mystic | 9b37dd08720cab6f736d09c532374e6cfac8fee8d016df2eba9ac2d082d18363

General

Target

9b37dd08720cab6f736d09c532374e6cfac8fee8d016df2eba9ac2d082d18363.exe
Size

346KB
MD5

5816f87b1f99d45de4ffc6365e630c97
SHA1

67348c88395e276a75cd4e373161c90d9a4efc66
SHA256

9b37dd08720cab6f736d09c532374e6cfac8fee8d016df2eba9ac2d082d18363
SHA512

259c3a2c1b523badfc93bc9eafb75b68d50f1c4514293cc56766932bdb0f85429db8507a0550a8e5fa6be1234640e943c0a99b77b3af829d5525a94f0d03e49e
SSDEEP

6144:OfC0ljS9PgGzqLHvw1t6mAOLUDm0Evhjgz3OeuSFmjBTxq3viKC:OfpS9PgGimeK0oEzjrKx8iKC

Score

10^/10

Malware Config

Signatures

Detect Mystic stealer payload 6 IoCs

resource	yara_rule
behavioral1/memory/2648-3-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/2648-4-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/2648-7-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/2648-5-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/2648-9-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/2648-11-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2736 set thread context of 2648	2736	9b37dd08720cab6f736d09c532374e6cfac8fee8d016df2eba9ac2d082d18363.exe	30

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2636	2736	WerFault.exe	6
2760	2648	WerFault.exe	30

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2736 wrote to memory of 2648	2736	9b37dd08720cab6f736d09c532374e6cfac8fee8d016df2eba9ac2d082d18363.exe	30
PID 2736 wrote to memory of 2648	2736	9b37dd08720cab6f736d09c532374e6cfac8fee8d016df2eba9ac2d082d18363.exe	30
PID 2736 wrote to memory of 2648	2736	9b37dd08720cab6f736d09c532374e6cfac8fee8d016df2eba9ac2d082d18363.exe	30
PID 2736 wrote to memory of 2648	2736	9b37dd08720cab6f736d09c532374e6cfac8fee8d016df2eba9ac2d082d18363.exe	30
PID 2736 wrote to memory of 2648	2736	9b37dd08720cab6f736d09c532374e6cfac8fee8d016df2eba9ac2d082d18363.exe	30
PID 2736 wrote to memory of 2648	2736	9b37dd08720cab6f736d09c532374e6cfac8fee8d016df2eba9ac2d082d18363.exe	30
PID 2736 wrote to memory of 2648	2736	9b37dd08720cab6f736d09c532374e6cfac8fee8d016df2eba9ac2d082d18363.exe	30
PID 2736 wrote to memory of 2648	2736	9b37dd08720cab6f736d09c532374e6cfac8fee8d016df2eba9ac2d082d18363.exe	30
PID 2736 wrote to memory of 2648	2736	9b37dd08720cab6f736d09c532374e6cfac8fee8d016df2eba9ac2d082d18363.exe	30
PID 2736 wrote to memory of 2648	2736	9b37dd08720cab6f736d09c532374e6cfac8fee8d016df2eba9ac2d082d18363.exe	30
PID 2736 wrote to memory of 2648	2736	9b37dd08720cab6f736d09c532374e6cfac8fee8d016df2eba9ac2d082d18363.exe	30
PID 2736 wrote to memory of 2648	2736	9b37dd08720cab6f736d09c532374e6cfac8fee8d016df2eba9ac2d082d18363.exe	30
PID 2736 wrote to memory of 2648	2736	9b37dd08720cab6f736d09c532374e6cfac8fee8d016df2eba9ac2d082d18363.exe	30
PID 2736 wrote to memory of 2648	2736	9b37dd08720cab6f736d09c532374e6cfac8fee8d016df2eba9ac2d082d18363.exe	30
PID 2736 wrote to memory of 2636	2736	9b37dd08720cab6f736d09c532374e6cfac8fee8d016df2eba9ac2d082d18363.exe	31
PID 2736 wrote to memory of 2636	2736	9b37dd08720cab6f736d09c532374e6cfac8fee8d016df2eba9ac2d082d18363.exe	31
PID 2736 wrote to memory of 2636	2736	9b37dd08720cab6f736d09c532374e6cfac8fee8d016df2eba9ac2d082d18363.exe	31
PID 2736 wrote to memory of 2636	2736	9b37dd08720cab6f736d09c532374e6cfac8fee8d016df2eba9ac2d082d18363.exe	31
PID 2648 wrote to memory of 2760	2648	AppLaunch.exe	32
PID 2648 wrote to memory of 2760	2648	AppLaunch.exe	32
PID 2648 wrote to memory of 2760	2648	AppLaunch.exe	32
PID 2648 wrote to memory of 2760	2648	AppLaunch.exe	32
PID 2648 wrote to memory of 2760	2648	AppLaunch.exe	32
PID 2648 wrote to memory of 2760	2648	AppLaunch.exe	32
PID 2648 wrote to memory of 2760	2648	AppLaunch.exe	32

C:\Users\Admin\AppData\Local\Temp\9b37dd08720cab6f736d09c532374e6cfac8fee8d016df2eba9ac2d082d18363.exe
"C:\Users\Admin\AppData\Local\Temp\9b37dd08720cab6f736d09c532374e6cfac8fee8d016df2eba9ac2d082d18363.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2736
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2648
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2648 -s 196
    3⤵
    - Program crash
    PID:2760
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2736 -s 120
  2⤵
  - Program crash
  PID:2636

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2648-0-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2648-1-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2648-2-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2648-3-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2648-4-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2648-7-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2648-6-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2648-5-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2648-9-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2648-11-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads