mystic | 189abcba819ada066ab0e305a49a6a95d4ae5f53e3f9fc62d1e0306d9398ec42

Analysis

max time kernel
300s
max time network
189s
platform
windows10-1703_x64
resource
win10-20231020-en
resource tags

arch:x64arch:x86image:win10-20231020-enlocale:en-usos:windows10-1703-x64system
submitted
13-11-2023 09:30

Target

2AQ9373.exe
Size

310KB
MD5

2ea1fe5e48ff5e021b18c632d674cfd7
SHA1

5d4f2c90048e5a04a3cef2f8045fe65f5a3464a7
SHA256

189abcba819ada066ab0e305a49a6a95d4ae5f53e3f9fc62d1e0306d9398ec42
SHA512

26f90d2c5c828e493049629cf5c67fc3f71eda78b364acbba666633907dc9aab9ccbb21b9ebf626f03cd188309b0336c0313c5222f31f26c3e07775d147936a9
SSDEEP

6144:FRJ4eu5tKdffzjVOEaRLs46i2fNjKAyWqjNWsHffh9NzL:FRJ4e5fPV5aRLsBf1yxAuh9Nv

Score

10^/10

mystic stealer

Family

mystic

http://5.42.92.43/loghub/master

Detect Mystic stealer payload 5 IoCs

resource	yara_rule
behavioral2/memory/3836-0-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral2/memory/3836-3-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral2/memory/3836-4-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral2/memory/3836-5-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral2/memory/3836-6-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4500 set thread context of 3836	4500	2AQ9373.exe	73

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 4500 wrote to memory of 2948	4500	2AQ9373.exe	72
PID 4500 wrote to memory of 2948	4500	2AQ9373.exe	72
PID 4500 wrote to memory of 2948	4500	2AQ9373.exe	72
PID 4500 wrote to memory of 3836	4500	2AQ9373.exe	73
PID 4500 wrote to memory of 3836	4500	2AQ9373.exe	73
PID 4500 wrote to memory of 3836	4500	2AQ9373.exe	73
PID 4500 wrote to memory of 3836	4500	2AQ9373.exe	73
PID 4500 wrote to memory of 3836	4500	2AQ9373.exe	73
PID 4500 wrote to memory of 3836	4500	2AQ9373.exe	73
PID 4500 wrote to memory of 3836	4500	2AQ9373.exe	73
PID 4500 wrote to memory of 3836	4500	2AQ9373.exe	73
PID 4500 wrote to memory of 3836	4500	2AQ9373.exe	73
PID 4500 wrote to memory of 3836	4500	2AQ9373.exe	73

C:\Users\Admin\AppData\Local\Temp\2AQ9373.exe
"C:\Users\Admin\AppData\Local\Temp\2AQ9373.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4500
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:2948
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:3836

memory/3836-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3836-3-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3836-4-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3836-5-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3836-6-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download