mystic | b4bf15b8ec19f52c7e48ebfdd1fc298b81c344a66ced797b747ced364160b3e2 | Triage

Sharing

General

Target

b4bf15b8ec19f52c7e48ebfdd1fc298b81c344a66ced797b747ced364160b3e2N
Size

1.3MB
Sample

241027-pwk18sxeng
MD5

ddd0ccccdae6c3029264f6c8c590f740
SHA1

d571de3c5685afecccadb4b986396c2b71d0319b
SHA256

b4bf15b8ec19f52c7e48ebfdd1fc298b81c344a66ced797b747ced364160b3e2
SHA512

266c1de909a8e31075c81fdb0438b8a323a22ffb81f770a7828b4d7389be51c3ebb79f94490c697f69f2b807ccf947ffc2bf1dcb869a6913725fbdfc8ac43ae5
SSDEEP

24576:uy/HWQpuiWicr7jYdiLnpaT263Xh+d1XrflaXYF229a0VAvvnVzEupkq5Bc:9/HppuiajU+M3kfjl59a0VMaupk

Score

10^/10

mystic redline smokeloader breha backdoor discovery evasion infostealer persistence stealer trojan

Malware Config

Extracted

Family

mystic

C2

http://5.42.92.211/

Extracted

Family

redline

Botnet

breha

C2

77.91.124.55:19071

Targets

- Target
  
  b4bf15b8ec19f52c7e48ebfdd1fc298b81c344a66ced797b747ced364160b3e2N
- Size
  
  1.3MB
- MD5
  
  ddd0ccccdae6c3029264f6c8c590f740
- SHA1
  
  d571de3c5685afecccadb4b986396c2b71d0319b
- SHA256
  
  b4bf15b8ec19f52c7e48ebfdd1fc298b81c344a66ced797b747ced364160b3e2
- SHA512
  
  266c1de909a8e31075c81fdb0438b8a323a22ffb81f770a7828b4d7389be51c3ebb79f94490c697f69f2b807ccf947ffc2bf1dcb869a6913725fbdfc8ac43ae5
- SSDEEP
  
  24576:uy/HWQpuiWicr7jYdiLnpaT263Xh+d1XrflaXYF229a0VAvvnVzEupkq5Bc:9/HppuiajU+M3kfjl59a0VMaupk
Score

10^/10

mystic redline smokeloader breha backdoor discovery evasion infostealer persistence stealer trojan
- Detect Mystic stealer payload
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Mystic
  Mystic is an infostealer written in C++.
  stealer mystic
- Mystic family
  mystic
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Redline family
  redline
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Smokeloader family
  smokeloader
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

mysticredlinesmokeloaderbrehabackdoordiscoveryevasioninfostealerpersistencestealertrojan