mystic | c2f4aa0e5132b72b0d4a23d1a4fa2ff07bb77faf69c8423ad68db9eab09b1182 | Triage

Sharing

General

Target

e74823510942cf2652d1cb04f1bc8cac0369eb6a62ad431cbef2eed833e6ab42.zip
Size

1.2MB
Sample

240402-l7lkcsec71
MD5

e571a8b91cb8ec9a4fe1f24baec556b8
SHA1

35dc3d337622e35865773d2d11cf270048885717
SHA256

c2f4aa0e5132b72b0d4a23d1a4fa2ff07bb77faf69c8423ad68db9eab09b1182
SHA512

b2d2aaa271050c6f8e5703578c5b95744f77ce493631f3ba186a93cfc0978dff26ba9abbbb70bbc5609c144c845a8bf57889c8bb7b72f71138bfff34c78d848c
SSDEEP

24576:k/DN2jLeKX4zzEsKgxqGQFtxWyqketR/rtIMDEdklmNYf5TDe:WgNDEHQlkJm+Jy

Score

10^/10

mystic redline smokeloader breha backdoor evasion infostealer persistence stealer trojan

Malware Config

Extracted

Family

redline

Botnet

breha

C2

77.91.124.55:19071

Extracted

Family

smokeloader

Version

2022

C2

http://77.91.68.29/fks/

rc4.i32

rc4.i32

Targets

- Target
  
  e74823510942cf2652d1cb04f1bc8cac0369eb6a62ad431cbef2eed833e6ab42.exe
- Size
  
  1.2MB
- MD5
  
  536a22121ee569d64ac677f9bb43ffcf
- SHA1
  
  a13d77e09301ad007a6bbc713f676cf3c7f76d75
- SHA256
  
  e74823510942cf2652d1cb04f1bc8cac0369eb6a62ad431cbef2eed833e6ab42
- SHA512
  
  1583bd6d96fb57c661c3acf0ca21e7bd3eb06165a855c815e6bfc604cf7238054bde72c64520b9e45fa1febf6b4219078f1ad5fd2a3c42e4b6f2d44c1dbb759a
- SSDEEP
  
  24576:nyIMbyycgFDgnC72ldi+I6MUrpIiI1imLA3WEdxDjvp2JCMMW:yIsyy3inM2v9I6MQDOLA3fEYt
Score

10^/10

mystic redline smokeloader breha backdoor evasion infostealer persistence stealer trojan
- Detect Mystic stealer payload
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Mystic
  Mystic is an infostealer written in C++.
  stealer mystic
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

mysticredlinesmokeloaderbrehabackdoorevasioninfostealerpersistencestealertrojan