mystic | 1cf94f3a5941709a35527aaf5f1d731e4fcfecd9ad578e59a1439517b3215da1

General

Target

1cf94f3a5941709a35527aaf5f1d731e4fcfecd9ad578e59a1439517b3215da1.exe
Size

380KB
MD5

0cf15a89f9f6e02ab9aaeafc7816a79e
SHA1

5c1d39b5e8675823ed307134e657111e52db70ff
SHA256

1cf94f3a5941709a35527aaf5f1d731e4fcfecd9ad578e59a1439517b3215da1
SHA512

265e319bc042a648165c02924d54dce016e86ddbcc93b81be813936029706b40e7cea95cf8bc1a76c13933ba5213d0ccd27287e23777bd8c2f81f12e703a627d
SSDEEP

6144:olPYhHX110KwTVSf3pOCq5b6uAOsUQSiGBs60GIyzQICQDL0S7qwm:olP+3110dVaUcuWPjGtzPCpwm

Score

10^/10

Malware Config

Signatures

Detect Mystic stealer payload 6 IoCs

resource	yara_rule
behavioral1/memory/2208-4-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/2208-3-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/2208-5-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/2208-7-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/2208-9-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/2208-11-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1272 set thread context of 2208	1272	1cf94f3a5941709a35527aaf5f1d731e4fcfecd9ad578e59a1439517b3215da1.exe	28

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2368	1272	WerFault.exe	24
2656	2208	WerFault.exe	28

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 1272 wrote to memory of 2208	1272	1cf94f3a5941709a35527aaf5f1d731e4fcfecd9ad578e59a1439517b3215da1.exe	28
PID 1272 wrote to memory of 2208	1272	1cf94f3a5941709a35527aaf5f1d731e4fcfecd9ad578e59a1439517b3215da1.exe	28
PID 1272 wrote to memory of 2208	1272	1cf94f3a5941709a35527aaf5f1d731e4fcfecd9ad578e59a1439517b3215da1.exe	28
PID 1272 wrote to memory of 2208	1272	1cf94f3a5941709a35527aaf5f1d731e4fcfecd9ad578e59a1439517b3215da1.exe	28
PID 1272 wrote to memory of 2208	1272	1cf94f3a5941709a35527aaf5f1d731e4fcfecd9ad578e59a1439517b3215da1.exe	28
PID 1272 wrote to memory of 2208	1272	1cf94f3a5941709a35527aaf5f1d731e4fcfecd9ad578e59a1439517b3215da1.exe	28
PID 1272 wrote to memory of 2208	1272	1cf94f3a5941709a35527aaf5f1d731e4fcfecd9ad578e59a1439517b3215da1.exe	28
PID 1272 wrote to memory of 2208	1272	1cf94f3a5941709a35527aaf5f1d731e4fcfecd9ad578e59a1439517b3215da1.exe	28
PID 1272 wrote to memory of 2208	1272	1cf94f3a5941709a35527aaf5f1d731e4fcfecd9ad578e59a1439517b3215da1.exe	28
PID 1272 wrote to memory of 2208	1272	1cf94f3a5941709a35527aaf5f1d731e4fcfecd9ad578e59a1439517b3215da1.exe	28
PID 1272 wrote to memory of 2208	1272	1cf94f3a5941709a35527aaf5f1d731e4fcfecd9ad578e59a1439517b3215da1.exe	28
PID 1272 wrote to memory of 2208	1272	1cf94f3a5941709a35527aaf5f1d731e4fcfecd9ad578e59a1439517b3215da1.exe	28
PID 1272 wrote to memory of 2208	1272	1cf94f3a5941709a35527aaf5f1d731e4fcfecd9ad578e59a1439517b3215da1.exe	28
PID 1272 wrote to memory of 2208	1272	1cf94f3a5941709a35527aaf5f1d731e4fcfecd9ad578e59a1439517b3215da1.exe	28
PID 1272 wrote to memory of 2368	1272	1cf94f3a5941709a35527aaf5f1d731e4fcfecd9ad578e59a1439517b3215da1.exe	29
PID 1272 wrote to memory of 2368	1272	1cf94f3a5941709a35527aaf5f1d731e4fcfecd9ad578e59a1439517b3215da1.exe	29
PID 1272 wrote to memory of 2368	1272	1cf94f3a5941709a35527aaf5f1d731e4fcfecd9ad578e59a1439517b3215da1.exe	29
PID 1272 wrote to memory of 2368	1272	1cf94f3a5941709a35527aaf5f1d731e4fcfecd9ad578e59a1439517b3215da1.exe	29
PID 2208 wrote to memory of 2656	2208	AppLaunch.exe	30
PID 2208 wrote to memory of 2656	2208	AppLaunch.exe	30
PID 2208 wrote to memory of 2656	2208	AppLaunch.exe	30
PID 2208 wrote to memory of 2656	2208	AppLaunch.exe	30
PID 2208 wrote to memory of 2656	2208	AppLaunch.exe	30
PID 2208 wrote to memory of 2656	2208	AppLaunch.exe	30
PID 2208 wrote to memory of 2656	2208	AppLaunch.exe	30

C:\Users\Admin\AppData\Local\Temp\1cf94f3a5941709a35527aaf5f1d731e4fcfecd9ad578e59a1439517b3215da1.exe
"C:\Users\Admin\AppData\Local\Temp\1cf94f3a5941709a35527aaf5f1d731e4fcfecd9ad578e59a1439517b3215da1.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1272
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2208
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2208 -s 196
    3⤵
    - Program crash
    PID:2656
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1272 -s 52
  2⤵
  - Program crash
  PID:2368

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2208-0-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2208-1-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2208-4-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2208-3-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2208-2-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2208-5-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2208-6-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2208-7-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2208-9-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2208-11-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads