MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 17874d042ca52b918e577180116a6ba514ac9b28f78b93390c15667bfbd907b7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

MysticStealer

Vendor detections: 11

Intelligence 11 IOCs YARA 7 File information Comments

SHA256 hash:	17874d042ca52b918e577180116a6ba514ac9b28f78b93390c15667bfbd907b7
SHA3-384 hash:	8f293300963db31220d79e1c76484f0b4aa00a0e88f72da3838e203c41cee22aaa5ccafa7cc808d468cad855dcc90681
SHA1 hash:	8d72a34764bcf7a44b9d2ab4a0223b7c0f6f18c1
MD5 hash:	25a5da3833b888c1d7ca822dc58473d4
humanhash:	vegan-nitrogen-texas-music
File name:	SecuriteInfo.com.Heuristic.HEUR.AGEN.1303827.31705.7328
Download:	download sample
Signature	MysticStealer Create hunting rule
File size:	717'176 bytes
First seen:	2023-09-21 13:40:13 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f15d7c61281219835473a0dcb1929653 (35 x MysticStealer, 5 x RedLineStealer, 3 x Smoke Loader)
ssdeep	6144:t6vGALXgBEIy8wluzNcq/PVucQpvPy0LhjTpsltNI2wDOjhGMdG3LZ0cfzzvfr:wHXgFysVucQpxj9GXwDOkMdGGcfPr
Threatray	224 similar samples on MalwareBazaar
TLSH	T155E49F2074A4C1B1DDE730BE5EDCB63256BCE4F0074895CB17D81FFAD6606C0A6366AA
TrID	32.2% (.EXE) Win64 Executable (generic) (10523/12/4) 20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 15.4% (.EXE) Win16 NE executable (generic) (5038/12/1) 13.7% (.EXE) Win32 Executable (generic) (4505/5/1) 6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter	SecuriteInfoCom
Tags:	exe MysticStealer

Intelligence

File Origin

# of uploads :

# of downloads :

271

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SecuriteInfo.com.Heuristic.HEUR.AGEN.1303827.31705.7328

Verdict:

Malicious activity

Analysis date:

2023-09-21 13:45:53 UTC

Tags:

stealc stealer

Link:

https://app.any.run/tasks/bce6fd04-1d99-4071-a613-aee9f0f89c5a

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/450377/

Detection(s):

SecuriteInfo.com.Heuristic.HEUR.AGEN.1303827.31705.7328.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Searching for the window

Gathering data

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

greyware masquerade overlay packed

Link:

https://www.filescan.io/uploads/650c47f133582f234efe7dab/reports/e5c05a6f-b801-48ae-916e-ab2da1462bea/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_90%

Link:

https://www.hybrid-analysis.com/sample/17874d042ca52b918e577180116a6ba514ac9b28f78b93390c15667bfbd907b7

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Sysinternals

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/2d44109e-f769-47cd-ba48-6f74f0f9f2c4

Result

Threat name:

Mystic Stealer

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1312307

Signature

Allocates memory in foreign processes

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Found malware configuration

Injects a PE file into a foreign processes

Multi AV Scanner detection for submitted file

Writes to foreign memory regions

Yara detected Mystic Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/17874d042ca52b918e577180116a6ba514ac9b28f78b93390c15667bfbd907b7/

Threat name:

Win32.Trojan.MysticStealer

Status:

Malicious

First seen:

2023-09-21 13:41:07 UTC

File Type:

PE (Exe)

AV detection:

19 of 23 (82.61%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=c6du2bbmuuvzddsxogabc2tluukkzgzi66fzgoimcvthx66za63q._file

Verdict:

unknown

MysticStealer

3c9d50d6791011c6b0c5e8496f6764bafbd43a7a5d7d066339f5d2934b2e92e7

MysticStealer

41127a0dd4f3be76754f36402f6a1cf140927a76b1ab17e4fae8316667732325

MysticStealer

4adce3703406ddd76f486198dcc8932b1ad17119e77340543dfc347e705adb88

MysticStealer

61869767e1899f64864c266ce0bb34bdb6e3db7ce39627d307d8ba851bd9521e

MysticStealer

82ce3787697876604a28b268e23f49fd5a2feb5a5d472fbc8232e26f244d8b2e

MysticStealer

c24740dcd219e014f566641c26b8b67864156d4e915867fa37d93d0b514f871a

MysticStealer

ce15ea12f4f64cc602840302cf2a82169bb65746787cd9d0eadd58b45a5ab8d1

MysticStealer

ce8c9483ccfee44272881aa17481ac3928048ab93e9de22e60e339c4c348efd0

MysticStealer

e3cb5911ee3e585999a4e90ab561746e1704b590d0b5422a6fac0dbfe10b0f1a

MysticStealer

+ 214 additional samples on MalwareBazaar

Result

Malware family:

mystic

Score:

10/10

Tags:

family:mystic stealer

Link:

https://tria.ge/reports/230921-qy4f2aac68/

Behaviour

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of SetThreadContext

Mystic

Unpacked files

SH256 hash:

bb30309eb812ec97ec2a42016a9a027c488e684cda876f92e9ff64a687550679

MD5 hash:

4d48f9fec6414a537c4bcec69a185d69

SHA1 hash:

49993349e3d9b8de4cb4add65dc5131d1e7d1cd3

Link:

https://www.unpac.me/results/035bac0b-0e39-46ff-babd-38c990b4f910/

SH256 hash:

17874d042ca52b918e577180116a6ba514ac9b28f78b93390c15667bfbd907b7

MD5 hash:

25a5da3833b888c1d7ca822dc58473d4

SHA1 hash:

8d72a34764bcf7a44b9d2ab4a0223b7c0f6f18c1

Link:

https://www.unpac.me/results/035bac0b-0e39-46ff-babd-38c990b4f910/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/17874d042ca5/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.91

Link:

https://yomi.yoroi.company/submissions/17874d042ca52b918e577180116a6ba514ac9b28f78b93390c15667bfbd907b7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	PE_Potentially_Signed_Digital_Certificate Create hunting rule
Author:	albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/450377/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample