mystic

General

Target

4d79758e41cd0ffaf6aafe0aad2bd0a0a53f1f3ef3276165651e558e38b41fcc
Size

1.6MB
Sample

231113-mzs5xacc3y
MD5

cfc383f83b8a9cbdf82816d795916b54
SHA1

fe9f626c6e75e2c22cb858be39feb7ad5edc4538
SHA256

4d79758e41cd0ffaf6aafe0aad2bd0a0a53f1f3ef3276165651e558e38b41fcc
SHA512

cc69269e8c637c3da9e6a72fdcc5750349913354c49718d92778d2d169d6657307e5cdfa02ddcef4adb3c69e1d2fcfd1db8432de83febf027d8f0b7f20d1dc02
SSDEEP

24576:0yv4XGzJaxC1lGgeJIsWB3GwaxD6XER75+5Tmzh6a+3+lavDxYYSXE1XON+mX:Dg2lax0Rey1JGR+0Ro5MhB+35v1rp

Score

10^/10

Malware Config

Extracted

Family

redline

Botnet

taiga

C2

5.42.92.51:19057

Targets

- Target
  
  4d79758e41cd0ffaf6aafe0aad2bd0a0a53f1f3ef3276165651e558e38b41fcc
- Size
  
  1.6MB
- MD5
  
  cfc383f83b8a9cbdf82816d795916b54
- SHA1
  
  fe9f626c6e75e2c22cb858be39feb7ad5edc4538
- SHA256
  
  4d79758e41cd0ffaf6aafe0aad2bd0a0a53f1f3ef3276165651e558e38b41fcc
- SHA512
  
  cc69269e8c637c3da9e6a72fdcc5750349913354c49718d92778d2d169d6657307e5cdfa02ddcef4adb3c69e1d2fcfd1db8432de83febf027d8f0b7f20d1dc02
- SSDEEP
  
  24576:0yv4XGzJaxC1lGgeJIsWB3GwaxD6XER75+5Tmzh6a+3+lavDxYYSXE1XON+mX:Dg2lax0Rey1JGR+0Ro5MhB+35v1rp
Score

10^/10

mystic redline taiga google paypal evasion infostealer persistence phishing spyware stealer trojan
- Detect Mystic stealer payload
- Detected google phishing page
  phishing google
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Mystic
  Mystic is an infostealer written in C++.
  stealer mystic
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- .NET Reactor proctector
  Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Windows security modification
  evasion trojan
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Detected potential entity reuse from brand paypal.
  phishing paypal
- Suspicious use of SetThreadContext
behavioral1