mystic | bab9cabbbc1d60d0ff5052af11bf8360c985f4a9f487cde022adff7fd84b5922

Analysis

max time kernel
188s
max time network
260s
platform
windows10-1703_x64
resource
win10-20231020-en
resource tags

arch:x64arch:x86image:win10-20231020-enlocale:en-usos:windows10-1703-x64system
submitted
13-11-2023 09:30

Target

11Qn8937.exe
Size

276KB
MD5

886f7c985e2cb4f17b549024d11f8a98
SHA1

2e24b78e7a8bb3ea49a022ee05bc61129d757b45
SHA256

bab9cabbbc1d60d0ff5052af11bf8360c985f4a9f487cde022adff7fd84b5922
SHA512

d219e35338a60eacf81b096304882517f21b8ed7167e7db54ce3903dab8f9905a30ee24484e5db1fa6c76654f943ba98cdf0006d80f888a5e2e755aebe6e46df
SSDEEP

6144:RKWeIhzyZNGuL4EVE/XWXhsxteYnyaIOtpFhBL3aXnD2W+HW+HW+HW+x9pXKKH:RKWewyJzsxtRNjZG+2+2+2+x9NKK

Score

10^/10

mystic stealer

Family

mystic

http://5.42.92.43/loghub/master

Detect Mystic stealer payload 5 IoCs

resource	yara_rule
behavioral2/memory/3308-3-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral2/memory/3308-4-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral2/memory/3308-0-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral2/memory/3308-5-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral2/memory/3308-6-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1380 set thread context of 3308	1380	11Qn8937.exe	72

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1380 wrote to memory of 3308	1380	11Qn8937.exe	72
PID 1380 wrote to memory of 3308	1380	11Qn8937.exe	72
PID 1380 wrote to memory of 3308	1380	11Qn8937.exe	72
PID 1380 wrote to memory of 3308	1380	11Qn8937.exe	72
PID 1380 wrote to memory of 3308	1380	11Qn8937.exe	72
PID 1380 wrote to memory of 3308	1380	11Qn8937.exe	72
PID 1380 wrote to memory of 3308	1380	11Qn8937.exe	72
PID 1380 wrote to memory of 3308	1380	11Qn8937.exe	72
PID 1380 wrote to memory of 3308	1380	11Qn8937.exe	72
PID 1380 wrote to memory of 3308	1380	11Qn8937.exe	72

C:\Users\Admin\AppData\Local\Temp\11Qn8937.exe
"C:\Users\Admin\AppData\Local\Temp\11Qn8937.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1380
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:3308

memory/3308-3-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3308-4-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3308-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3308-5-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3308-6-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download