mystic | b8d2e06474042a1100affefeea7f773f0e3cef79b3ae0dcdd91b70bf2787ff43

General

Target

b8d2e06474042a1100affefeea7f773f0e3cef79b3ae0dcdd91b70bf2787ff43.exe
Size

364KB
MD5

5d9d5a2813ecc735b2d14bf713d1d3d2
SHA1

3ace9b76afff0144385f0f3dff38beb8b55e733a
SHA256

b8d2e06474042a1100affefeea7f773f0e3cef79b3ae0dcdd91b70bf2787ff43
SHA512

a58c183421e91ef47a29ba3826dac3f93b8b85bd8444159c2461a2c50e342ea1f1b25f7be28f72e270ade53c7136dfeccb67075d74c7694f76511d957b3362d3
SSDEEP

6144:/VXAxlt3fuPgyxhV5dAOILRScnYqgljBrwpoPGCH:/2xltWTSLR6qgvwQGCH

Score

10^/10

Malware Config

Signatures

Detect Mystic stealer payload 6 IoCs

resource	yara_rule
behavioral1/memory/2240-3-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/2240-4-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/2240-5-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/2240-7-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/2240-9-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/2240-11-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1760 set thread context of 2240	1760	b8d2e06474042a1100affefeea7f773f0e3cef79b3ae0dcdd91b70bf2787ff43.exe	28

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3064	1760	WerFault.exe	27
2108	2240	WerFault.exe	28

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 1760 wrote to memory of 2240	1760	b8d2e06474042a1100affefeea7f773f0e3cef79b3ae0dcdd91b70bf2787ff43.exe	28
PID 1760 wrote to memory of 2240	1760	b8d2e06474042a1100affefeea7f773f0e3cef79b3ae0dcdd91b70bf2787ff43.exe	28
PID 1760 wrote to memory of 2240	1760	b8d2e06474042a1100affefeea7f773f0e3cef79b3ae0dcdd91b70bf2787ff43.exe	28
PID 1760 wrote to memory of 2240	1760	b8d2e06474042a1100affefeea7f773f0e3cef79b3ae0dcdd91b70bf2787ff43.exe	28
PID 1760 wrote to memory of 2240	1760	b8d2e06474042a1100affefeea7f773f0e3cef79b3ae0dcdd91b70bf2787ff43.exe	28
PID 1760 wrote to memory of 2240	1760	b8d2e06474042a1100affefeea7f773f0e3cef79b3ae0dcdd91b70bf2787ff43.exe	28
PID 1760 wrote to memory of 2240	1760	b8d2e06474042a1100affefeea7f773f0e3cef79b3ae0dcdd91b70bf2787ff43.exe	28
PID 1760 wrote to memory of 2240	1760	b8d2e06474042a1100affefeea7f773f0e3cef79b3ae0dcdd91b70bf2787ff43.exe	28
PID 1760 wrote to memory of 2240	1760	b8d2e06474042a1100affefeea7f773f0e3cef79b3ae0dcdd91b70bf2787ff43.exe	28
PID 1760 wrote to memory of 2240	1760	b8d2e06474042a1100affefeea7f773f0e3cef79b3ae0dcdd91b70bf2787ff43.exe	28
PID 1760 wrote to memory of 2240	1760	b8d2e06474042a1100affefeea7f773f0e3cef79b3ae0dcdd91b70bf2787ff43.exe	28
PID 1760 wrote to memory of 2240	1760	b8d2e06474042a1100affefeea7f773f0e3cef79b3ae0dcdd91b70bf2787ff43.exe	28
PID 1760 wrote to memory of 2240	1760	b8d2e06474042a1100affefeea7f773f0e3cef79b3ae0dcdd91b70bf2787ff43.exe	28
PID 1760 wrote to memory of 2240	1760	b8d2e06474042a1100affefeea7f773f0e3cef79b3ae0dcdd91b70bf2787ff43.exe	28
PID 1760 wrote to memory of 3064	1760	b8d2e06474042a1100affefeea7f773f0e3cef79b3ae0dcdd91b70bf2787ff43.exe	29
PID 1760 wrote to memory of 3064	1760	b8d2e06474042a1100affefeea7f773f0e3cef79b3ae0dcdd91b70bf2787ff43.exe	29
PID 1760 wrote to memory of 3064	1760	b8d2e06474042a1100affefeea7f773f0e3cef79b3ae0dcdd91b70bf2787ff43.exe	29
PID 1760 wrote to memory of 3064	1760	b8d2e06474042a1100affefeea7f773f0e3cef79b3ae0dcdd91b70bf2787ff43.exe	29
PID 2240 wrote to memory of 2108	2240	AppLaunch.exe	30
PID 2240 wrote to memory of 2108	2240	AppLaunch.exe	30
PID 2240 wrote to memory of 2108	2240	AppLaunch.exe	30
PID 2240 wrote to memory of 2108	2240	AppLaunch.exe	30
PID 2240 wrote to memory of 2108	2240	AppLaunch.exe	30
PID 2240 wrote to memory of 2108	2240	AppLaunch.exe	30
PID 2240 wrote to memory of 2108	2240	AppLaunch.exe	30

C:\Users\Admin\AppData\Local\Temp\b8d2e06474042a1100affefeea7f773f0e3cef79b3ae0dcdd91b70bf2787ff43.exe
"C:\Users\Admin\AppData\Local\Temp\b8d2e06474042a1100affefeea7f773f0e3cef79b3ae0dcdd91b70bf2787ff43.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1760
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2240
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2240 -s 196
    3⤵
    - Program crash
    PID:2108
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 92
  2⤵
  - Program crash
  PID:3064

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2240-0-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2240-1-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2240-2-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2240-3-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2240-4-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2240-5-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2240-7-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2240-6-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2240-9-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2240-11-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads