MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0b3223083eaa3ebc47f2f4a941f772266491e54760d438659af6f49268bfc1e2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MysticStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0b3223083eaa3ebc47f2f4a941f772266491e54760d438659af6f49268bfc1e2
SHA3-384 hash: 0498ac2d349c0bf0872454a9c2496d64577c3a89838e2c87ba416e66f02b43fab3b8c611f645eb00e2fcf221e29ecf08
SHA1 hash: 8144ff421541a655dbf4800602ff899e81f5215c
MD5 hash: 23ac2c404baeb9f12324358b0b763274
humanhash: alpha-artist-sad-zebra
File name:file
Download: download sample
Signature MysticStealer
Create hunting rule
File size:350'208 bytes
First seen:2023-09-13 14:00:09 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 35646f486d46399590ccfc4635584429 (28 x RedLineStealer, 5 x MysticStealer, 3 x Smoke Loader)
ssdeep 6144:M+liKL/yfYb5B+BO99c0s0ZVtAORgeU0E+dBUBJNnMACb+a/6ZJ2Ey+q8E1pXIE9:Nl//yfYb5BIQZVtvc0NudaaUd9
Threatray 466 similar samples on MalwareBazaar
TLSH T141749D0378D59072D9A31A344EE7D7B709BDB8714B91BEEF57801A2ACFA06D2D730642
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter andretavare5
Tags:exe MysticStealer


Avatar
andretavare5
Sample downloaded from http://77.91.68.238/love/no230.exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
290
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-09-13 14:01:45 UTC
Tags:
stealc stealer
Link:
https://app.any.run/tasks/da82b37d-79ee-4ff2-a7af-a324115bfbea

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/448405/
Detection(s):
SecuriteInfo.com.Win32.CrypterX-gen.21060.15699.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Сreating synchronization primitives
Creating a file in the %temp% directory
Unauthorized injection to a system process
Gathering data
Verdict:
No Threat
Threat level:
  10/10
Confidence:
100%
Tags:
control greyware lolbin
Link:
https://www.filescan.io/uploads/6501c09e9bae8a378555727f/reports/9f56030f-1067-4adc-a8ec-d1c01e2d52e2/overview
Verdict:
Malicious
Labled as:
Lazy.Generic
Link:
https://www.hybrid-analysis.com/sample/0b3223083eaa3ebc47f2f4a941f772266491e54760d438659af6f49268bfc1e2
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4d5e8136-f31d-4dee-8768-a8f214011a3c
Result
Threat name:
Mystic Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1308156
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Contains functionality to inject code into remote processes
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Yara detected Mystic Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0b3223083eaa3ebc47f2f4a941f772266491e54760d438659af6f49268bfc1e2/
Threat name:
Win32.Trojan.CrypterX
Create hunting rule
Status:
Malicious
First seen:
2023-09-13 14:01:05 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
9 of 23 (39.13%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bmzcgcb6vi7lyr7s6suud53sezsjdzkhmdkdqzm2632je2f7yhra._file
Verdict:
malicious
Similar samples:
147c14a6ee47d73dcfaad142dd47e180a00f6a7c31bc8ffa6f233519fab1d594
MysticStealer
17e9943c01ded30ef2334a1c43f3c38206e824fb6e4be3db4bf75745350a584e
MysticStealer
5891b75cbd95202a3fb0f13c8db03ed77954597f35298fc89e04a70714717768
MysticStealer
79039f6afc98e7200b02000f9bfca78bbb332d19034734ee89b2dd3ece87fa17
MysticStealer
8bddf5692870039eab6cd7d3e179c62b4802b2df9b51986e99c3bc6dcf3c025b
MysticStealer
a1d81d22551ba0d1149b5e2e0de18870ac73e90aaf36f6c52ae6edea0d084814
MysticStealer
ce1a8d6d6d69ef76b01ad35d455588034b39c7f89464c1c83bead936d2b433d9
MysticStealer
fa6ca34a7b4ca335c3456aeaac237fb2257e820accb5a2f09fcaff5df7035dfb
MysticStealer
+ 456 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/230913-rbh29afa48/
Behaviour
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
a1b57164515e9b99cd5f81828edede575cb99613db08fa0ebed662aaa6399d64
MD5 hash:
4dedb29e4796d9c5d7454715aec2fdc4
SHA1 hash:
4c3e0853dd83d7fe493675700bb8e8375b96cad8
Link:
https://www.unpac.me/results/57337b88-d516-4fb3-9ac2-dcc0d787b430/
SH256 hash:
0b3223083eaa3ebc47f2f4a941f772266491e54760d438659af6f49268bfc1e2
MD5 hash:
23ac2c404baeb9f12324358b0b763274
SHA1 hash:
8144ff421541a655dbf4800602ff899e81f5215c
Link:
https://www.unpac.me/results/57337b88-d516-4fb3-9ac2-dcc0d787b430/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/0b3223083eaa/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0b3223083eaa3ebc47f2f4a941f772266491e54760d438659af6f49268bfc1e2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AppLaunch
Create hunting rule
Author:iam-py-test
Description:Detect files referencing .Net AppLaunch.exe
Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:NET
Create hunting rule
Author:malware-lu

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/448405/

Comments