mystic | 711bde7c76b85bfafb8b6d96d9dbf73c64e3d993802aab12e8dba97a0b68b5b9

General

Target

711bde7c76b85bfafb8b6d96d9dbf73c64e3d993802aab12e8dba97a0b68b5b9.exe
Size

379KB
MD5

a1db3f1900560617e51efc6fc61444ee
SHA1

6fcef0e69ae96e06bce7e437b0b5536357688856
SHA256

711bde7c76b85bfafb8b6d96d9dbf73c64e3d993802aab12e8dba97a0b68b5b9
SHA512

8cdd36d939142847facf7c65dc35dd91eecef0b52005d13b81f7d71c26f8dfccd30f14075a210ea727011c8f8164fd157b1d1a72782fbf678decb6c8c371d678
SSDEEP

6144:NpTcRgs3r9vIum2Tg0N63KAO3LPv6cum6VXkGM/Fu/iaOhQL8PCg3F:NpoRP3r9Hme1WTm6VXkGM/ILE3F

Score

10^/10

Malware Config

Signatures

Detect Mystic stealer payload 6 IoCs

resource	yara_rule
behavioral1/memory/2488-3-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/2488-4-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/2488-5-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/2488-7-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/2488-9-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/2488-11-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2200 set thread context of 2488	2200	711bde7c76b85bfafb8b6d96d9dbf73c64e3d993802aab12e8dba97a0b68b5b9.exe	28

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2444	2200	WerFault.exe	23
1908	2488	WerFault.exe	28

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2200 wrote to memory of 2488	2200	711bde7c76b85bfafb8b6d96d9dbf73c64e3d993802aab12e8dba97a0b68b5b9.exe	28
PID 2200 wrote to memory of 2488	2200	711bde7c76b85bfafb8b6d96d9dbf73c64e3d993802aab12e8dba97a0b68b5b9.exe	28
PID 2200 wrote to memory of 2488	2200	711bde7c76b85bfafb8b6d96d9dbf73c64e3d993802aab12e8dba97a0b68b5b9.exe	28
PID 2200 wrote to memory of 2488	2200	711bde7c76b85bfafb8b6d96d9dbf73c64e3d993802aab12e8dba97a0b68b5b9.exe	28
PID 2200 wrote to memory of 2488	2200	711bde7c76b85bfafb8b6d96d9dbf73c64e3d993802aab12e8dba97a0b68b5b9.exe	28
PID 2200 wrote to memory of 2488	2200	711bde7c76b85bfafb8b6d96d9dbf73c64e3d993802aab12e8dba97a0b68b5b9.exe	28
PID 2200 wrote to memory of 2488	2200	711bde7c76b85bfafb8b6d96d9dbf73c64e3d993802aab12e8dba97a0b68b5b9.exe	28
PID 2200 wrote to memory of 2488	2200	711bde7c76b85bfafb8b6d96d9dbf73c64e3d993802aab12e8dba97a0b68b5b9.exe	28
PID 2200 wrote to memory of 2488	2200	711bde7c76b85bfafb8b6d96d9dbf73c64e3d993802aab12e8dba97a0b68b5b9.exe	28
PID 2200 wrote to memory of 2488	2200	711bde7c76b85bfafb8b6d96d9dbf73c64e3d993802aab12e8dba97a0b68b5b9.exe	28
PID 2200 wrote to memory of 2488	2200	711bde7c76b85bfafb8b6d96d9dbf73c64e3d993802aab12e8dba97a0b68b5b9.exe	28
PID 2200 wrote to memory of 2488	2200	711bde7c76b85bfafb8b6d96d9dbf73c64e3d993802aab12e8dba97a0b68b5b9.exe	28
PID 2200 wrote to memory of 2488	2200	711bde7c76b85bfafb8b6d96d9dbf73c64e3d993802aab12e8dba97a0b68b5b9.exe	28
PID 2200 wrote to memory of 2488	2200	711bde7c76b85bfafb8b6d96d9dbf73c64e3d993802aab12e8dba97a0b68b5b9.exe	28
PID 2200 wrote to memory of 2444	2200	711bde7c76b85bfafb8b6d96d9dbf73c64e3d993802aab12e8dba97a0b68b5b9.exe	29
PID 2200 wrote to memory of 2444	2200	711bde7c76b85bfafb8b6d96d9dbf73c64e3d993802aab12e8dba97a0b68b5b9.exe	29
PID 2200 wrote to memory of 2444	2200	711bde7c76b85bfafb8b6d96d9dbf73c64e3d993802aab12e8dba97a0b68b5b9.exe	29
PID 2200 wrote to memory of 2444	2200	711bde7c76b85bfafb8b6d96d9dbf73c64e3d993802aab12e8dba97a0b68b5b9.exe	29
PID 2488 wrote to memory of 1908	2488	AppLaunch.exe	30
PID 2488 wrote to memory of 1908	2488	AppLaunch.exe	30
PID 2488 wrote to memory of 1908	2488	AppLaunch.exe	30
PID 2488 wrote to memory of 1908	2488	AppLaunch.exe	30
PID 2488 wrote to memory of 1908	2488	AppLaunch.exe	30
PID 2488 wrote to memory of 1908	2488	AppLaunch.exe	30
PID 2488 wrote to memory of 1908	2488	AppLaunch.exe	30

C:\Users\Admin\AppData\Local\Temp\711bde7c76b85bfafb8b6d96d9dbf73c64e3d993802aab12e8dba97a0b68b5b9.exe
"C:\Users\Admin\AppData\Local\Temp\711bde7c76b85bfafb8b6d96d9dbf73c64e3d993802aab12e8dba97a0b68b5b9.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2200
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2488
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2488 -s 196
    3⤵
    - Program crash
    PID:1908
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 92
  2⤵
  - Program crash
  PID:2444

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2488-0-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2488-1-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2488-2-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2488-3-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2488-4-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2488-5-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2488-6-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2488-7-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2488-9-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2488-11-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads