mystic | 2c5f03af869d1d37d9492e0773ac9370dbbbb7f98ef143d01eaab2c0664bb935 | Triage

Sharing

General

Target

2c5f03af869d1d37d9492e0773ac9370dbbbb7f98ef143d01eaab2c0664bb935
Size

1.0MB
Sample

240817-y5jzzaxfjp
MD5

db4a23dcf72244c48018e9fe9d9adf62
SHA1

9e7e5e1e2061917685b60e7b14d72379a31d9884
SHA256

2c5f03af869d1d37d9492e0773ac9370dbbbb7f98ef143d01eaab2c0664bb935
SHA512

4dd419dedc5b03460e2a236bcd91ce726d08b1a8753bf7da216ff9b15655f2c8aa2f25ebc9e04fa1f1b2c82196d6cd14f108b0a0674e6e348520679e2ff60955
SSDEEP

24576:PyN08Cw6700HN8mkhicALPpKaSRuWyS6xDoevxM9w6KiT3n0:aNtu00tCQ2/ypoeay6KiTX

Score

10^/10

mystic redline smokeloader grome backdoor discovery evasion infostealer persistence stealer trojan

Malware Config

Extracted

Family

redline

Botnet

grome

C2

77.91.124.86:19084

Targets

- Target
  
  2c5f03af869d1d37d9492e0773ac9370dbbbb7f98ef143d01eaab2c0664bb935
- Size
  
  1.0MB
- MD5
  
  db4a23dcf72244c48018e9fe9d9adf62
- SHA1
  
  9e7e5e1e2061917685b60e7b14d72379a31d9884
- SHA256
  
  2c5f03af869d1d37d9492e0773ac9370dbbbb7f98ef143d01eaab2c0664bb935
- SHA512
  
  4dd419dedc5b03460e2a236bcd91ce726d08b1a8753bf7da216ff9b15655f2c8aa2f25ebc9e04fa1f1b2c82196d6cd14f108b0a0674e6e348520679e2ff60955
- SSDEEP
  
  24576:PyN08Cw6700HN8mkhicALPpKaSRuWyS6xDoevxM9w6KiT3n0:aNtu00tCQ2/ypoeay6KiTX
Score

10^/10

mystic redline smokeloader grome backdoor discovery evasion infostealer persistence stealer trojan
- Detect Mystic stealer payload
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Mystic
  Mystic is an infostealer written in C++.
  stealer mystic
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

mysticredlinesmokeloadergromebackdoordiscoveryevasioninfostealerpersistencestealertrojan