mystic | b5255f6a452c09e32bf6a877027aef8aecfc3b5b967103da5ffe8ac64d419289

Analysis

max time kernel
122s
max time network
128s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
13/10/2023, 04:14

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b5255f6a452c09e32bf6a877027aef8aecfc3b5b967103da5ffe8ac64d419289.exe
Size

358KB
MD5

daf15e8853534e41bb001b66439d9632
SHA1

9c626eb5bfc9ac658eb65fd40e3d37017aaf227b
SHA256

b5255f6a452c09e32bf6a877027aef8aecfc3b5b967103da5ffe8ac64d419289
SHA512

83a826d7368f7cb8686b28d2b57fb30d5d70228e907ea41ad8bdffe0445c8f86fda220d20982c0a04b1cd01907721a118ddacc95ae77ddb49f88c3800abbd2f5
SSDEEP

6144:K/2XR/bOEHHkwxOSeyCKrJz4AOR8CDfAT7dUXN9wg5Hsrp3K8fi:+2X1aEHEw94XjEdQNf8c8fi

Score

10^/10

mystic stealer

Malware Config

Signatures

Detect Mystic stealer payload 6 IoCs

resource	yara_rule
behavioral1/memory/2668-3-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/2668-4-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/2668-5-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/2668-7-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/2668-9-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/2668-11-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2236 set thread context of 2668	2236	b5255f6a452c09e32bf6a877027aef8aecfc3b5b967103da5ffe8ac64d419289.exe	29

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2760	2668	WerFault.exe	29

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 2668	2236	b5255f6a452c09e32bf6a877027aef8aecfc3b5b967103da5ffe8ac64d419289.exe	29
PID 2236 wrote to memory of 2668	2236	b5255f6a452c09e32bf6a877027aef8aecfc3b5b967103da5ffe8ac64d419289.exe	29
PID 2236 wrote to memory of 2668	2236	b5255f6a452c09e32bf6a877027aef8aecfc3b5b967103da5ffe8ac64d419289.exe	29
PID 2236 wrote to memory of 2668	2236	b5255f6a452c09e32bf6a877027aef8aecfc3b5b967103da5ffe8ac64d419289.exe	29
PID 2236 wrote to memory of 2668	2236	b5255f6a452c09e32bf6a877027aef8aecfc3b5b967103da5ffe8ac64d419289.exe	29
PID 2236 wrote to memory of 2668	2236	b5255f6a452c09e32bf6a877027aef8aecfc3b5b967103da5ffe8ac64d419289.exe	29
PID 2236 wrote to memory of 2668	2236	b5255f6a452c09e32bf6a877027aef8aecfc3b5b967103da5ffe8ac64d419289.exe	29
PID 2236 wrote to memory of 2668	2236	b5255f6a452c09e32bf6a877027aef8aecfc3b5b967103da5ffe8ac64d419289.exe	29
PID 2236 wrote to memory of 2668	2236	b5255f6a452c09e32bf6a877027aef8aecfc3b5b967103da5ffe8ac64d419289.exe	29
PID 2236 wrote to memory of 2668	2236	b5255f6a452c09e32bf6a877027aef8aecfc3b5b967103da5ffe8ac64d419289.exe	29
PID 2236 wrote to memory of 2668	2236	b5255f6a452c09e32bf6a877027aef8aecfc3b5b967103da5ffe8ac64d419289.exe	29
PID 2236 wrote to memory of 2668	2236	b5255f6a452c09e32bf6a877027aef8aecfc3b5b967103da5ffe8ac64d419289.exe	29
PID 2236 wrote to memory of 2668	2236	b5255f6a452c09e32bf6a877027aef8aecfc3b5b967103da5ffe8ac64d419289.exe	29
PID 2236 wrote to memory of 2668	2236	b5255f6a452c09e32bf6a877027aef8aecfc3b5b967103da5ffe8ac64d419289.exe	29
PID 2668 wrote to memory of 2760	2668	AppLaunch.exe	30
PID 2668 wrote to memory of 2760	2668	AppLaunch.exe	30
PID 2668 wrote to memory of 2760	2668	AppLaunch.exe	30
PID 2668 wrote to memory of 2760	2668	AppLaunch.exe	30
PID 2668 wrote to memory of 2760	2668	AppLaunch.exe	30
PID 2668 wrote to memory of 2760	2668	AppLaunch.exe	30
PID 2668 wrote to memory of 2760	2668	AppLaunch.exe	30

C:\Users\Admin\AppData\Local\Temp\b5255f6a452c09e32bf6a877027aef8aecfc3b5b967103da5ffe8ac64d419289.exe
"C:\Users\Admin\AppData\Local\Temp\b5255f6a452c09e32bf6a877027aef8aecfc3b5b967103da5ffe8ac64d419289.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2668
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2668 -s 196
    3⤵
    - Program crash
    PID:2760

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2668-1-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2668-0-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2668-2-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2668-3-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2668-4-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2668-5-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2668-6-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2668-7-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2668-9-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2668-11-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads