mystic | 8653efc33615e4cd6946f561ebde231f0c963988ba91098513f9985345ae2385

Analysis

max time kernel
151s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
12/10/2023, 15:24

Target

file.exe
Size

365KB
MD5

fb22311cb9af3404ce472c9bc4d52ed9
SHA1

cdcc4f8429ef3d9b70341db059af38648a8982de
SHA256

8653efc33615e4cd6946f561ebde231f0c963988ba91098513f9985345ae2385
SHA512

fdebc02e7da9bce11227cc58c8b45576f1c8dcfff9471eae534d8969bdd0169e03e633137995e555e83877ca54591dcaf823e484d51aced4813dc313cd2070f0
SSDEEP

6144:HQ3jE82jicP5iOo2T8VrSd/sUAOdUlHd5YQc3B3m7vjUVEaVRaAlEXZ41Sa:HQ3xqiG59ouXUtHskgVEaVRwe1Sa

Score

10^/10

mystic stealer

Detect Mystic stealer payload 5 IoCs

resource	yara_rule
behavioral2/memory/4512-0-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/4512-1-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/4512-2-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/4512-3-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/4512-4-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4412 set thread context of 4512	4412	file.exe	84

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 4412 wrote to memory of 4512	4412	file.exe	84
PID 4412 wrote to memory of 4512	4412	file.exe	84
PID 4412 wrote to memory of 4512	4412	file.exe	84
PID 4412 wrote to memory of 4512	4412	file.exe	84
PID 4412 wrote to memory of 4512	4412	file.exe	84
PID 4412 wrote to memory of 4512	4412	file.exe	84
PID 4412 wrote to memory of 4512	4412	file.exe	84
PID 4412 wrote to memory of 4512	4412	file.exe	84
PID 4412 wrote to memory of 4512	4412	file.exe	84
PID 4412 wrote to memory of 4512	4412	file.exe	84

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4412
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:4512

memory/4512-0-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4512-1-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4512-2-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4512-3-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4512-4-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download