mystic | 142fbde8dbd65e26be5497a65ee4995642403e4088ccd1c39a1d4c744fbedb8a

Analysis

max time kernel
119s
max time network
126s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
16-11-2023 21:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.8923a47ce8bbdad1a40951460f344530.exe
Size

276KB
MD5

8923a47ce8bbdad1a40951460f344530
SHA1

e0cf703275bdcb348eb6e713ffd5dbf04b9a9a4e
SHA256

142fbde8dbd65e26be5497a65ee4995642403e4088ccd1c39a1d4c744fbedb8a
SHA512

368c5c817aa33efd0dda719803acf38354ba7cc064bc4cd8b2638dcd12a8176847b1dce561438b986960849549ef339ae0529eec3bb16633ad8cfdedd4f1101b
SSDEEP

6144:bKWeIhzyZNGuH1Uld95bB/bz3z7Ra/fbJO5m9/7KH:bKWewyvUJ//bzPk9X/7K

Score

10^/10

mystic stealer

Malware Config

Signatures

Detect Mystic stealer payload 6 IoCs

resource	yara_rule
behavioral1/memory/2848-3-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/2848-5-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/2848-4-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/2848-7-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/2848-9-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/2848-11-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2124 set thread context of 2848	2124	NEAS.8923a47ce8bbdad1a40951460f344530.exe	30

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1992	2848	WerFault.exe	30

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2124 wrote to memory of 2836	2124	NEAS.8923a47ce8bbdad1a40951460f344530.exe	29
PID 2124 wrote to memory of 2836	2124	NEAS.8923a47ce8bbdad1a40951460f344530.exe	29
PID 2124 wrote to memory of 2836	2124	NEAS.8923a47ce8bbdad1a40951460f344530.exe	29
PID 2124 wrote to memory of 2836	2124	NEAS.8923a47ce8bbdad1a40951460f344530.exe	29
PID 2124 wrote to memory of 2836	2124	NEAS.8923a47ce8bbdad1a40951460f344530.exe	29
PID 2124 wrote to memory of 2836	2124	NEAS.8923a47ce8bbdad1a40951460f344530.exe	29
PID 2124 wrote to memory of 2836	2124	NEAS.8923a47ce8bbdad1a40951460f344530.exe	29
PID 2124 wrote to memory of 2848	2124	NEAS.8923a47ce8bbdad1a40951460f344530.exe	30
PID 2124 wrote to memory of 2848	2124	NEAS.8923a47ce8bbdad1a40951460f344530.exe	30
PID 2124 wrote to memory of 2848	2124	NEAS.8923a47ce8bbdad1a40951460f344530.exe	30
PID 2124 wrote to memory of 2848	2124	NEAS.8923a47ce8bbdad1a40951460f344530.exe	30
PID 2124 wrote to memory of 2848	2124	NEAS.8923a47ce8bbdad1a40951460f344530.exe	30
PID 2124 wrote to memory of 2848	2124	NEAS.8923a47ce8bbdad1a40951460f344530.exe	30
PID 2124 wrote to memory of 2848	2124	NEAS.8923a47ce8bbdad1a40951460f344530.exe	30
PID 2124 wrote to memory of 2848	2124	NEAS.8923a47ce8bbdad1a40951460f344530.exe	30
PID 2124 wrote to memory of 2848	2124	NEAS.8923a47ce8bbdad1a40951460f344530.exe	30
PID 2124 wrote to memory of 2848	2124	NEAS.8923a47ce8bbdad1a40951460f344530.exe	30
PID 2124 wrote to memory of 2848	2124	NEAS.8923a47ce8bbdad1a40951460f344530.exe	30
PID 2124 wrote to memory of 2848	2124	NEAS.8923a47ce8bbdad1a40951460f344530.exe	30
PID 2124 wrote to memory of 2848	2124	NEAS.8923a47ce8bbdad1a40951460f344530.exe	30
PID 2124 wrote to memory of 2848	2124	NEAS.8923a47ce8bbdad1a40951460f344530.exe	30
PID 2848 wrote to memory of 1992	2848	AppLaunch.exe	31
PID 2848 wrote to memory of 1992	2848	AppLaunch.exe	31
PID 2848 wrote to memory of 1992	2848	AppLaunch.exe	31
PID 2848 wrote to memory of 1992	2848	AppLaunch.exe	31
PID 2848 wrote to memory of 1992	2848	AppLaunch.exe	31
PID 2848 wrote to memory of 1992	2848	AppLaunch.exe	31
PID 2848 wrote to memory of 1992	2848	AppLaunch.exe	31

C:\Users\Admin\AppData\Local\Temp\NEAS.8923a47ce8bbdad1a40951460f344530.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.8923a47ce8bbdad1a40951460f344530.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2124
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:2836
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2848
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2848 -s 196
    3⤵
    - Program crash
    PID:1992

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2848-1-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2848-3-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2848-5-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2848-4-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2848-7-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2848-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2848-6-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2848-2-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2848-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2848-11-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads