mystic | 202f6a05ecc2cc94814fdec0df5d344e39f3852645c9cc3e44d5455ec5ea1cca

General

Target

202f6a05ecc2cc94814fdec0df5d344e39f3852645c9cc3e44d5455ec5ea1cca.exe
Size

379KB
MD5

e5f37c200de30f69d7e82c87f447686d
SHA1

312cde28218ce1d7bf931926d6528bb6e5892f1a
SHA256

202f6a05ecc2cc94814fdec0df5d344e39f3852645c9cc3e44d5455ec5ea1cca
SHA512

a72c4c351e0d7aa82dcb69b921aab4a45e3409588f2205d0948b8793ad333904cd084699b2a94e37d8a3dec15278203aecb4513db9187c0244677b3355a233d4
SSDEEP

6144:GlKcRgs3r9vIum2Tg0N63KAOQy9m6rRl0Q02tWrGt4SD2v0LB6wWwhHbjbTWUFgV:GlxRP3r9Hme6mOBAWq60F6IO3F

Score

10^/10

Malware Config

Signatures

Detect Mystic stealer payload 6 IoCs

resource	yara_rule
behavioral1/memory/2640-3-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/2640-4-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/2640-5-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/2640-7-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/2640-9-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/2640-11-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2648 set thread context of 2640	2648	202f6a05ecc2cc94814fdec0df5d344e39f3852645c9cc3e44d5455ec5ea1cca.exe	27

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2720	2648	WerFault.exe	15
368	2640	WerFault.exe	27

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2648 wrote to memory of 2640	2648	202f6a05ecc2cc94814fdec0df5d344e39f3852645c9cc3e44d5455ec5ea1cca.exe	27
PID 2648 wrote to memory of 2640	2648	202f6a05ecc2cc94814fdec0df5d344e39f3852645c9cc3e44d5455ec5ea1cca.exe	27
PID 2648 wrote to memory of 2640	2648	202f6a05ecc2cc94814fdec0df5d344e39f3852645c9cc3e44d5455ec5ea1cca.exe	27
PID 2648 wrote to memory of 2640	2648	202f6a05ecc2cc94814fdec0df5d344e39f3852645c9cc3e44d5455ec5ea1cca.exe	27
PID 2648 wrote to memory of 2640	2648	202f6a05ecc2cc94814fdec0df5d344e39f3852645c9cc3e44d5455ec5ea1cca.exe	27
PID 2648 wrote to memory of 2640	2648	202f6a05ecc2cc94814fdec0df5d344e39f3852645c9cc3e44d5455ec5ea1cca.exe	27
PID 2648 wrote to memory of 2640	2648	202f6a05ecc2cc94814fdec0df5d344e39f3852645c9cc3e44d5455ec5ea1cca.exe	27
PID 2648 wrote to memory of 2640	2648	202f6a05ecc2cc94814fdec0df5d344e39f3852645c9cc3e44d5455ec5ea1cca.exe	27
PID 2648 wrote to memory of 2640	2648	202f6a05ecc2cc94814fdec0df5d344e39f3852645c9cc3e44d5455ec5ea1cca.exe	27
PID 2648 wrote to memory of 2640	2648	202f6a05ecc2cc94814fdec0df5d344e39f3852645c9cc3e44d5455ec5ea1cca.exe	27
PID 2648 wrote to memory of 2640	2648	202f6a05ecc2cc94814fdec0df5d344e39f3852645c9cc3e44d5455ec5ea1cca.exe	27
PID 2648 wrote to memory of 2640	2648	202f6a05ecc2cc94814fdec0df5d344e39f3852645c9cc3e44d5455ec5ea1cca.exe	27
PID 2648 wrote to memory of 2640	2648	202f6a05ecc2cc94814fdec0df5d344e39f3852645c9cc3e44d5455ec5ea1cca.exe	27
PID 2648 wrote to memory of 2640	2648	202f6a05ecc2cc94814fdec0df5d344e39f3852645c9cc3e44d5455ec5ea1cca.exe	27
PID 2648 wrote to memory of 2720	2648	202f6a05ecc2cc94814fdec0df5d344e39f3852645c9cc3e44d5455ec5ea1cca.exe	28
PID 2648 wrote to memory of 2720	2648	202f6a05ecc2cc94814fdec0df5d344e39f3852645c9cc3e44d5455ec5ea1cca.exe	28
PID 2648 wrote to memory of 2720	2648	202f6a05ecc2cc94814fdec0df5d344e39f3852645c9cc3e44d5455ec5ea1cca.exe	28
PID 2648 wrote to memory of 2720	2648	202f6a05ecc2cc94814fdec0df5d344e39f3852645c9cc3e44d5455ec5ea1cca.exe	28
PID 2640 wrote to memory of 368	2640	AppLaunch.exe	29
PID 2640 wrote to memory of 368	2640	AppLaunch.exe	29
PID 2640 wrote to memory of 368	2640	AppLaunch.exe	29
PID 2640 wrote to memory of 368	2640	AppLaunch.exe	29
PID 2640 wrote to memory of 368	2640	AppLaunch.exe	29
PID 2640 wrote to memory of 368	2640	AppLaunch.exe	29
PID 2640 wrote to memory of 368	2640	AppLaunch.exe	29

C:\Users\Admin\AppData\Local\Temp\202f6a05ecc2cc94814fdec0df5d344e39f3852645c9cc3e44d5455ec5ea1cca.exe
"C:\Users\Admin\AppData\Local\Temp\202f6a05ecc2cc94814fdec0df5d344e39f3852645c9cc3e44d5455ec5ea1cca.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2648
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2640
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2640 -s 196
    3⤵
    - Program crash
    PID:368
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2648 -s 92
  2⤵
  - Program crash
  PID:2720

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2640-0-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2640-1-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2640-2-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2640-3-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2640-4-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2640-5-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2640-6-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2640-7-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2640-9-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2640-11-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads