mystic | 634cb5ec30bc0e9e7a2ddc62c8c83871b0adf592bdfa9a4e9771d7d0aef16c23

Analysis

max time kernel
185s
max time network
293s
platform
windows10-1703_x64
resource
win10-20231023-en
resource tags

arch:x64arch:x86image:win10-20231023-enlocale:en-usos:windows10-1703-x64system
submitted
13-11-2023 09:30

Target

2et8410.exe
Size

310KB
MD5

10dfeb895bcf90a5164ce7b5075dbb94
SHA1

c3bacf0357a7ca4f9d43346015ad0c62bf7d1ebf
SHA256

634cb5ec30bc0e9e7a2ddc62c8c83871b0adf592bdfa9a4e9771d7d0aef16c23
SHA512

5242a0c52487e5bdca222366bcb7dc5f1d8093acba849dc29c93d199f8c414487b26cdba4847936623a4bf8f43a633432d7708d9e3adfd79c6b65948bb28e0c0
SSDEEP

6144:rRJ4eu5tKah/T5pOMiwXH87AGImxmRK5MZLRBN/ch9NzL:rRJ4ei/T5pviwwtIMmRK5KYh9Nv

Score

10^/10

mystic stealer

Family

mystic

http://5.42.92.43/loghub/master

Detect Mystic stealer payload 5 IoCs

resource	yara_rule
behavioral2/memory/660-0-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral2/memory/660-3-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral2/memory/660-4-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral2/memory/660-5-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral2/memory/660-6-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1076 set thread context of 660	1076	2et8410.exe	73

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1076 wrote to memory of 4960	1076	2et8410.exe	72
PID 1076 wrote to memory of 4960	1076	2et8410.exe	72
PID 1076 wrote to memory of 4960	1076	2et8410.exe	72
PID 1076 wrote to memory of 660	1076	2et8410.exe	73
PID 1076 wrote to memory of 660	1076	2et8410.exe	73
PID 1076 wrote to memory of 660	1076	2et8410.exe	73
PID 1076 wrote to memory of 660	1076	2et8410.exe	73
PID 1076 wrote to memory of 660	1076	2et8410.exe	73
PID 1076 wrote to memory of 660	1076	2et8410.exe	73
PID 1076 wrote to memory of 660	1076	2et8410.exe	73
PID 1076 wrote to memory of 660	1076	2et8410.exe	73
PID 1076 wrote to memory of 660	1076	2et8410.exe	73
PID 1076 wrote to memory of 660	1076	2et8410.exe	73

C:\Users\Admin\AppData\Local\Temp\2et8410.exe
"C:\Users\Admin\AppData\Local\Temp\2et8410.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1076
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:4960
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:660

memory/660-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/660-3-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/660-4-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/660-5-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/660-6-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download