mystic | 5e6329c4057eee1f3013f8b81d2ae3a295083dbf4706ced807a18beb5eb4891c | Triage

Sharing

General

Target

f0c223a0f7a1c23a6ae1841202d16dce212051ac42777add4007b408db029df7.zip
Size

988KB
Sample

240402-l7lv5aeg62
MD5

b894c19633a85f2890cb2b08e313f8c8
SHA1

66795f8faec629432527ed7f4ffb19e02e1f0f08
SHA256

5e6329c4057eee1f3013f8b81d2ae3a295083dbf4706ced807a18beb5eb4891c
SHA512

5d096276f4563b7d27a78fea29a7e1b8616cde86fe3f6bbae7774dd71a69097d01020f9c7b7744e0cfcf8cb1b3e1992d2e7ee4d6a4dda4ef3752674743ac52e1
SSDEEP

24576:ftM5opNmwJuZryJ9Q0GQ5FP7gXRQ5E9TQSYdyLf2:ftumUVxyc6uQ5wTQSYU72

Score

10^/10

mystic redline smokeloader breha backdoor evasion infostealer persistence stealer trojan

Malware Config

Extracted

Family

redline

Botnet

breha

C2

77.91.124.55:19071

Extracted

Family

smokeloader

Version

2022

C2

http://77.91.68.29/fks/

rc4.i32

rc4.i32

Targets

- Target
  
  f0c223a0f7a1c23a6ae1841202d16dce212051ac42777add4007b408db029df7.exe
- Size
  
  1.0MB
- MD5
  
  c950caba89c136b14c906d38f7705adc
- SHA1
  
  ba023ef7430cd3a188b4bcd56b41179124c49209
- SHA256
  
  f0c223a0f7a1c23a6ae1841202d16dce212051ac42777add4007b408db029df7
- SHA512
  
  7e0da561f46ecadf20246d1ef4c45fa04edbbbdaa48655245b2cb6bf7bd03c346698233564e678ade872aaba7802a4674539dd3070e35852ba4d492c47cf9ab6
- SSDEEP
  
  24576:sye5TtacpZF9mvLPTEXVXTLBpbibKhYqw5Kk:be7bF9lvXbiyYL5
Score

10^/10

mystic redline smokeloader breha backdoor evasion infostealer persistence stealer trojan
- Detect Mystic stealer payload
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Mystic
  Mystic is an infostealer written in C++.
  stealer mystic
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

mysticredlinesmokeloaderbrehabackdoorevasioninfostealerpersistencestealertrojan