mystic | 142fbde8dbd65e26be5497a65ee4995642403e4088ccd1c39a1d4c744fbedb8a

Analysis

max time kernel
132s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
16-11-2023 21:59

Target

NEAS.8923a47ce8bbdad1a40951460f344530.exe
Size

276KB
MD5

8923a47ce8bbdad1a40951460f344530
SHA1

e0cf703275bdcb348eb6e713ffd5dbf04b9a9a4e
SHA256

142fbde8dbd65e26be5497a65ee4995642403e4088ccd1c39a1d4c744fbedb8a
SHA512

368c5c817aa33efd0dda719803acf38354ba7cc064bc4cd8b2638dcd12a8176847b1dce561438b986960849549ef339ae0529eec3bb16633ad8cfdedd4f1101b
SSDEEP

6144:bKWeIhzyZNGuH1Uld95bB/bz3z7Ra/fbJO5m9/7KH:bKWewyvUJ//bzPk9X/7K

Score

10^/10

mystic stealer

Detect Mystic stealer payload 6 IoCs

resource	yara_rule
behavioral2/memory/3068-0-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral2/memory/3068-2-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral2/memory/3068-1-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral2/memory/3068-3-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral2/memory/3068-4-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral2/memory/3068-5-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4104 set thread context of 3068	4104	NEAS.8923a47ce8bbdad1a40951460f344530.exe	92

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 4104 wrote to memory of 3988	4104	NEAS.8923a47ce8bbdad1a40951460f344530.exe	90
PID 4104 wrote to memory of 3988	4104	NEAS.8923a47ce8bbdad1a40951460f344530.exe	90
PID 4104 wrote to memory of 3988	4104	NEAS.8923a47ce8bbdad1a40951460f344530.exe	90
PID 4104 wrote to memory of 3068	4104	NEAS.8923a47ce8bbdad1a40951460f344530.exe	92
PID 4104 wrote to memory of 3068	4104	NEAS.8923a47ce8bbdad1a40951460f344530.exe	92
PID 4104 wrote to memory of 3068	4104	NEAS.8923a47ce8bbdad1a40951460f344530.exe	92
PID 4104 wrote to memory of 3068	4104	NEAS.8923a47ce8bbdad1a40951460f344530.exe	92
PID 4104 wrote to memory of 3068	4104	NEAS.8923a47ce8bbdad1a40951460f344530.exe	92
PID 4104 wrote to memory of 3068	4104	NEAS.8923a47ce8bbdad1a40951460f344530.exe	92
PID 4104 wrote to memory of 3068	4104	NEAS.8923a47ce8bbdad1a40951460f344530.exe	92
PID 4104 wrote to memory of 3068	4104	NEAS.8923a47ce8bbdad1a40951460f344530.exe	92
PID 4104 wrote to memory of 3068	4104	NEAS.8923a47ce8bbdad1a40951460f344530.exe	92
PID 4104 wrote to memory of 3068	4104	NEAS.8923a47ce8bbdad1a40951460f344530.exe	92

C:\Users\Admin\AppData\Local\Temp\NEAS.8923a47ce8bbdad1a40951460f344530.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.8923a47ce8bbdad1a40951460f344530.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4104
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:3988
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:3068

memory/3068-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3068-2-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3068-1-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3068-3-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3068-4-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3068-5-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download