mystic | 295ec873225215ab37bdff973443fb9e4dc979361db1858346ae7ec6713b3d4a

General

Target

295ec873225215ab37bdff973443fb9e4dc979361db1858346ae7ec6713b3d4a.exe
Size

1016KB
MD5

181edf95529bfa716a5d92b569173567
SHA1

c6e15eabfba0089f3a66b44669ab59d9d0b9b2e3
SHA256

295ec873225215ab37bdff973443fb9e4dc979361db1858346ae7ec6713b3d4a
SHA512

cdf3d8f8b30f525c017f617745e8d4145d070fd31c2bfce66964f0b812f52ef03f990c50163ff8bd2dc6c88e3060922bafef20fd069aa700a028e68b4d000a30
SSDEEP

12288:D0zIlVZ87IYDKzcx9jkmP8bey7/0RDMmZZxnyUuyyuMiQnw0ph1rA9:DrOIYDKzcx9jkmPe/knxyxiAwAk9

Score

10^/10

Malware Config

Signatures

Detect Mystic stealer payload 6 IoCs

resource	yara_rule
behavioral1/memory/2716-3-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/2716-5-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/2716-4-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/2716-7-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/2716-9-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/2716-11-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3032 set thread context of 2716	3032	295ec873225215ab37bdff973443fb9e4dc979361db1858346ae7ec6713b3d4a.exe	30

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2744	3032	WerFault.exe	26
2836	2716	WerFault.exe	30

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 3032 wrote to memory of 2716	3032	295ec873225215ab37bdff973443fb9e4dc979361db1858346ae7ec6713b3d4a.exe	30
PID 3032 wrote to memory of 2716	3032	295ec873225215ab37bdff973443fb9e4dc979361db1858346ae7ec6713b3d4a.exe	30
PID 3032 wrote to memory of 2716	3032	295ec873225215ab37bdff973443fb9e4dc979361db1858346ae7ec6713b3d4a.exe	30
PID 3032 wrote to memory of 2716	3032	295ec873225215ab37bdff973443fb9e4dc979361db1858346ae7ec6713b3d4a.exe	30
PID 3032 wrote to memory of 2716	3032	295ec873225215ab37bdff973443fb9e4dc979361db1858346ae7ec6713b3d4a.exe	30
PID 3032 wrote to memory of 2716	3032	295ec873225215ab37bdff973443fb9e4dc979361db1858346ae7ec6713b3d4a.exe	30
PID 3032 wrote to memory of 2716	3032	295ec873225215ab37bdff973443fb9e4dc979361db1858346ae7ec6713b3d4a.exe	30
PID 3032 wrote to memory of 2716	3032	295ec873225215ab37bdff973443fb9e4dc979361db1858346ae7ec6713b3d4a.exe	30
PID 3032 wrote to memory of 2716	3032	295ec873225215ab37bdff973443fb9e4dc979361db1858346ae7ec6713b3d4a.exe	30
PID 3032 wrote to memory of 2716	3032	295ec873225215ab37bdff973443fb9e4dc979361db1858346ae7ec6713b3d4a.exe	30
PID 3032 wrote to memory of 2716	3032	295ec873225215ab37bdff973443fb9e4dc979361db1858346ae7ec6713b3d4a.exe	30
PID 3032 wrote to memory of 2716	3032	295ec873225215ab37bdff973443fb9e4dc979361db1858346ae7ec6713b3d4a.exe	30
PID 3032 wrote to memory of 2716	3032	295ec873225215ab37bdff973443fb9e4dc979361db1858346ae7ec6713b3d4a.exe	30
PID 3032 wrote to memory of 2716	3032	295ec873225215ab37bdff973443fb9e4dc979361db1858346ae7ec6713b3d4a.exe	30
PID 3032 wrote to memory of 2744	3032	295ec873225215ab37bdff973443fb9e4dc979361db1858346ae7ec6713b3d4a.exe	31
PID 3032 wrote to memory of 2744	3032	295ec873225215ab37bdff973443fb9e4dc979361db1858346ae7ec6713b3d4a.exe	31
PID 3032 wrote to memory of 2744	3032	295ec873225215ab37bdff973443fb9e4dc979361db1858346ae7ec6713b3d4a.exe	31
PID 3032 wrote to memory of 2744	3032	295ec873225215ab37bdff973443fb9e4dc979361db1858346ae7ec6713b3d4a.exe	31
PID 2716 wrote to memory of 2836	2716	AppLaunch.exe	32
PID 2716 wrote to memory of 2836	2716	AppLaunch.exe	32
PID 2716 wrote to memory of 2836	2716	AppLaunch.exe	32
PID 2716 wrote to memory of 2836	2716	AppLaunch.exe	32
PID 2716 wrote to memory of 2836	2716	AppLaunch.exe	32
PID 2716 wrote to memory of 2836	2716	AppLaunch.exe	32
PID 2716 wrote to memory of 2836	2716	AppLaunch.exe	32

C:\Users\Admin\AppData\Local\Temp\295ec873225215ab37bdff973443fb9e4dc979361db1858346ae7ec6713b3d4a.exe
"C:\Users\Admin\AppData\Local\Temp\295ec873225215ab37bdff973443fb9e4dc979361db1858346ae7ec6713b3d4a.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3032
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2716 -s 196
    3⤵
    - Program crash
    PID:2836
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3032 -s 92
  2⤵
  - Program crash
  PID:2744

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2716-1-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2716-0-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2716-2-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2716-3-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2716-5-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2716-6-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2716-4-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2716-7-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2716-9-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2716-11-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads