mystic | 63b4bf8b0511131d78f6dc8f616924922009b533f349dcc1079d596bb46d0712 | Triage

Sharing

General

Target

63b4bf8b0511131d78f6dc8f616924922009b533f349dcc1079d596bb46d0712
Size

699KB
Sample

240417-qrqxcshe74
MD5

4b9e2543ca5879ea5f896f32254433bd
SHA1

eb5ecb4bbb3b32217ad29700841d84597f3bd972
SHA256

63b4bf8b0511131d78f6dc8f616924922009b533f349dcc1079d596bb46d0712
SHA512

c7d4f9f73cd5561ae50d500ef520ecf6e9281be280d59cc0450e5e60043b5911e745314c0caa6bb29a63f615cd4e6ccb4b6c3b816ec4f4288d026b07cc351015
SSDEEP

12288:AWIkutOr+9VZeeP6s+YKfMg8DxvwKL03G2NoG4rU8fBcaT9s6yX3XdsDHiu:wk/ry2MOYK0gavwKL4G2yPrU8ZcEmNsv

Score

10^/10

mystic redline smokeloader breha backdoor evasion infostealer persistence stealer trojan

Malware Config

Extracted

Family

redline

Botnet

breha

C2

77.91.124.55:19071

Targets

- Target
  
  129fc7deea5ab9985c016ed6882e2c5c1f4ef971580862b68fafb0cfe387ee47.exe
- Size
  
  743KB
- MD5
  
  0711e23d2902f70311f03cc4a658362a
- SHA1
  
  801d9c530001ccbb756b09976d2e53ee103deb5a
- SHA256
  
  129fc7deea5ab9985c016ed6882e2c5c1f4ef971580862b68fafb0cfe387ee47
- SHA512
  
  4c0c90d93edd2be0d8cf20e060f3751207d306b9f17d0c3986102c1884d1c9fd4e5d4b168c1f74fb3c6a4b7462a162a2c048173c8b78d073728d1747323cb65b
- SSDEEP
  
  12288:8Mrly90l3AxD1OdMC1kLGed/X/uuAfmVK9WOMJF5E8G6JItDuTuAVhwR7+yi:BycED1On1G3X/rAfBvC5HmWu1R7+yi
Score

10^/10

mystic redline smokeloader breha backdoor evasion infostealer persistence stealer trojan
- Detect Mystic stealer payload
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Mystic
  Mystic is an infostealer written in C++.
  stealer mystic
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

mysticredlinesmokeloaderbrehabackdoorevasioninfostealerpersistencestealertrojan