mystic | e6aa20368721aeec8e64beff67d53f56dfac03e8febb3a4e093ff176406cdd70 | Triage

Submit
Reports

Overview

overview

Static

static

3

415bc14784...f2.exe

windows10-2004-x64

Sharing

General

Target

a56d4229df13e8297b82f3c974e74660.bin
Size

1.3MB
Sample

231113-c475hsfg7w
MD5

de7e5ac1fa8f40a2ec8158ad8af3441c
SHA1

401ac45ae08eb47b330ed7856b5d9e89cf26903a
SHA256

e6aa20368721aeec8e64beff67d53f56dfac03e8febb3a4e093ff176406cdd70
SHA512

78a9ee8ccf6e0bb27b70d7b2f3372e2be31454f4b789bd5b206c0089850d089cdd860e8eb9df7a61799a01989b823c34bf3fea12c26425fcbd22974c65dc8148
SSDEEP

24576:dKUkoRt0jVL7W40SFr6tlg4wdZ+ljfeS8c7NiTNTMa9yg9mjRS:dKUkOI1aOZ0eHAQTMaQgwjRS

Score

10^/10

mystic redline taiga paypal infostealer persistence phishing spyware stealer

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

415bc147845345d629141179ad0997b55e1f50b6c6a73d35168254e89932d7f2.exe

Resource

win10v2004-20231023-en

mystic redline taiga paypal infostealer persistence phishing spyware stealer

windows10-2004-x64

18 signatures

150 seconds

Malware Config

Extracted

Family

redline

Botnet

taiga

C2

5.42.92.51:19057

Targets

- Target
  
  415bc147845345d629141179ad0997b55e1f50b6c6a73d35168254e89932d7f2.exe
- Size
  
  1.3MB
- MD5
  
  a56d4229df13e8297b82f3c974e74660
- SHA1
  
  15895825cc3c1733bcd73e04c6f1a01da7f44ecd
- SHA256
  
  415bc147845345d629141179ad0997b55e1f50b6c6a73d35168254e89932d7f2
- SHA512
  
  9f9211bc8c2fd538f9627052b555f53cab669ec7e41485294c0bdc9573264cabd0ec93b865468f2cc3788416b18e46ac3e3b556863fa365bcdf07bb9af722348
- SSDEEP
  
  24576:myeEJn2bHOtaewIsnClGsWGDE9O24ukaVXwo0gu9Yw1M0xj1tlkHbNNBjWV:1eEJ2Soe3mMGC8RkaXwodw1MS7lk7NNo
Score

10^/10

mystic redline taiga paypal infostealer persistence phishing spyware stealer
- Detect Mystic stealer payload
- Mystic
  Mystic is an infostealer written in C++.
  stealer mystic
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Executes dropped EXE
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Detected potential entity reuse from brand paypal.
  phishing paypal
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

mysticredlinetaigapaypalinfostealerpersistencephishingspywarestealer

© 2018-2025

Terms | Privacy