mystic | 6e8d5e60ae6429b7178e7f5b681709b7369e503cea731a00b6f9970a9fbf984b | Triage

Sharing

General

Target

2f831cc2089b767cfca2c178440b3080412146a7509b45c937654105d0043056.zip
Size

1.2MB
Sample

240402-l7fzwaec5z
MD5

7bf4550aee36b6346a9f67a4863bd56e
SHA1

cdcc32ac9b540acd53bd5c88504d5b751fd485f1
SHA256

6e8d5e60ae6429b7178e7f5b681709b7369e503cea731a00b6f9970a9fbf984b
SHA512

6fd79c1d4e96850059ff423f3c024b71c9f81adeead28995337c6ad557f9f2e89cddde7664be9de0f16dd5d8958629c71285a539c0d3c06da9b8361b4dbe604c
SSDEEP

24576:ap2D5ee9ZAo0yu2IR1DIQjORZAO+yFc++i6HQkYKC0GE5:229ee9SoMbiMORZA9yFbCQkYKCVa

Score

10^/10

mystic redline smokeloader breha backdoor evasion infostealer persistence stealer trojan

Malware Config

Extracted

Family

redline

Botnet

breha

C2

77.91.124.55:19071

Extracted

Family

smokeloader

Version

2022

C2

http://77.91.68.29/fks/

rc4.i32

rc4.i32

Targets

- Target
  
  2f831cc2089b767cfca2c178440b3080412146a7509b45c937654105d0043056.exe
- Size
  
  1.2MB
- MD5
  
  c12d133679d23b8140a252b1e7a808d2
- SHA1
  
  5ea0e77daa476f58fc3a568112615fc6782758d3
- SHA256
  
  2f831cc2089b767cfca2c178440b3080412146a7509b45c937654105d0043056
- SHA512
  
  e25e92df78309fb1c348a9de5bbead54bf3828a9f5466d1e5751d4188c50624ece31b4c1e00c5df2a09a742466d5dd3ec8537c7c9674e20edb7952063c11cc25
- SSDEEP
  
  24576:tyNwo5Daz1zj7bxni+qI6eLPc9ADDe6e0lPHuCiVyvjf+VsWydYDN3cc/:INw11Dbh9qIXQ9AHTekOs4fydYh33
Score

10^/10

mystic redline smokeloader breha backdoor evasion infostealer persistence stealer trojan
- Detect Mystic stealer payload
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Mystic
  Mystic is an infostealer written in C++.
  stealer mystic
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

mysticredlinesmokeloaderbrehabackdoorevasioninfostealerpersistencestealertrojan