MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 209c2d7ecfde3fa3b6b93f4270d7fd57ba37accc202f5a2ff518b1895e29cd8e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MysticStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 209c2d7ecfde3fa3b6b93f4270d7fd57ba37accc202f5a2ff518b1895e29cd8e
SHA3-384 hash: c8939adf3c668b058913ed29f0dfcf5ff379567981d75a0cb3d5b55d0ccb7f77cc4ef1d7cb79dda99c47ee471947f1be
SHA1 hash: e103553c8f6ef7d05b2702e51a97ffcd539be4d3
MD5 hash: 148a3aee3ea8c0c9973daf8912e6e2be
humanhash: illinois-magazine-nebraska-triple
File name:148a3aee3ea8c0c9973daf8912e6e2be
Download: download sample
Signature MysticStealer
Create hunting rule
File size:1'909'248 bytes
First seen:2023-10-23 13:46:01 UTC
Last seen:2023-10-23 15:33:09 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 037522269f8348aa17add864631a3f22 (6 x MysticStealer, 4 x Smoke Loader, 2 x Formbook)
ssdeep 24576:trsAfSYqe7E9k7d+WNO6a9Dhvh6mJV3I:ttqe7E9rW06a3vlJV3
Threatray 326 similar samples on MalwareBazaar
TLSH T1C4953C1176F92B59F9F30FB85ABAA711487AFC6A8F11C2DF1258504E0C35AD09970B3B
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter zbetcheckin
Tags:32 exe MysticStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
300
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
148a3aee3ea8c0c9973daf8912e6e2be
Verdict:
Malicious activity
Analysis date:
2023-10-23 13:51:03 UTC
Tags:
stealc stealer
Link:
https://app.any.run/tasks/73d043bd-db0f-4856-aa59-b7a7d212178a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.18704.18638.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Сreating synchronization primitives
Unauthorized injection to a system process
Gathering data
Verdict:
No Threat
Threat level:
  2.5/10
Confidence:
100%
Tags:
control greyware lolbin
Link:
https://www.filescan.io/uploads/6536791bc2a76fbfed322fb7/reports/1812bc00-a1eb-4646-b2d6-6f9936bc08f1/overview
Verdict:
Malicious
Labled as:
Trojan/Injector.bdh
Link:
https://www.hybrid-analysis.com/sample/209c2d7ecfde3fa3b6b93f4270d7fd57ba37accc202f5a2ff518b1895e29cd8e
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a6364da1-23ce-4f0f-b42c-f006ce193d51
Result
Threat name:
Mystic Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/1330620
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Found malware configuration
Injects a PE file into a foreign processes
Writes to foreign memory regions
Yara detected Mystic Stealer
Behaviour
Behavior Graph:
Download SVG
Score:
97%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/209c2d7ecfde3fa3b6b93f4270d7fd57ba37accc202f5a2ff518b1895e29cd8e
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/209c2d7ecfde3fa3b6b93f4270d7fd57ba37accc202f5a2ff518b1895e29cd8e/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-10-23 14:03:35 UTC
AV detection:
18 of 22 (81.82%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ecoc27wp3y72hnvzh5bhbv75k65dplgmeaxvul7vdcyysxrjzwha._file
Verdict:
malicious
Similar samples:
126c0f9959aa4a01bb5e8254b72b4bac370a12cddded7d815ea09b0894f1ee59
MysticStealer
32fc4939b1ccdd7f7ea0feecb05df65bb4f677961c2f70f5ed7fe26ff081b7d1
MysticStealer
78075b4f4be5aef18593b0fe52478c1bb3e561b0322909b3ba2fb0d4ac866be7
MysticStealer
8c01f096725d70248403986433a2052358112499578c1e5ce68b1363709434bd
MysticStealer
8f231e1ecb926bcf798ec71235260e119e23046e1bb041bc597b8ff2f9ac7b86
MysticStealer
9042afcab837d06d2b0372e15c2b981c253b32e0b0f5e6e2cd57d52c77ba3ce6
MysticStealer
a34c93ea0b22c36b5f59a7971494af06187d95c9f9e5c80723f4de4d651d5345
MysticStealer
af57e0f87312aedf0fe588dc08e4f5453b5ce31bbaa64b9f7b4033261e279a9e
MysticStealer
b224a6c44c1ba5e49b40fc9f5176d6ad1719031f0312d85650174dc29c88276e
MysticStealer
b857534dee49e9485913b54161cfd20ce3a26ebb1b4d4d73a13d88d94bbe017b
MysticStealer
+ 316 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/231023-q2ypysba45/
Behaviour
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
a0330d75df7075206cf68d358e3acfc621062f35db43c2521b8ef5e7c9f317f1
MD5 hash:
0635bc911c5748d71a4aed170173481e
SHA1 hash:
6d92ff8b519e4a10759f75f3b3d9e1459ed4ff1b
Link:
https://www.unpac.me/results/d7f40530-f833-426e-880b-732eff2bf472/
SH256 hash:
209c2d7ecfde3fa3b6b93f4270d7fd57ba37accc202f5a2ff518b1895e29cd8e
MD5 hash:
148a3aee3ea8c0c9973daf8912e6e2be
SHA1 hash:
e103553c8f6ef7d05b2702e51a97ffcd539be4d3
Link:
https://www.unpac.me/results/d7f40530-f833-426e-880b-732eff2bf472/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:NET
Create hunting rule
Author:malware-lu

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

MysticStealer

Executable exe 209c2d7ecfde3fa3b6b93f4270d7fd57ba37accc202f5a2ff518b1895e29cd8e

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2723295/

Comments


Avatar
zbet commented on 2023-10-23 13:46:02 UTC

url : hxxp://77.91.68.249/fuza/nalo.exe