mystic | a555775d27b965ad4eef2919173dda2965e9a9752c64abea96104b2905bf6fc9 | Triage

Sharing

General

Target

NEAS.a4fab58cfff9ddd79c0d4cdfd8de4020.exe
Size

643KB
Sample

231112-216jysdd4x
MD5

a4fab58cfff9ddd79c0d4cdfd8de4020
SHA1

7326e468fcd49b5c381d5f188906ba94ed3ee0c5
SHA256

a555775d27b965ad4eef2919173dda2965e9a9752c64abea96104b2905bf6fc9
SHA512

f3fe80b2fc5795a74e885997eccfee1e8628c425aa525721280e834baf3c04d99b4f33e00d02971089980c089d423e0ebbf8a33c60dd42199a91e015e70157e9
SSDEEP

12288:DMrIy901z3rVYOcLE89QaDJnxuUPFWJeeVbIgHSicWtr:fyGDrVXoJnxTdCeUIgbntr

Score

10^/10

mystic smokeloader backdoor evasion persistence stealer trojan

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://77.91.68.29/fks/

rc4.i32

rc4.i32

Targets

- Target
  
  NEAS.a4fab58cfff9ddd79c0d4cdfd8de4020.exe
- Size
  
  643KB
- MD5
  
  a4fab58cfff9ddd79c0d4cdfd8de4020
- SHA1
  
  7326e468fcd49b5c381d5f188906ba94ed3ee0c5
- SHA256
  
  a555775d27b965ad4eef2919173dda2965e9a9752c64abea96104b2905bf6fc9
- SHA512
  
  f3fe80b2fc5795a74e885997eccfee1e8628c425aa525721280e834baf3c04d99b4f33e00d02971089980c089d423e0ebbf8a33c60dd42199a91e015e70157e9
- SSDEEP
  
  12288:DMrIy901z3rVYOcLE89QaDJnxuUPFWJeeVbIgHSicWtr:fyGDrVXoJnxTdCeUIgbntr
Score

10^/10

mystic smokeloader backdoor evasion persistence stealer trojan
- Detect Mystic stealer payload
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Mystic
  Mystic is an infostealer written in C++.
  stealer mystic
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

mysticsmokeloaderbackdoorevasionpersistencestealertrojan