mystic | e520b22a1beaa0fed00c3f72263ae9b0037bdd568bf0792199e027b6a5b20c9f

Analysis

max time kernel
139s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
12/10/2023, 14:53

Target

file.exe
Size

365KB
MD5

4039b8b64e45056eaabd6b051d56c4d3
SHA1

466e305ba81a1b1b755c7065f07d8e06e61a5f02
SHA256

e520b22a1beaa0fed00c3f72263ae9b0037bdd568bf0792199e027b6a5b20c9f
SHA512

4b91a7c28b477411340f0fe54e16b60942ece8df276344eecc59d6628547818f09ab9885ebf5ada36df0f2b1f54278c1d7daabaf7d2a1cf973438454e2a0ecb5
SSDEEP

6144:AJKjEr2jicP5iOo2T8VrSd/sUAOeUl4Ta/tNGsvW7CvoMv8i3XU0Yr71Sa:AJKqqiG59ou8UBU7CvDL3E0s71Sa

Score

10^/10

mystic stealer

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral2/memory/4140-0-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/4140-1-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/4140-3-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/4140-2-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5020 set thread context of 4140	5020	file.exe	86

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 5020 wrote to memory of 4536	5020	file.exe	84
PID 5020 wrote to memory of 4536	5020	file.exe	84
PID 5020 wrote to memory of 4536	5020	file.exe	84
PID 5020 wrote to memory of 3012	5020	file.exe	85
PID 5020 wrote to memory of 3012	5020	file.exe	85
PID 5020 wrote to memory of 3012	5020	file.exe	85
PID 5020 wrote to memory of 4140	5020	file.exe	86
PID 5020 wrote to memory of 4140	5020	file.exe	86
PID 5020 wrote to memory of 4140	5020	file.exe	86
PID 5020 wrote to memory of 4140	5020	file.exe	86
PID 5020 wrote to memory of 4140	5020	file.exe	86
PID 5020 wrote to memory of 4140	5020	file.exe	86
PID 5020 wrote to memory of 4140	5020	file.exe	86
PID 5020 wrote to memory of 4140	5020	file.exe	86
PID 5020 wrote to memory of 4140	5020	file.exe	86
PID 5020 wrote to memory of 4140	5020	file.exe	86

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5020
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:4536
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:3012
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:4140

memory/4140-0-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4140-1-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4140-3-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4140-2-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4140-4-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download