mystic | a9aa8d9cc16c47c491e3fd152af49bdd40b70bba39f365fe0471707e7c11e34b | Triage

Submit
Reports

Overview

overview

Static

static

3

bb32ea7d56...c6.exe

windows10-2004-x64

Sharing

General

Target

ac306b384e51e4e70c374d6cfaf43bb9.bin
Size

1.2MB
Sample

231114-c8tspagb3y
MD5

ce53de1b3bdbf119817285ffa2a6a9a0
SHA1

8226e26f2e3fd4cf1d60702d062967f7803c5fbb
SHA256

a9aa8d9cc16c47c491e3fd152af49bdd40b70bba39f365fe0471707e7c11e34b
SHA512

b834167c4795baad096e86aad7e0d600339659fa607ec2e6f47862094805eedaa257c2c3ce4e18d58c52c2ab2312e569c58c4a7526f3ab2c9486e009cd3e96e7
SSDEEP

24576:GytMzvc5Ivz9TSb9oNGexqENyaWxlIIy97yU1P69kroV3sks0P:Gyt6E5I79TSSvDoXypv/oVR

Score

10^/10

mystic redline taiga paypal infostealer persistence phishing spyware stealer

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

bb32ea7d56902a74dc94787ab68593ef8eef937157e9cdd50eac8fcf2f36dac6.exe

Resource

win10v2004-20231020-en

mystic redline taiga paypal infostealer persistence phishing spyware stealer

windows10-2004-x64

19 signatures

150 seconds

Malware Config

Extracted

Family

redline

Botnet

taiga

C2

5.42.92.51:19057

Targets

- Target
  
  bb32ea7d56902a74dc94787ab68593ef8eef937157e9cdd50eac8fcf2f36dac6.exe
- Size
  
  1.3MB
- MD5
  
  ac306b384e51e4e70c374d6cfaf43bb9
- SHA1
  
  e39453aeb15b662ff2e946b7fe72dd0e69a7a73a
- SHA256
  
  bb32ea7d56902a74dc94787ab68593ef8eef937157e9cdd50eac8fcf2f36dac6
- SHA512
  
  435688a7668c3f09490e49b92e3da471f58883f84e60868ac72cb1c340bb6d02444535142effbe6205b58d1d7fc8853c977568f7560008625347a2b79a88a695
- SSDEEP
  
  24576:Dye30QZcF5h3/M0QZ3eae9IshCMGGCdD8bDdN+TKf0EhxTYnOKjVgQ9FDfEUpeRb:We3gTrQ9neu4JGbaz3YO099FDL
Score

10^/10

mystic redline taiga paypal infostealer persistence phishing spyware stealer
- Detect Mystic stealer payload
- Mystic
  Mystic is an infostealer written in C++.
  stealer mystic
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Executes dropped EXE
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Detected potential entity reuse from brand paypal.
  phishing paypal
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

mysticredlinetaigapaypalinfostealerpersistencephishingspywarestealer

© 2018-2025

Terms | Privacy