mystic | 83f9ac8f5c2c168f911f7c15829ee95c60cf3124533493e7d4af8fccd21808c1 | Triage

Submit
Reports

Overview

overview

Static

static

3

3fa03f784e...df.exe

windows10-2004-x64

Sharing

General

Target

83f9ac8f5c2c168f911f7c15829ee95c60cf3124533493e7d4af8fccd21808c1
Size

833KB
Sample

240417-qwf8qabd5z
MD5

64bbc061089c7a84132fa2854986efb8
SHA1

49e26964dcb86b1a50f1e176161bdc12265d40be
SHA256

83f9ac8f5c2c168f911f7c15829ee95c60cf3124533493e7d4af8fccd21808c1
SHA512

0eacdffa23e41f697d82276d88076f875e53b0d6db16da00ad4aa522ec1ca6bc994773ea1e06ec1753dbbe04289404183234687dd4bcabe85796a7f962bd0612
SSDEEP

24576:VCRQbTkDVD0grJRFmsAjwNxr8yr8pe/rMqeBH13:H/kDVog1RgD8xr8yope/rMjV

Score

10^/10

mystic redline smokeloader breha backdoor evasion infostealer persistence stealer trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

3fa03f784ec205ddfffcf521bd6cdb53b46ad6ed6fd84ec4ecd85c545c8e2edf.exe

Resource

win10v2004-20240412-en

mystic redline smokeloader breha backdoor evasion infostealer persistence stealer trojan

windows10-2004-x64

20 signatures

150 seconds

Malware Config

Extracted

Family

redline

Botnet

breha

C2

77.91.124.55:19071

Targets

- Target
  
  3fa03f784ec205ddfffcf521bd6cdb53b46ad6ed6fd84ec4ecd85c545c8e2edf.exe
- Size
  
  876KB
- MD5
  
  066bb534adef3007b59a440df554a6c6
- SHA1
  
  2bd0c128ee738a1761ada12b9f097b8fa82a49ed
- SHA256
  
  3fa03f784ec205ddfffcf521bd6cdb53b46ad6ed6fd84ec4ecd85c545c8e2edf
- SHA512
  
  4174a8b175a1ba4aa8fd1d9b0bb51224cf6a9b6d6b00a0d08841716a203b540e02d3df6119d0ba6f99beb26a2704bbb7a61b04cefabe6a2d9efe618c2330a97c
- SSDEEP
  
  24576:AykgzpSUtBf1kZd2NqLeHdcOBla4TyouFzZRf3gD:HkWpV1kWHj84eTZR/g
Score

10^/10

mystic redline smokeloader breha backdoor evasion infostealer persistence stealer trojan
- Detect Mystic stealer payload
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Mystic
  Mystic is an infostealer written in C++.
  stealer mystic
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

Windows Service

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Create or Modify System Process

Windows Service

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Impair Defenses

Disable or Modify Tools

Credential Access

Discovery

Query Registry

System Information Discovery

Peripheral Device Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

mysticredlinesmokeloaderbrehabackdoorevasioninfostealerpersistencestealertrojan

© 2018-2024

Terms | Privacy