mystic | 20ec427ba72935b1670d44fa8c7e7730505d950a590b927afe59cb1fe294d4d1 | Triage

Submit
Reports

Overview

overview

Static

static

3

1208eb5fce...91.exe

windows10-2004-x64

Sharing

General

Target

0b95dfd58c4db28132451ed369afb485.bin
Size

1.3MB
Sample

231112-bgyf5acb9v
MD5

8595b2243575e6a82c2e54c23ea9088d
SHA1

ff9244c2681b2a3d2232d92562806ac07135c7f7
SHA256

20ec427ba72935b1670d44fa8c7e7730505d950a590b927afe59cb1fe294d4d1
SHA512

342740c7da99735758ec09210495661a38c5c0047086a2964a3260284249c2bd9a94234dd20a0df8a4fe5368cbbbed2a530b1d4faa5b9459dc947b1f145d9ed9
SSDEEP

24576:bSIMI/URLVMmrQrPSoGca+LtPuzLLwMmcl8txnHYcghhnMUftI4Xv+E+:91/UBVMFDg+yLwF74cghmUftIcj+

Score

10^/10

mystic redline taiga paypal infostealer persistence phishing spyware stealer

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

1208eb5fcec2b7c18202685bd7d17706583d6b207bc15242c316cb27a2de2691.exe

Resource

win10v2004-20231020-en

mystic redline taiga paypal infostealer persistence phishing spyware stealer

windows10-2004-x64

18 signatures

150 seconds

Malware Config

Extracted

Family

redline

Botnet

taiga

C2

5.42.92.51:19057

Targets

- Target
  
  1208eb5fcec2b7c18202685bd7d17706583d6b207bc15242c316cb27a2de2691.exe
- Size
  
  1.3MB
- MD5
  
  0b95dfd58c4db28132451ed369afb485
- SHA1
  
  af392d095f93fc50849d3c9f050c9f2c7ed3bcdc
- SHA256
  
  1208eb5fcec2b7c18202685bd7d17706583d6b207bc15242c316cb27a2de2691
- SHA512
  
  064466f1aab68a1fecbe0458a69afe2ec066026309ddc6a2c9556a6aca445173a4a1c1298d6a881fb9778404a42b333e8e7cd9af82c6cd4b3b6489755f6791fe
- SSDEEP
  
  24576:ZyTrbxE4t0ae5IsSCCGeXXDpHOpVLjQ63opRWZ2agMGS3Jbx:MfbjteilZGuMrjQ6cR/arb
Score

10^/10

mystic redline taiga paypal infostealer persistence phishing spyware stealer
- Detect Mystic stealer payload
- Mystic
  Mystic is an infostealer written in C++.
  stealer mystic
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Executes dropped EXE
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Detected potential entity reuse from brand paypal.
  phishing paypal
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

mysticredlinetaigapaypalinfostealerpersistencephishingspywarestealer

© 2018-2025

Terms | Privacy