mystic | bd6809262e18c2639efa48967d8764232fa9ba31dc97df2ed33f7c9fbfe0623e

Analysis

max time kernel
140s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2023, 12:23

Target

bd6809262e18c2639efa48967d8764232fa9ba31dc97df2ed33f7c9fbfe0623e.exe
Size

379KB
MD5

e04d14cd921c4d462ddafc16c1cddee2
SHA1

5b110b7263ad4736fb8ddb35c731e16802e47ffe
SHA256

bd6809262e18c2639efa48967d8764232fa9ba31dc97df2ed33f7c9fbfe0623e
SHA512

2be3c3612236eee06d3645dc230fc947b8d53e8f2d57114cb03d82fafdb20f09720c1cd13101b2f3b68d34c15f8ce1056f3a357f57bf53a81581f37e63117945
SSDEEP

6144:HEAZcRgs3r9vIum2Tg0N63KAORXqfQVW98ngsr9AlK51Qtosg3F:HE5RP3r9HmebafYWarew1Qti3F

Score

10^/10

mystic stealer

Family

mystic

http://5.42.92.211/loghub/master

Detect Mystic stealer payload 5 IoCs

resource	yara_rule
behavioral2/memory/1520-0-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/1520-1-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/1520-2-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/1520-3-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/1520-4-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3700 set thread context of 1520	3700	bd6809262e18c2639efa48967d8764232fa9ba31dc97df2ed33f7c9fbfe0623e.exe	83

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1044	3700	WerFault.exe	81

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 3700 wrote to memory of 1520	3700	bd6809262e18c2639efa48967d8764232fa9ba31dc97df2ed33f7c9fbfe0623e.exe	83
PID 3700 wrote to memory of 1520	3700	bd6809262e18c2639efa48967d8764232fa9ba31dc97df2ed33f7c9fbfe0623e.exe	83
PID 3700 wrote to memory of 1520	3700	bd6809262e18c2639efa48967d8764232fa9ba31dc97df2ed33f7c9fbfe0623e.exe	83
PID 3700 wrote to memory of 1520	3700	bd6809262e18c2639efa48967d8764232fa9ba31dc97df2ed33f7c9fbfe0623e.exe	83
PID 3700 wrote to memory of 1520	3700	bd6809262e18c2639efa48967d8764232fa9ba31dc97df2ed33f7c9fbfe0623e.exe	83
PID 3700 wrote to memory of 1520	3700	bd6809262e18c2639efa48967d8764232fa9ba31dc97df2ed33f7c9fbfe0623e.exe	83
PID 3700 wrote to memory of 1520	3700	bd6809262e18c2639efa48967d8764232fa9ba31dc97df2ed33f7c9fbfe0623e.exe	83
PID 3700 wrote to memory of 1520	3700	bd6809262e18c2639efa48967d8764232fa9ba31dc97df2ed33f7c9fbfe0623e.exe	83
PID 3700 wrote to memory of 1520	3700	bd6809262e18c2639efa48967d8764232fa9ba31dc97df2ed33f7c9fbfe0623e.exe	83
PID 3700 wrote to memory of 1520	3700	bd6809262e18c2639efa48967d8764232fa9ba31dc97df2ed33f7c9fbfe0623e.exe	83

C:\Users\Admin\AppData\Local\Temp\bd6809262e18c2639efa48967d8764232fa9ba31dc97df2ed33f7c9fbfe0623e.exe
"C:\Users\Admin\AppData\Local\Temp\bd6809262e18c2639efa48967d8764232fa9ba31dc97df2ed33f7c9fbfe0623e.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3700
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:1520
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3700 -s 296
  2⤵
  - Program crash
  PID:1044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3700 -ip 3700
1⤵
PID:3316

memory/1520-0-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1520-1-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1520-2-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1520-3-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1520-4-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download