mystic | d76363fb0952e0e8a501993147336a6fd4cdeae856b368f6becbd6ee3cf7c8d2 | Triage

Submit
Reports

Overview

overview

Static

static

3

NEAS.1ab3f...70.exe

windows10-2004-x64

Sharing

General

Target

NEAS.1ab3f74677fe62ec9d6959388a529e70.exe
Size

782KB
Sample

231118-b1py4ahg5y
MD5

1ab3f74677fe62ec9d6959388a529e70
SHA1

2235cccb92b7879f67afece71414352f5f31db79
SHA256

d76363fb0952e0e8a501993147336a6fd4cdeae856b368f6becbd6ee3cf7c8d2
SHA512

9cd55d2ce21c7c099e5ac2e5c1f0deae50b797d4acefd9d2ef693ba8b3f6be9db6d090b77ed0b8e6433c71894ad0f4f262db399f69c7ea45fdfa4812e0a4f6b8
SSDEEP

12288:IMryy90+oPlyfKDkD8jzy1Jcyaex4IC5mpCPHGlNPLvTMXiYQtDOJHE3kUxhCUZb:qyfoPMX1aeuIsyC/G/LYD18

Score

10^/10

mystic redline sectoprat smokeloader @ytlogsbot pixelfresh backdoor evasion infostealer persistence rat stealer trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

NEAS.1ab3f74677fe62ec9d6959388a529e70.exe

Resource

win10v2004-20231023-en

mystic redline sectoprat smokeloader @ytlogsbot pixelfresh backdoor evasion infostealer persistence rat stealer trojan

windows10-2004-x64

23 signatures

150 seconds

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://5.42.92.190/fks/index.php

rc4.i32

rc4.i32

Extracted

Family

redline

Botnet

pixelfresh

C2

194.49.94.11:80

Extracted

Family

redline

Botnet

@ytlogsbot

C2

194.169.175.235:42691

Targets

- Target
  
  NEAS.1ab3f74677fe62ec9d6959388a529e70.exe
- Size
  
  782KB
- MD5
  
  1ab3f74677fe62ec9d6959388a529e70
- SHA1
  
  2235cccb92b7879f67afece71414352f5f31db79
- SHA256
  
  d76363fb0952e0e8a501993147336a6fd4cdeae856b368f6becbd6ee3cf7c8d2
- SHA512
  
  9cd55d2ce21c7c099e5ac2e5c1f0deae50b797d4acefd9d2ef693ba8b3f6be9db6d090b77ed0b8e6433c71894ad0f4f262db399f69c7ea45fdfa4812e0a4f6b8
- SSDEEP
  
  12288:IMryy90+oPlyfKDkD8jzy1Jcyaex4IC5mpCPHGlNPLvTMXiYQtDOJHE3kUxhCUZb:qyfoPMX1aeuIsyC/G/LYD18
Score

10^/10

mystic redline sectoprat smokeloader @ytlogsbot pixelfresh backdoor evasion infostealer persistence rat stealer trojan
- Detect Mystic stealer payload
- Mystic
  Mystic is an infostealer written in C++.
  stealer mystic
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Downloads MZ/PE file
- Stops running service(s)
  evasion
- Executes dropped EXE
- Adds Run key to start application
  persistence
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

Tasks

static1

behavioral1

mysticredlinesectopratsmokeloader@ytlogsbotpixelfreshbackdoorevasioninfostealerpersistenceratstealertrojan

© 2018-2024

Terms | Privacy