mystic | cd67c542f9ef299cdb204865370238968f3de6db21a6fd2a0355b5eff417340b | Triage

Submit
Reports

Overview

overview

Static

static

3

1bb910ccfc...f0.exe

windows10-2004-x64

Sharing

General

Target

1bb910ccfc726f1c6617c7569e2811a7a372d042b48de2ad0843de01d741c6f0.zip
Size

1.4MB
Sample

240402-l7fdcaec5w
MD5

9c8039c5420532a003b618843422bc45
SHA1

d3519e265b6d07a1ebc60dfff2c71e3b2f33a008
SHA256

cd67c542f9ef299cdb204865370238968f3de6db21a6fd2a0355b5eff417340b
SHA512

388d16d6db21334935f174d9cd9ab3ee2c8c03554d649afce6892ac9e0d065400eb2006832c2a1e3dda9383722b034e7f06a938dffd92ad0245a0507ad16b75e
SSDEEP

24576:wLSYxI2TBvcMhIp52Kek5K4OZV6Fmi3ln+fXGeuo4EYE+AJAWhpJTy9prvUVTIk9:wL7PTBvc64deV4U6AXGeuo4JE+ArTy9G

Score

10^/10

mystic redline smokeloader breha backdoor evasion infostealer persistence stealer trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

1bb910ccfc726f1c6617c7569e2811a7a372d042b48de2ad0843de01d741c6f0.exe

Resource

win10v2004-20231215-en

mystic redline smokeloader breha backdoor evasion infostealer persistence stealer trojan

windows10-2004-x64

22 signatures

150 seconds

Malware Config

Extracted

Family

mystic

C2

http://5.42.92.211/

Extracted

Family

redline

Botnet

breha

C2

77.91.124.55:19071

Extracted

Family

smokeloader

Version

2022

C2

http://77.91.68.29/fks/

rc4.i32

rc4.i32

Targets

- Target
  
  1bb910ccfc726f1c6617c7569e2811a7a372d042b48de2ad0843de01d741c6f0.exe
- Size
  
  1.4MB
- MD5
  
  5d78bd8ce2cb424e2fb1d9faf86c293b
- SHA1
  
  30bf439a716af76f6395c4458e4a9d057a3a8bb0
- SHA256
  
  1bb910ccfc726f1c6617c7569e2811a7a372d042b48de2ad0843de01d741c6f0
- SHA512
  
  02e1c2aaa080faf638786ae256714e291fb9fd696b35b0e6a67e4082b2be88f52cc1065b0b88e64d05d55c1305a1e0b2992f582a3cd4ff23c99e0cbee3391ed3
- SSDEEP
  
  24576:zywTlIF0FA5pNwu10bl7CkjibvYXoxgofHDsYcKAkw8Ygbn16h6S3KL9oEt:GUlIWa0tCYsQ+gofTKkwLs6hJKB
Score

10^/10

mystic redline smokeloader breha backdoor evasion infostealer persistence stealer trojan
- Detect Mystic stealer payload
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Mystic
  Mystic is an infostealer written in C++.
  stealer mystic
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

mysticredlinesmokeloaderbrehabackdoorevasioninfostealerpersistencestealertrojan

© 2018-2024

Terms | Privacy