mystic | aae8a2533740717f592355c2305e15e79bc671db80ad5e4725467ceaa4bbcf52 | Triage

Submit
Reports

Overview

overview

Static

static

3

30befd0887...0c.exe

windows10-2004-x64

Sharing

General

Target

30befd088724719df66035cff6175ec647a4e80ec049eb84ba0a769e08c9e60c.zip
Size

755KB
Sample

231119-3tx5nscg29
MD5

eb122a46cbccfa2bd05a39b0865fc289
SHA1

91a50dde426a4389106a6a8b923217f6bedd051c
SHA256

aae8a2533740717f592355c2305e15e79bc671db80ad5e4725467ceaa4bbcf52
SHA512

fe8c96b61f8c5eadb5a6da5fb0369eac93bb6357c7ea30c8b809c13233ab0dc5f3ad8997441570aeab14e2617d809583438b1d12bfa2bc4ef9cba85ad2cec0ec
SSDEEP

12288:0WcBt7jfbXYr+TlsKjfE1/+kw0pFyCR12A6PK5Q84b0o5ayHOjmgx3t4yyYEpcjJ:DutBTmyfWWx0pFyCgKmv5THOjmgx3ayz

Score

10^/10

mystic smokeloader backdoor paypal persistence phishing stealer trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

30befd088724719df66035cff6175ec647a4e80ec049eb84ba0a769e08c9e60c.exe

Resource

win10v2004-20231023-en

mystic smokeloader backdoor paypal persistence phishing stealer trojan

windows10-2004-x64

20 signatures

150 seconds

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://5.42.92.190/fks/index.php

rc4.i32

rc4.i32

Targets

- Target
  
  30befd088724719df66035cff6175ec647a4e80ec049eb84ba0a769e08c9e60c.exe
- Size
  
  799KB
- MD5
  
  06e964d72a34dc9e1cc80e3a8fe9bdeb
- SHA1
  
  58f6a85a578901f1fa64ac9598e47eb121836843
- SHA256
  
  30befd088724719df66035cff6175ec647a4e80ec049eb84ba0a769e08c9e60c
- SHA512
  
  59ceec8e5aa6453ecf8e6fae57251f88a07ad9b34665143c648e252a6f0af75479a5607839bb0a89621938d0afc340c37778b383a431b586ea4f1412304f1bfb
- SSDEEP
  
  24576:ry5rqmZj5AaeuIseC/GRLYDHILx4wqMwFY:e5rNZ9ZetJEGK0F49
Score

10^/10

mystic smokeloader backdoor paypal persistence phishing stealer trojan
- Detect Mystic stealer payload
- Mystic
  Mystic is an infostealer written in C++.
  stealer mystic
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Downloads MZ/PE file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Detected potential entity reuse from brand paypal.
  phishing paypal
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

mysticsmokeloaderbackdoorpaypalpersistencephishingstealertrojan

© 2018-2024

Terms | Privacy