mystic | c741e309cca1439b9dde1d6c5ad9678582165daf6370aaf4c13c05cf36441cd2 | Triage

Submit
Reports

Overview

overview

Static

static

3

41f0991208...75.exe

windows10-2004-x64

Sharing

General

Target

c741e309cca1439b9dde1d6c5ad9678582165daf6370aaf4c13c05cf36441cd2
Size

838KB
Sample

240417-qkewhsha93
MD5

6f76be38bc20e99c7ff4a5a143809be8
SHA1

a7f70b183e9f6a1078e16b157d479b74ce59df6a
SHA256

c741e309cca1439b9dde1d6c5ad9678582165daf6370aaf4c13c05cf36441cd2
SHA512

6ba1741a37d99eaef2aa6632daecf96b475d36250fa7784f999b05e67580aad82f1eb43643aa78cef0291bee404eb486d90d59c3c1c73e47abb88aa3ad3c836d
SSDEEP

24576:0ANlFgrmgEncyTXvqRnfhUNq6+erZRkYvvatrreyJ0FcW:armdzqRfhAhroQytr6yscW

Score

10^/10

mystic redline smokeloader breha backdoor evasion infostealer persistence stealer trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

41f0991208cc07eea00889cb551d4f34f6c640459920bdf3bd09346cb300f975.exe

Resource

win10v2004-20240412-en

mystic redline smokeloader breha backdoor evasion infostealer persistence stealer trojan

windows10-2004-x64

20 signatures

150 seconds

Malware Config

Extracted

Family

redline

Botnet

breha

C2

77.91.124.55:19071

Targets

- Target
  
  41f0991208cc07eea00889cb551d4f34f6c640459920bdf3bd09346cb300f975.exe
- Size
  
  882KB
- MD5
  
  c2874e64dc4a713e5f1a394c132d9382
- SHA1
  
  f8e8f6448660d3bde3affda3a4534e24d2bd6074
- SHA256
  
  41f0991208cc07eea00889cb551d4f34f6c640459920bdf3bd09346cb300f975
- SHA512
  
  95c339e5bab30ea79de68e97ab6ea06cc0520807610bcf9b25267b8150b718078b28243a5347e51ad89f09fc736bd35cb077222b576992e6361b64b7ec316b45
- SSDEEP
  
  12288:tMr1y90Jd4rJMuNnRX3l8dI2YcKoPLByw4yNkz1sLw1m5pPT4zVyc8kvjRMbHaCE:oy44plHolDkz1AIeCzAc9yJIixO+8
Score

10^/10

mystic redline smokeloader breha backdoor evasion infostealer persistence stealer trojan
- Detect Mystic stealer payload
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Mystic
  Mystic is an infostealer written in C++.
  stealer mystic
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

Windows Service

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Create or Modify System Process

Windows Service

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Impair Defenses

Disable or Modify Tools

Credential Access

Discovery

Query Registry

System Information Discovery

Peripheral Device Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

mysticredlinesmokeloaderbrehabackdoorevasioninfostealerpersistencestealertrojan

© 2018-2024

Terms | Privacy