mystic | 5a8d3d40ed21d984db0712373f467f835f9cbc423dd094daa822c60a6c9fbc74

Analysis

max time kernel
139s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
12-11-2023 15:58

Target

5a8d3d40ed21d984db0712373f467f835f9cbc423dd094daa822c60a6c9fbc74.exe
Size

283KB
MD5

1ecd1ffc41c75a212ac7871ed8a0c5e8
SHA1

d1bd4ca453f325cb5908c7eb2eb6a21a30819aa6
SHA256

5a8d3d40ed21d984db0712373f467f835f9cbc423dd094daa822c60a6c9fbc74
SHA512

9559d8222939119be5c99bcac176dfb378efd16596d73259c280963ee9452c238bc6409cf1ab6cbb713398b578ba94b69f3f990a5c84bfeecf98500fa137797d
SSDEEP

3072:/cNqRJurMsou937Zx8GKadC/CPbYpMi1DEWpnPIC0cHNjeXFbnebZKh5XZYpFInu:/c/LomW3DzpnPqpXFOfU6cZB7Ud3

Score

10^/10

mystic stealer

Family

mystic

http://5.42.92.43/loghub/master

Detect Mystic stealer payload 5 IoCs

resource	yara_rule
behavioral1/memory/2896-0-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/2896-2-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/2896-3-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/2896-1-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/2896-4-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 948 set thread context of 2896	948	5a8d3d40ed21d984db0712373f467f835f9cbc423dd094daa822c60a6c9fbc74.exe	97

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 948 wrote to memory of 2896	948	5a8d3d40ed21d984db0712373f467f835f9cbc423dd094daa822c60a6c9fbc74.exe	97
PID 948 wrote to memory of 2896	948	5a8d3d40ed21d984db0712373f467f835f9cbc423dd094daa822c60a6c9fbc74.exe	97
PID 948 wrote to memory of 2896	948	5a8d3d40ed21d984db0712373f467f835f9cbc423dd094daa822c60a6c9fbc74.exe	97
PID 948 wrote to memory of 2896	948	5a8d3d40ed21d984db0712373f467f835f9cbc423dd094daa822c60a6c9fbc74.exe	97
PID 948 wrote to memory of 2896	948	5a8d3d40ed21d984db0712373f467f835f9cbc423dd094daa822c60a6c9fbc74.exe	97
PID 948 wrote to memory of 2896	948	5a8d3d40ed21d984db0712373f467f835f9cbc423dd094daa822c60a6c9fbc74.exe	97
PID 948 wrote to memory of 2896	948	5a8d3d40ed21d984db0712373f467f835f9cbc423dd094daa822c60a6c9fbc74.exe	97
PID 948 wrote to memory of 2896	948	5a8d3d40ed21d984db0712373f467f835f9cbc423dd094daa822c60a6c9fbc74.exe	97
PID 948 wrote to memory of 2896	948	5a8d3d40ed21d984db0712373f467f835f9cbc423dd094daa822c60a6c9fbc74.exe	97
PID 948 wrote to memory of 2896	948	5a8d3d40ed21d984db0712373f467f835f9cbc423dd094daa822c60a6c9fbc74.exe	97

C:\Users\Admin\AppData\Local\Temp\5a8d3d40ed21d984db0712373f467f835f9cbc423dd094daa822c60a6c9fbc74.exe
"C:\Users\Admin\AppData\Local\Temp\5a8d3d40ed21d984db0712373f467f835f9cbc423dd094daa822c60a6c9fbc74.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:948
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:2896

memory/2896-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2896-2-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2896-3-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2896-1-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2896-4-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download