mystic | d4e27a41b35f51b9321900005c3756709528106589c243985388da67b235a965 | Triage

Submit
Reports

Overview

overview

Static

static

3

dridex

windows10-2004-x64

Sharing

General

Target

d4e27a41b35f51b9321900005c3756709528106589c243985388da67b235a965
Size

1.1MB
Sample

231113-pr7pfada74
MD5

f7cc460709084241dad1d356f42a9b35
SHA1

5fd54d8667e92f740e3f3aa43a94555dd54b1454
SHA256

d4e27a41b35f51b9321900005c3756709528106589c243985388da67b235a965
SHA512

268feb2974f85ee1b16c9474ccd50495e7209e1df59e24f93764256c059d7590995229046c53739e1cd81225d38248985c4aae9a7d759858e983d925c5a3fc07
SSDEEP

24576:Wy27ihXkOL5rMfH9arGyXs/KkvRPkWBxae8nsy9lD4:l27ixkOLsa94RPkWnGD

Score

10^/10

mystic redline taiga evasion infostealer persistence spyware stealer trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

d4e27a41b35f51b9321900005c3756709528106589c243985388da67b235a965.exe

Resource

win10v2004-20231023-en

mystic redline taiga evasion infostealer persistence spyware stealer trojan

windows10-2004-x64

15 signatures

150 seconds

Malware Config

Extracted

Family

redline

Botnet

taiga

C2

5.42.92.51:19057

Targets

- Target
  
  d4e27a41b35f51b9321900005c3756709528106589c243985388da67b235a965
- Size
  
  1.1MB
- MD5
  
  f7cc460709084241dad1d356f42a9b35
- SHA1
  
  5fd54d8667e92f740e3f3aa43a94555dd54b1454
- SHA256
  
  d4e27a41b35f51b9321900005c3756709528106589c243985388da67b235a965
- SHA512
  
  268feb2974f85ee1b16c9474ccd50495e7209e1df59e24f93764256c059d7590995229046c53739e1cd81225d38248985c4aae9a7d759858e983d925c5a3fc07
- SSDEEP
  
  24576:Wy27ihXkOL5rMfH9arGyXs/KkvRPkWBxae8nsy9lD4:l27ixkOLsa94RPkWnGD
Score

10^/10

mystic redline taiga evasion infostealer persistence spyware stealer trojan
- Detect Mystic stealer payload
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Mystic
  Mystic is an infostealer written in C++.
  stealer mystic
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- .NET Reactor proctector
  Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
- Executes dropped EXE
- Windows security modification
  evasion trojan
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

mysticredlinetaigaevasioninfostealerpersistencespywarestealertrojan

© 2018-2025

Terms | Privacy