 2712	852	AppLaunch.exe	31
PID 852 wrote to memory of 2712	852	AppLaunch.exe	31
PID 852 wrote to memory of 2712	852	AppLaunch.exe	31
PID 852 wrote to memory of 2712	852	AppLaunch.exe	31
PID 852 wrote to memory of 2712	852	AppLaunch.exe	31

C:\Users\Admin\AppData\Local\Temp\18ef1d6332be0c8b9b67bfa92fa1aacfbff38f961adf124ca2104cf17898a269.exe
"C:\Users\Admin\AppData\Local\Temp\18ef1d6332be0c8b9b67bfa92fa1aacfbff38f961adf124ca2104cf17898a269.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2436
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:852
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 852 -s 196
    3⤵
    - Program crash
    PID:2712
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2436 -s 92
  2⤵
  - Program crash
  PID:2632

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/852-0-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/852-2-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/852-1-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/852-3-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/852-4-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/852-5-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/852-7-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/852-6-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/852-9-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/852-11-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads