mystic | 91e9fea87e0dcd09477cca6655fc7c0e9c69dcd78db17ce71978baac81c11114

Analysis

max time kernel
186s
max time network
259s
platform
windows10-1703_x64
resource
win10-20231023-en
resource tags

arch:x64arch:x86image:win10-20231023-enlocale:en-usos:windows10-1703-x64system
submitted
13-11-2023 09:30

Target

11or5678.exe
Size

276KB
MD5

3e39720bda10dbb894b99a4aef9d57a4
SHA1

4f0044c9d40096f13714dd47ef4d5a41132a88ce
SHA256

91e9fea87e0dcd09477cca6655fc7c0e9c69dcd78db17ce71978baac81c11114
SHA512

fb5d9f7796a185d40fb842531e30eceb4d7ef7ee9ccd538fd33e86249dff80d9441ad73631cf62ab27e6dccc95eff9caa8dcc0885519ccfa0631582e3a88cf7c
SSDEEP

6144:QKWeIhzyZNGuA4d5dikcydcaxbLRDlxLrtdqmA2WrpKH:QKWewyLd5diktdR1LdlxLRdqH2WNK

Score

10^/10

mystic stealer

Family

mystic

http://5.42.92.43/loghub/master

Detect Mystic stealer payload 5 IoCs

resource	yara_rule
behavioral2/memory/1276-0-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral2/memory/1276-3-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral2/memory/1276-4-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral2/memory/1276-5-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral2/memory/1276-6-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1192 set thread context of 1276	1192	11or5678.exe	72

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1192 wrote to memory of 1276	1192	11or5678.exe	72
PID 1192 wrote to memory of 1276	1192	11or5678.exe	72
PID 1192 wrote to memory of 1276	1192	11or5678.exe	72
PID 1192 wrote to memory of 1276	1192	11or5678.exe	72
PID 1192 wrote to memory of 1276	1192	11or5678.exe	72
PID 1192 wrote to memory of 1276	1192	11or5678.exe	72
PID 1192 wrote to memory of 1276	1192	11or5678.exe	72
PID 1192 wrote to memory of 1276	1192	11or5678.exe	72
PID 1192 wrote to memory of 1276	1192	11or5678.exe	72
PID 1192 wrote to memory of 1276	1192	11or5678.exe	72

C:\Users\Admin\AppData\Local\Temp\11or5678.exe
"C:\Users\Admin\AppData\Local\Temp\11or5678.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1192
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:1276

memory/1276-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1276-3-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1276-4-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1276-5-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1276-6-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download