mystic | fda5104a0d4389470df10405124acd288388d947b3319fff1603fd0b228c8331

Analysis

max time kernel
122s
max time network
126s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
12/10/2023, 23:48

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

fda5104a0d4389470df10405124acd288388d947b3319fff1603fd0b228c8331.exe
Size

359KB
MD5

a5e64ecc172415defe738474a38a5a2e
SHA1

5c2a07148650355d2871109a2665733abd64d44e
SHA256

fda5104a0d4389470df10405124acd288388d947b3319fff1603fd0b228c8331
SHA512

e4dcbbf3fcd25e9fed947b7d2182bfc604aa9dab88e507c3cf59db651f655f4ad550f18128764e1e3915fed4a6e64b017b1bebab2b0f87148ca60bf06f71fb45
SSDEEP

6144:kv3aNJ/tWwk8XhkeP+jUPwVAOel1fXGOiqTECoEtYuQnXxIrDjXdqV8Ey:kvq//tWpJRYT3RTEstwnBWjXdi8Ey

Score

10^/10

mystic stealer

Malware Config

Signatures

Detect Mystic stealer payload 6 IoCs

resource	yara_rule
behavioral1/memory/2824-4-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/2824-5-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/2824-3-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/2824-7-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/2824-9-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/2824-11-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1856 set thread context of 2824	1856	fda5104a0d4389470df10405124acd288388d947b3319fff1603fd0b228c8331.exe	29

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2632	2824	WerFault.exe	29

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1856 wrote to memory of 2824	1856	fda5104a0d4389470df10405124acd288388d947b3319fff1603fd0b228c8331.exe	29
PID 1856 wrote to memory of 2824	1856	fda5104a0d4389470df10405124acd288388d947b3319fff1603fd0b228c8331.exe	29
PID 1856 wrote to memory of 2824	1856	fda5104a0d4389470df10405124acd288388d947b3319fff1603fd0b228c8331.exe	29
PID 1856 wrote to memory of 2824	1856	fda5104a0d4389470df10405124acd288388d947b3319fff1603fd0b228c8331.exe	29
PID 1856 wrote to memory of 2824	1856	fda5104a0d4389470df10405124acd288388d947b3319fff1603fd0b228c8331.exe	29
PID 1856 wrote to memory of 2824	1856	fda5104a0d4389470df10405124acd288388d947b3319fff1603fd0b228c8331.exe	29
PID 1856 wrote to memory of 2824	1856	fda5104a0d4389470df10405124acd288388d947b3319fff1603fd0b228c8331.exe	29
PID 1856 wrote to memory of 2824	1856	fda5104a0d4389470df10405124acd288388d947b3319fff1603fd0b228c8331.exe	29
PID 1856 wrote to memory of 2824	1856	fda5104a0d4389470df10405124acd288388d947b3319fff1603fd0b228c8331.exe	29
PID 1856 wrote to memory of 2824	1856	fda5104a0d4389470df10405124acd288388d947b3319fff1603fd0b228c8331.exe	29
PID 1856 wrote to memory of 2824	1856	fda5104a0d4389470df10405124acd288388d947b3319fff1603fd0b228c8331.exe	29
PID 1856 wrote to memory of 2824	1856	fda5104a0d4389470df10405124acd288388d947b3319fff1603fd0b228c8331.exe	29
PID 1856 wrote to memory of 2824	1856	fda5104a0d4389470df10405124acd288388d947b3319fff1603fd0b228c8331.exe	29
PID 1856 wrote to memory of 2824	1856	fda5104a0d4389470df10405124acd288388d947b3319fff1603fd0b228c8331.exe	29
PID 2824 wrote to memory of 2632	2824	AppLaunch.exe	30
PID 2824 wrote to memory of 2632	2824	AppLaunch.exe	30
PID 2824 wrote to memory of 2632	2824	AppLaunch.exe	30
PID 2824 wrote to memory of 2632	2824	AppLaunch.exe	30
PID 2824 wrote to memory of 2632	2824	AppLaunch.exe	30
PID 2824 wrote to memory of 2632	2824	AppLaunch.exe	30
PID 2824 wrote to memory of 2632	2824	AppLaunch.exe	30

C:\Users\Admin\AppData\Local\Temp\fda5104a0d4389470df10405124acd288388d947b3319fff1603fd0b228c8331.exe
"C:\Users\Admin\AppData\Local\Temp\fda5104a0d4389470df10405124acd288388d947b3319fff1603fd0b228c8331.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1856
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2824
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2824 -s 196
    3⤵
    - Program crash
    PID:2632

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2824-1-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2824-0-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2824-4-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2824-5-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2824-3-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2824-2-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2824-7-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2824-6-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2824-9-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2824-11-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads