mystic | 1e818621e629bc06a70b61ca7a68f5a77a26b6010e84c769091c64a0dfdf5adc

General

Target

1e818621e629bc06a70b61ca7a68f5a77a26b6010e84c769091c64a0dfdf5adc.exe
Size

379KB
MD5

390bc29db02b22ab38ba8e962006dc08
SHA1

e26c1c7e30da099ba6f020b87f00e9b275440655
SHA256

1e818621e629bc06a70b61ca7a68f5a77a26b6010e84c769091c64a0dfdf5adc
SHA512

3c67e2a3fa5e314acad7a3e9aae57d30867ddd70f132d5b5cf330f3d7ba4a1825ca154760a7f3cd236db773c0472aa757816cb33133bd22dacf2004465de8570
SSDEEP

6144:Mu2cRgs3r9vIum2Tg0N63KAOi8FGKdChXhl0ZwlnFMkYyrwzYaREDL+f8UPcOoeK:MuNRP3r9Hmes8/3wlnFMkYc2YsEOf8UA

Score

10^/10

Malware Config

Signatures

Detect Mystic stealer payload 6 IoCs

resource	yara_rule
behavioral1/memory/1452-3-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/1452-4-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/1452-5-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/1452-7-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/1452-9-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/1452-11-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2852 set thread context of 1452	2852	1e818621e629bc06a70b61ca7a68f5a77a26b6010e84c769091c64a0dfdf5adc.exe	28

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1100	2852	WerFault.exe	26
2776	1452	WerFault.exe	28

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2852 wrote to memory of 1452	2852	1e818621e629bc06a70b61ca7a68f5a77a26b6010e84c769091c64a0dfdf5adc.exe	28
PID 2852 wrote to memory of 1452	2852	1e818621e629bc06a70b61ca7a68f5a77a26b6010e84c769091c64a0dfdf5adc.exe	28
PID 2852 wrote to memory of 1452	2852	1e818621e629bc06a70b61ca7a68f5a77a26b6010e84c769091c64a0dfdf5adc.exe	28
PID 2852 wrote to memory of 1452	2852	1e818621e629bc06a70b61ca7a68f5a77a26b6010e84c769091c64a0dfdf5adc.exe	28
PID 2852 wrote to memory of 1452	2852	1e818621e629bc06a70b61ca7a68f5a77a26b6010e84c769091c64a0dfdf5adc.exe	28
PID 2852 wrote to memory of 1452	2852	1e818621e629bc06a70b61ca7a68f5a77a26b6010e84c769091c64a0dfdf5adc.exe	28
PID 2852 wrote to memory of 1452	2852	1e818621e629bc06a70b61ca7a68f5a77a26b6010e84c769091c64a0dfdf5adc.exe	28
PID 2852 wrote to memory of 1452	2852	1e818621e629bc06a70b61ca7a68f5a77a26b6010e84c769091c64a0dfdf5adc.exe	28
PID 2852 wrote to memory of 1452	2852	1e818621e629bc06a70b61ca7a68f5a77a26b6010e84c769091c64a0dfdf5adc.exe	28
PID 2852 wrote to memory of 1452	2852	1e818621e629bc06a70b61ca7a68f5a77a26b6010e84c769091c64a0dfdf5adc.exe	28
PID 2852 wrote to memory of 1452	2852	1e818621e629bc06a70b61ca7a68f5a77a26b6010e84c769091c64a0dfdf5adc.exe	28
PID 2852 wrote to memory of 1452	2852	1e818621e629bc06a70b61ca7a68f5a77a26b6010e84c769091c64a0dfdf5adc.exe	28
PID 2852 wrote to memory of 1452	2852	1e818621e629bc06a70b61ca7a68f5a77a26b6010e84c769091c64a0dfdf5adc.exe	28
PID 2852 wrote to memory of 1452	2852	1e818621e629bc06a70b61ca7a68f5a77a26b6010e84c769091c64a0dfdf5adc.exe	28
PID 2852 wrote to memory of 1100	2852	1e818621e629bc06a70b61ca7a68f5a77a26b6010e84c769091c64a0dfdf5adc.exe	29
PID 2852 wrote to memory of 1100	2852	1e818621e629bc06a70b61ca7a68f5a77a26b6010e84c769091c64a0dfdf5adc.exe	29
PID 2852 wrote to memory of 1100	2852	1e818621e629bc06a70b61ca7a68f5a77a26b6010e84c769091c64a0dfdf5adc.exe	29
PID 2852 wrote to memory of 1100	2852	1e818621e629bc06a70b61ca7a68f5a77a26b6010e84c769091c64a0dfdf5adc.exe	29
PID 1452 wrote to memory of 2776	1452	AppLaunch.exe	30
PID 1452 wrote to memory of 2776	1452	AppLaunch.exe	30
PID 1452 wrote to memory of 2776	1452	AppLaunch.exe	30
PID 1452 wrote to memory of 2776	1452	AppLaunch.exe	30
PID 1452 wrote to memory of 2776	1452	AppLaunch.exe	30
PID 1452 wrote to memory of 2776	1452	AppLaunch.exe	30
PID 1452 wrote to memory of 2776	1452	AppLaunch.exe	30

C:\Users\Admin\AppData\Local\Temp\1e818621e629bc06a70b61ca7a68f5a77a26b6010e84c769091c64a0dfdf5adc.exe
"C:\Users\Admin\AppData\Local\Temp\1e818621e629bc06a70b61ca7a68f5a77a26b6010e84c769091c64a0dfdf5adc.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2852
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1452
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1452 -s 196
    3⤵
    - Program crash
    PID:2776
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 92
  2⤵
  - Program crash
  PID:1100

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1452-0-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1452-1-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1452-2-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1452-3-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1452-4-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1452-5-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1452-6-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/1452-7-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1452-9-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1452-11-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads