mystic | a23e825a219297f40d096df546a11e21e70c0642ebb04866cac9f8c991f16f83

General

Target

a23e825a219297f40d096df546a11e21e70c0642ebb04866cac9f8c991f16f83.exe
Size

379KB
MD5

36e4d7c38ed8609c3a2ffaa57d593809
SHA1

9903b576d9fc80f3ee65869f8cb6d025a863416b
SHA256

a23e825a219297f40d096df546a11e21e70c0642ebb04866cac9f8c991f16f83
SHA512

0c91e260f1719b80a9ea7b3179f12978fec4f008860dbb467d25a893191fba6e2d00f96012a46d89a80643c6367851af9bd7c9c6f674844750555fcda670eb37
SSDEEP

6144:GMecRgs3r9vIum2Tg0N63KAOw4VTudJ02l8reRaCJMvdg3F:GM1RP3r9Hmeau2qyRaCSvK3F

Score

10^/10

Malware Config

Signatures

Detect Mystic stealer payload 6 IoCs

resource	yara_rule
behavioral1/memory/1404-3-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/1404-4-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/1404-5-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/1404-7-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/1404-9-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/1404-11-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2420 set thread context of 1404	2420	a23e825a219297f40d096df546a11e21e70c0642ebb04866cac9f8c991f16f83.exe	27

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2448	2420	WerFault.exe	14
1908	1404	WerFault.exe	27

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2420 wrote to memory of 1404	2420	a23e825a219297f40d096df546a11e21e70c0642ebb04866cac9f8c991f16f83.exe	27
PID 2420 wrote to memory of 1404	2420	a23e825a219297f40d096df546a11e21e70c0642ebb04866cac9f8c991f16f83.exe	27
PID 2420 wrote to memory of 1404	2420	a23e825a219297f40d096df546a11e21e70c0642ebb04866cac9f8c991f16f83.exe	27
PID 2420 wrote to memory of 1404	2420	a23e825a219297f40d096df546a11e21e70c0642ebb04866cac9f8c991f16f83.exe	27
PID 2420 wrote to memory of 1404	2420	a23e825a219297f40d096df546a11e21e70c0642ebb04866cac9f8c991f16f83.exe	27
PID 2420 wrote to memory of 1404	2420	a23e825a219297f40d096df546a11e21e70c0642ebb04866cac9f8c991f16f83.exe	27
PID 2420 wrote to memory of 1404	2420	a23e825a219297f40d096df546a11e21e70c0642ebb04866cac9f8c991f16f83.exe	27
PID 2420 wrote to memory of 1404	2420	a23e825a219297f40d096df546a11e21e70c0642ebb04866cac9f8c991f16f83.exe	27
PID 2420 wrote to memory of 1404	2420	a23e825a219297f40d096df546a11e21e70c0642ebb04866cac9f8c991f16f83.exe	27
PID 2420 wrote to memory of 1404	2420	a23e825a219297f40d096df546a11e21e70c0642ebb04866cac9f8c991f16f83.exe	27
PID 2420 wrote to memory of 1404	2420	a23e825a219297f40d096df546a11e21e70c0642ebb04866cac9f8c991f16f83.exe	27
PID 2420 wrote to memory of 1404	2420	a23e825a219297f40d096df546a11e21e70c0642ebb04866cac9f8c991f16f83.exe	27
PID 2420 wrote to memory of 1404	2420	a23e825a219297f40d096df546a11e21e70c0642ebb04866cac9f8c991f16f83.exe	27
PID 2420 wrote to memory of 1404	2420	a23e825a219297f40d096df546a11e21e70c0642ebb04866cac9f8c991f16f83.exe	27
PID 2420 wrote to memory of 2448	2420	a23e825a219297f40d096df546a11e21e70c0642ebb04866cac9f8c991f16f83.exe	28
PID 2420 wrote to memory of 2448	2420	a23e825a219297f40d096df546a11e21e70c0642ebb04866cac9f8c991f16f83.exe	28
PID 2420 wrote to memory of 2448	2420	a23e825a219297f40d096df546a11e21e70c0642ebb04866cac9f8c991f16f83.exe	28
PID 2420 wrote to memory of 2448	2420	a23e825a219297f40d096df546a11e21e70c0642ebb04866cac9f8c991f16f83.exe	28
PID 1404 wrote to memory of 1908	1404	AppLaunch.exe	29
PID 1404 wrote to memory of 1908	1404	AppLaunch.exe	29
PID 1404 wrote to memory of 1908	1404	AppLaunch.exe	29
PID 1404 wrote to memory of 1908	1404	AppLaunch.exe	29
PID 1404 wrote to memory of 1908	1404	AppLaunch.exe	29
PID 1404 wrote to memory of 1908	1404	AppLaunch.exe	29
PID 1404 wrote to memory of 1908	1404	AppLaunch.exe	29

C:\Users\Admin\AppData\Local\Temp\a23e825a219297f40d096df546a11e21e70c0642ebb04866cac9f8c991f16f83.exe
"C:\Users\Admin\AppData\Local\Temp\a23e825a219297f40d096df546a11e21e70c0642ebb04866cac9f8c991f16f83.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2420
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1404
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1404 -s 196
    3⤵
    - Program crash
    PID:1908
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2420 -s 92
  2⤵
  - Program crash
  PID:2448

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1404-0-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1404-1-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1404-2-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1404-3-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1404-4-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1404-5-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1404-6-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/1404-7-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1404-9-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1404-11-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads