mystic | 653c7aaf5687a35596964be15daf0e34ed9eb8b53525d88301a2d2ad9ae1b410 | Triage

Submit
Reports

Overview

overview

Static

static

3

01fcc207b8...f6.exe

windows10-2004-x64

Sharing

General

Target

653c7aaf5687a35596964be15daf0e34ed9eb8b53525d88301a2d2ad9ae1b410
Size

833KB
Sample

240417-qhh56aae3x
MD5

888801282cf5706a50105205fd008743
SHA1

2a65180ddf10caa1ff7884f5463792ea15c84434
SHA256

653c7aaf5687a35596964be15daf0e34ed9eb8b53525d88301a2d2ad9ae1b410
SHA512

e7fd95c6c12a54c7effc90a2f61001f8a0605e500815170ffdf6a48bff258386b9a393ebfada987dda14ce05f6f548a434124b08f56edcfcd345a72923ab69f9
SSDEEP

24576:ytGws+YhcWUEocLQ/cqH/hBhRuiQaIoDYc1F3Z:y4f+YhLUnjEqH/RkiQaI0Y6b

Score

10^/10

mystic redline smokeloader breha backdoor evasion infostealer persistence stealer trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

01fcc207b82abf8b833a8c63d79f3aa448c563bedd29e430d7a7eb306f102cf6.exe

Resource

win10v2004-20240412-en

mystic redline smokeloader breha backdoor evasion infostealer persistence stealer trojan

windows10-2004-x64

20 signatures

150 seconds

Malware Config

Extracted

Family

redline

Botnet

breha

C2

77.91.124.55:19071

Targets

- Target
  
  01fcc207b82abf8b833a8c63d79f3aa448c563bedd29e430d7a7eb306f102cf6.exe
- Size
  
  877KB
- MD5
  
  c3db948a2f5d3c222f9765880a13becf
- SHA1
  
  cff5b6d7a7a61f55fd168c180e551e2c56e3326f
- SHA256
  
  01fcc207b82abf8b833a8c63d79f3aa448c563bedd29e430d7a7eb306f102cf6
- SHA512
  
  57800406d43c6d5820f9b086243bd74b3d83a4e467c22ed39dc8eeb87a162decf34806063099b333787a7e62695bf3b5855b2a8171478ee516827f22ae133753
- SSDEEP
  
  24576:oy7yqLG+0QglMZcRWf0HdeDSbWTlrRtPKYG3Xuv4:vuf4WRWf0sxrOYG3+v
Score

10^/10

mystic redline smokeloader breha backdoor evasion infostealer persistence stealer trojan
- Detect Mystic stealer payload
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Mystic
  Mystic is an infostealer written in C++.
  stealer mystic
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

Windows Service

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Create or Modify System Process

Windows Service

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Impair Defenses

Disable or Modify Tools

Credential Access

Discovery

Query Registry

System Information Discovery

Peripheral Device Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

mysticredlinesmokeloaderbrehabackdoorevasioninfostealerpersistencestealertrojan

© 2018-2024

Terms | Privacy