mystic | 1167a88cefca0900d0ef3e4f3579d7577c9ffc1c2cedfd723cf8ef2d5bbbfd2a

Analysis

max time kernel
126s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2023, 06:55

Target

18ef1d6332be0c8b9b67bfa92fa1aacfbff38f961adf124ca2104cf17898a269.exe
Size

1016KB
MD5

7dccae063e4b38bc0c58570f14a1960e
SHA1

0f854020abd45cb29b77cfef21b75f1a57047e95
SHA256

18ef1d6332be0c8b9b67bfa92fa1aacfbff38f961adf124ca2104cf17898a269
SHA512

82561f57d0d2517ab5f4eb332e9663f4480670ccbacb3ee0b91858f3386dcf8f93a8619169714fbbc7e083fe099252bfba60f51dc972612d06cdb9bb03791c86
SSDEEP

12288:e+NAoNYtBYDKzcx9jkmP8buy7/0RDMmZZxnyUuyyuCkYD5206NZqPiu/9:eo6YDKzcx9jkmP+/knxyfkYD52V+PT9

Score

10^/10

mystic stealer

Family

mystic

http://5.42.92.211/loghub/master

Detect Mystic stealer payload 5 IoCs

resource	yara_rule
behavioral2/memory/4308-0-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/4308-3-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/4308-2-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/4308-1-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/4308-4-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4820 set thread context of 4308	4820	18ef1d6332be0c8b9b67bfa92fa1aacfbff38f961adf124ca2104cf17898a269.exe	70

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1776	4820	WerFault.exe	20

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 4820 wrote to memory of 4308	4820	18ef1d6332be0c8b9b67bfa92fa1aacfbff38f961adf124ca2104cf17898a269.exe	70
PID 4820 wrote to memory of 4308	4820	18ef1d6332be0c8b9b67bfa92fa1aacfbff38f961adf124ca2104cf17898a269.exe	70
PID 4820 wrote to memory of 4308	4820	18ef1d6332be0c8b9b67bfa92fa1aacfbff38f961adf124ca2104cf17898a269.exe	70
PID 4820 wrote to memory of 4308	4820	18ef1d6332be0c8b9b67bfa92fa1aacfbff38f961adf124ca2104cf17898a269.exe	70
PID 4820 wrote to memory of 4308	4820	18ef1d6332be0c8b9b67bfa92fa1aacfbff38f961adf124ca2104cf17898a269.exe	70
PID 4820 wrote to memory of 4308	4820	18ef1d6332be0c8b9b67bfa92fa1aacfbff38f961adf124ca2104cf17898a269.exe	70
PID 4820 wrote to memory of 4308	4820	18ef1d6332be0c8b9b67bfa92fa1aacfbff38f961adf124ca2104cf17898a269.exe	70
PID 4820 wrote to memory of 4308	4820	18ef1d6332be0c8b9b67bfa92fa1aacfbff38f961adf124ca2104cf17898a269.exe	70
PID 4820 wrote to memory of 4308	4820	18ef1d6332be0c8b9b67bfa92fa1aacfbff38f961adf124ca2104cf17898a269.exe	70
PID 4820 wrote to memory of 4308	4820	18ef1d6332be0c8b9b67bfa92fa1aacfbff38f961adf124ca2104cf17898a269.exe	70

C:\Users\Admin\AppData\Local\Temp\18ef1d6332be0c8b9b67bfa92fa1aacfbff38f961adf124ca2104cf17898a269.exe
"C:\Users\Admin\AppData\Local\Temp\18ef1d6332be0c8b9b67bfa92fa1aacfbff38f961adf124ca2104cf17898a269.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4820
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:4308
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 300
  2⤵
  - Program crash
  PID:1776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4820 -ip 4820
1⤵
PID:3624

memory/4308-0-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4308-3-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4308-2-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4308-1-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4308-4-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download