mystic | 4379dad75ad2b90064e521210188148237a4cbf61b24b8b0ee75e11fe27fadec

Analysis

max time kernel
139s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2023, 20:26

Target

g1922773.exe
Size

380KB
MD5

db379c6dc105efb8e9cab0ce9dbcabcb
SHA1

2db15ba397d4446ab10f3e2c10f40b392c7102d3
SHA256

4379dad75ad2b90064e521210188148237a4cbf61b24b8b0ee75e11fe27fadec
SHA512

816b979881dc2e1cf4940b88d75a4705fa69b905f99562dba97e5b96a7909b6548d958ce20d71779d15d5d31d2903c46cf07decfa46819ce63cd44bfa0c1d0f1
SSDEEP

6144:0lPchHX110KwTVSf3pOCq5b6uAOQ5Q33LoEKTNoUcFqwm:0lPi3110dVaUcu6+kRWowm

Score

10^/10

mystic stealer

Family

mystic

http://5.42.92.211/loghub/master

Detect Mystic stealer payload 6 IoCs

resource	yara_rule
behavioral2/memory/4948-0-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/4948-1-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/4948-2-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/4948-3-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/4948-4-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/4948-5-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3276 set thread context of 4948	3276	g1922773.exe	87

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3212	3276	WerFault.exe	84

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 3276 wrote to memory of 2116	3276	g1922773.exe	86
PID 3276 wrote to memory of 2116	3276	g1922773.exe	86
PID 3276 wrote to memory of 2116	3276	g1922773.exe	86
PID 3276 wrote to memory of 4948	3276	g1922773.exe	87
PID 3276 wrote to memory of 4948	3276	g1922773.exe	87
PID 3276 wrote to memory of 4948	3276	g1922773.exe	87
PID 3276 wrote to memory of 4948	3276	g1922773.exe	87
PID 3276 wrote to memory of 4948	3276	g1922773.exe	87
PID 3276 wrote to memory of 4948	3276	g1922773.exe	87
PID 3276 wrote to memory of 4948	3276	g1922773.exe	87
PID 3276 wrote to memory of 4948	3276	g1922773.exe	87
PID 3276 wrote to memory of 4948	3276	g1922773.exe	87
PID 3276 wrote to memory of 4948	3276	g1922773.exe	87

C:\Users\Admin\AppData\Local\Temp\g1922773.exe
"C:\Users\Admin\AppData\Local\Temp\g1922773.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3276
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:2116
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:4948
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3276 -s 268
  2⤵
  - Program crash
  PID:3212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3276 -ip 3276
1⤵
PID:1120

memory/4948-0-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4948-1-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4948-2-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4948-3-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4948-4-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4948-5-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download