mystic | 03dc6b4a462c0fdbeeca91c17bae2a9c367bfef5b5986113d1860736e8680432 | Triage

Submit
Reports

Overview

overview

Static

static

3

4e9ba42bf5...9b.exe

windows10-2004-x64

Sharing

General

Target

4e9ba42bf509f0f21b0a1f5761950e1a3dbdd82dc290dbf5e7bef53f8dc9449b.zip
Size

1.2MB
Sample

240402-l7gw6sec6v
MD5

fa5fbc96026a2f79bfe48326c456e1f8
SHA1

c3214d7d589324072e552edbee07d9822e0979ad
SHA256

03dc6b4a462c0fdbeeca91c17bae2a9c367bfef5b5986113d1860736e8680432
SHA512

170a80400c203401b2cdb003467250de4db4f2cf75545ebff467f4d7ebf3acfb8cd1ba29db6b438a2e1b66fe6101da468fa8714491d0d82f8d12b66b6c8d4f43
SSDEEP

24576:UZkmeM1isiXJ0W7eDoEU4EJ0OhlFEr+AEG3iu1n979qmCTyl:UZk5MO0q/EG1ErQG5n979GTW

Score

10^/10

mystic redline smokeloader breha backdoor evasion infostealer persistence stealer trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

4e9ba42bf509f0f21b0a1f5761950e1a3dbdd82dc290dbf5e7bef53f8dc9449b.exe

Resource

win10v2004-20240226-en

mystic redline smokeloader breha backdoor evasion infostealer persistence stealer trojan

windows10-2004-x64

24 signatures

150 seconds

Malware Config

Extracted

Family

redline

Botnet

breha

C2

77.91.124.55:19071

Extracted

Family

smokeloader

Version

2022

C2

http://77.91.68.29/fks/

rc4.i32

rc4.i32

Targets

- Target
  
  4e9ba42bf509f0f21b0a1f5761950e1a3dbdd82dc290dbf5e7bef53f8dc9449b.exe
- Size
  
  1.2MB
- MD5
  
  77ea53409cd3cbb2b02ab8f98ca0329b
- SHA1
  
  36a3125d8efe9d3f0f0f1329145e9ce894f019b7
- SHA256
  
  4e9ba42bf509f0f21b0a1f5761950e1a3dbdd82dc290dbf5e7bef53f8dc9449b
- SHA512
  
  06f30ceaa0c504f4589b8b9a209a2cf35452af89733fc230e3b2d01a6c15d7a208e2e45a90cafb9bc288ec32cd29d9665196f919c5aab3f369cda97571d3637b
- SSDEEP
  
  24576:WyJSoyMQCEgp7EvcxDyV7gK7i+Ce3Dcc9pwodSu+rdjVxrvkx8kY7lIcjiK11tPI:lJJyMXHpgv8y9gw9CezF9qgSu+rRVx71
Score

10^/10

mystic redline smokeloader breha backdoor evasion infostealer persistence stealer trojan
- Detect Mystic stealer payload
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Mystic
  Mystic is an infostealer written in C++.
  stealer mystic
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

mysticredlinesmokeloaderbrehabackdoorevasioninfostealerpersistencestealertrojan

© 2018-2024

Terms | Privacy