mystic

Sharing

Copy URL

Twitter E-mail

General

Target

forc.exe_pw_infected.zip
Size

1.6MB
Sample

231111-3atyxaca2y
MD5

092f3dcdf8515813daf31c984d67b298
SHA1

3edc5abd58bc6aedca364cc403dbf223bed987b0
SHA256

0b97349ab62a3582989a397e3bfb760fac9a40c9b1ccd66762becaa4fe9f6240
SHA512

7bdccc578bc622c8150792c7311f227fca5166b2b59689e5aab91256e49ce0d0635831239ccb9559c49a995e2b04726cadcd35be6734a4be0f087197358f8eb0
SSDEEP

49152:FRMcnNZeT/QYhYHBGPtNsk3BnCbCTMG3Gjd:LM4NYT/QYeBGPjBn4CTMcGR

Score

10^/10

Malware Config

Extracted

Family

redline

Botnet

taiga

5.42.92.51:19057

Extracted

Family

mystic

http://5.42.92.43/loghub/master

Targets

- Target
  
  0x0006000000022d82-27
- Size
  
  895KB
- MD5
  
  966bb61b67f2df4c3aee9c816ccf62f0
- SHA1
  
  5265091f55f08db3ad6a3444734f3d952da29be5
- SHA256
  
  568304fbc1788754abb840da009924951af700eaee56cc476808d8c8a1b89a29
- SHA512
  
  56556645684a3eaf498c85244b7232926ee9c9fefd973d2610d070a0b04dddccac9a5d607d44ec9aee0345c192a0d872f4ddf14292df3cbe0c4d61a7acf1c5b9
- SSDEEP
  
  12288:jqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDgaOT2:jqDEvCTbMWu7rQYlBQcBiT6rprG8a22
Score

10^/10

google phishing paypal
- Detected google phishing page
  phishing google
- Detected potential entity reuse from brand paypal.
  phishing paypal
behavioral1 behavioral2 behavioral3
- Target
  
  0x0006000000022d83-182
- Size
  
  276KB
- MD5
  
  9da18462094598c8f3aa4362df1c3a11
- SHA1
  
  8b9babe7903214bb3dd4e6d85dc946f022e51a36
- SHA256
  
  2e20217dcf30dc1859d7ee61dd1d2432173f955adc59d51587af8e606dbadd7a
- SHA512
  
  9e526426933e974e533c2de60bb9685b52b82e4e5e5c8466f515a883335e457812ff6e15d5506279a69483fee8004a480c17a76035d84c9aee0a94d7d481cb0b
- SSDEEP
  
  6144:3KWeIhzyZNGutFgaVg5z2yOht19EvdfcqpD6xqKY/moKavQfKH:3KWewyYBODYFvggdQfK
Score

10^/10

mystic stealer
- Detect Mystic stealer payload
- Mystic
  Mystic is an infostealer written in C++.
  stealer mystic
- Suspicious use of SetThreadContext
behavioral4 behavioral5 behavioral6
- Target
  
  0x0007000000022d5d-278
- Size
  
  624KB
- MD5
  
  2686ac4ee184aa7d3828858ca46484da
- SHA1
  
  3dd1955f6c81bf71d4c5af2be05a45c5642c2294
- SHA256
  
  89639459a0974d1d066ac1c7721890d4c73198c55952c368264956a56e4f5485
- SHA512
  
  d10b7d3b297758cb43abc45088b85822a6f479d8262070f5285fcc75e9c1e4b276ff93a4c54b3949aa639112a850477d42294244dd006a0fde11778bc39980a4
- SSDEEP
  
  12288:PKWewyw2dX0HWhWwTZ56Hfnrn9dQCi8y2hmB9bnjqvcOnMaN2VyK:m02dXHV5GxdQr8ronROnL
Score

6^/10

spyware
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Suspicious use of SetThreadContext
behavioral7 behavioral8 behavioral9
- Target
  
  0x0007000000022d6c-248
- Size
  
  315KB
- MD5
  
  90f917f67243bc0de6565d04b7659115
- SHA1
  
  7d7238641a645652dee1616eeaae243ed7222753
- SHA256
  
  42c8dbd8bbf726eb4e1df943867a71d5fdc33647d0994dd07335f61dfa334bd9
- SHA512
  
  5b691f850fb1d08d1bebc2ed37a6684a39fb61b52d3f652b37872cea55813ab626d32b545496a7012930c06aa5f1c138ee262a7dfa6b22123f213e4ecfbb9b8c
- SSDEEP
  
  3072:nBDKjKe4hrdze4XmuWdNa7+XednUeYV+xdSejT7a3u4m66MUlKczDGZ0w6R8QHaD:xKWeIhzyZNGuWj/OTLiR8e/I0WIlKH
Score

10^/10

redline taiga infostealer
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Suspicious use of SetThreadContext
behavioral10 behavioral11 behavioral12
- Target
  
  0x0007000000022d7e-20
- Size
  
  656KB
- MD5
  
  8bc0ffc145c52a896ed8d8e2f7ca412c
- SHA1
  
  50d345a2ddc1121fbea5316664ceff4315963bd4
- SHA256
  
  6d8581f717f7e4d8414d61dca0970e4ce60b987c0f2d3f5aedc015f72bd27232
- SHA512
  
  27d1ddee77e023238f2d356c47bd6697ed96ec49123cb550e7bb689ce2014b85ae8f5f1fb101517d0b119415bbb8957683c9b6fc8b43d9485b27d7b3aa656167
- SSDEEP
  
  12288:NMrly90V0NA0H7Gae/4IC50pCCHGN0PLvYMXiYQbDL6q/nVby24F:UyIiaaewIsgCQGIgYDw/A2c
Score

10^/10

mystic google persistence phishing stealer paypal
- Detect Mystic stealer payload
- Detected google phishing page
  phishing google
- Mystic
  Mystic is an infostealer written in C++.
  stealer mystic
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Detected potential entity reuse from brand paypal.
  phishing paypal
- Suspicious use of SetThreadContext
behavioral13 behavioral14 behavioral15

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

Detected google phishing page

Detected potential entity reuse from brand paypal.

Detect Mystic stealer payload

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of SetThreadContext

RedLine

RedLine payload

Suspicious use of SetThreadContext

Detect Mystic stealer payload

Detected google phishing page

Mystic

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

AutoIT Executable

Detected potential entity reuse from brand paypal.

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15