mystic | 189abcba819ada066ab0e305a49a6a95d4ae5f53e3f9fc62d1e0306d9398ec42

Analysis

max time kernel
123s
max time network
128s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
13-11-2023 09:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2AQ9373.exe
Size

310KB
MD5

2ea1fe5e48ff5e021b18c632d674cfd7
SHA1

5d4f2c90048e5a04a3cef2f8045fe65f5a3464a7
SHA256

189abcba819ada066ab0e305a49a6a95d4ae5f53e3f9fc62d1e0306d9398ec42
SHA512

26f90d2c5c828e493049629cf5c67fc3f71eda78b364acbba666633907dc9aab9ccbb21b9ebf626f03cd188309b0336c0313c5222f31f26c3e07775d147936a9
SSDEEP

6144:FRJ4eu5tKdffzjVOEaRLs46i2fNjKAyWqjNWsHffh9NzL:FRJ4e5fPV5aRLsBf1yxAuh9Nv

Score

10^/10

mystic stealer

Malware Config

Signatures

Detect Mystic stealer payload 6 IoCs

resource	yara_rule
behavioral1/memory/2632-3-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/2632-4-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/2632-5-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/2632-7-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/2632-9-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/2632-11-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 884 set thread context of 2632	884	2AQ9373.exe	31

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2360	2632	WerFault.exe	31

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 884 wrote to memory of 3012	884	2AQ9373.exe	29
PID 884 wrote to memory of 3012	884	2AQ9373.exe	29
PID 884 wrote to memory of 3012	884	2AQ9373.exe	29
PID 884 wrote to memory of 3012	884	2AQ9373.exe	29
PID 884 wrote to memory of 3012	884	2AQ9373.exe	29
PID 884 wrote to memory of 3012	884	2AQ9373.exe	29
PID 884 wrote to memory of 3012	884	2AQ9373.exe	29
PID 884 wrote to memory of 3056	884	2AQ9373.exe	30
PID 884 wrote to memory of 3056	884	2AQ9373.exe	30
PID 884 wrote to memory of 3056	884	2AQ9373.exe	30
PID 884 wrote to memory of 3056	884	2AQ9373.exe	30
PID 884 wrote to memory of 3056	884	2AQ9373.exe	30
PID 884 wrote to memory of 3056	884	2AQ9373.exe	30
PID 884 wrote to memory of 3056	884	2AQ9373.exe	30
PID 884 wrote to memory of 2632	884	2AQ9373.exe	31
PID 884 wrote to memory of 2632	884	2AQ9373.exe	31
PID 884 wrote to memory of 2632	884	2AQ9373.exe	31
PID 884 wrote to memory of 2632	884	2AQ9373.exe	31
PID 884 wrote to memory of 2632	884	2AQ9373.exe	31
PID 884 wrote to memory of 2632	884	2AQ9373.exe	31
PID 884 wrote to memory of 2632	884	2AQ9373.exe	31
PID 884 wrote to memory of 2632	884	2AQ9373.exe	31
PID 884 wrote to memory of 2632	884	2AQ9373.exe	31
PID 884 wrote to memory of 2632	884	2AQ9373.exe	31
PID 884 wrote to memory of 2632	884	2AQ9373.exe	31
PID 884 wrote to memory of 2632	884	2AQ9373.exe	31
PID 884 wrote to memory of 2632	884	2AQ9373.exe	31
PID 884 wrote to memory of 2632	884	2AQ9373.exe	31
PID 2632 wrote to memory of 2360	2632	AppLaunch.exe	32
PID 2632 wrote to memory of 2360	2632	AppLaunch.exe	32
PID 2632 wrote to memory of 2360	2632	AppLaunch.exe	32
PID 2632 wrote to memory of 2360	2632	AppLaunch.exe	32
PID 2632 wrote to memory of 2360	2632	AppLaunch.exe	32
PID 2632 wrote to memory of 2360	2632	AppLaunch.exe	32
PID 2632 wrote to memory of 2360	2632	AppLaunch.exe	32

C:\Users\Admin\AppData\Local\Temp\2AQ9373.exe
"C:\Users\Admin\AppData\Local\Temp\2AQ9373.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:884
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:3012
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:3056
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2632
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2632 -s 196
    3⤵
    - Program crash
    PID:2360

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2632-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2632-1-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2632-2-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2632-3-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2632-4-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2632-5-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2632-6-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2632-7-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2632-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2632-11-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads