mystic | e58f2bba0f9553d4abef7c4f783f0ae225cc8535b83ef40dd8d532bf0c7e6388 | Triage

Submit
Reports

Overview

overview

Static

static

3

dc1b52ebd2...3d.exe

windows10-2004-x64

Sharing

General

Target

b0446b942eb5241dbe2495a3dff98583.bin
Size

563KB
Sample

231112-dft4escf3t
MD5

83df32d188cf3c346e9c3dcccc799ee0
SHA1

88949b369c83e6adfb6b0d12d2e88c326f0bf29b
SHA256

e58f2bba0f9553d4abef7c4f783f0ae225cc8535b83ef40dd8d532bf0c7e6388
SHA512

d545f91a97fb9e5bc0b0a5b89ae694ecab45445ce29a52fb5bbd69bc60469504201d11e69b33a18bf3d08baf67ce49472c26b9522cf78276e33a0930f3cf1f99
SSDEEP

12288:QxmYGtacIj6V25Nu34PYLKOQ1xpsALGeDb2hmaH8CUyEwh+:+mXIeV23u34KKOcpsBvhm+UyP+

Score

10^/10

mystic redline taiga paypal infostealer persistence phishing stealer

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

dc1b52ebd2aecd0df73ca6d9416a0a4907539fae1fb69fabe81da4afa03eac3d.exe

Resource

win10v2004-20231020-en

mystic redline taiga paypal infostealer persistence phishing stealer

windows10-2004-x64

17 signatures

150 seconds

Malware Config

Extracted

Family

redline

Botnet

taiga

C2

5.42.92.51:19057

Targets

- Target
  
  dc1b52ebd2aecd0df73ca6d9416a0a4907539fae1fb69fabe81da4afa03eac3d.exe
- Size
  
  607KB
- MD5
  
  b0446b942eb5241dbe2495a3dff98583
- SHA1
  
  d28dfaa2c39a82197542dd3806d4ab1c84131878
- SHA256
  
  dc1b52ebd2aecd0df73ca6d9416a0a4907539fae1fb69fabe81da4afa03eac3d
- SHA512
  
  e2dbde2c2701fa898945ee3e82ea774372ff675790619f0720221c79c06ff8fe441d5e5c9de2faabf8a50eca07a7f0102648d0e806b2b449e9fdd8a878f570b0
- SSDEEP
  
  12288:mMrVy90k9J81CQog3GhFVYgf9voEGx3oy+z9t2Re65rJob/hGhazc:Xyz9e8QRGh3vebNQt2RBBYgczc
Score

10^/10

mystic redline taiga paypal infostealer persistence phishing stealer
- Detect Mystic stealer payload
- Mystic
  Mystic is an infostealer written in C++.
  stealer mystic
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Detected potential entity reuse from brand paypal.
  phishing paypal
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

mysticredlinetaigapaypalinfostealerpersistencephishingstealer

© 2018-2025

Terms | Privacy