MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 247f6e76bc4ecf62e34d929c0ab37c30530b78c52a742743f74204fa7f80265e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

MysticStealer

Vendor detections: 12

Intelligence 12 IOCs YARA 7 File information Comments

SHA256 hash:	247f6e76bc4ecf62e34d929c0ab37c30530b78c52a742743f74204fa7f80265e
SHA3-384 hash:	bc0f9f89351575e18913b40393b8eaa15c027a634d9eed5ba0fd2bbaf1d61266382be9c2af06ef0d9049bd1554cb1be0
SHA1 hash:	51f89fa4c7b060ce6407a5af39b6bf2d12064340
MD5 hash:	c4f578121a8dd41ade334be1ed14c883
humanhash:	burger-golf-three-social
File name:	file
Download:	download sample
Signature	MysticStealer Create hunting rule
File size:	717'176 bytes
First seen:	2023-09-21 22:00:09 UTC
Last seen:	2023-09-21 22:31:02 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f15d7c61281219835473a0dcb1929653 (35 x MysticStealer, 5 x RedLineStealer, 3 x Smoke Loader)
ssdeep	6144:N6vGALXgBEIy8wluzNcq/PVucQpZU7VwokfEOAX1YwO62KGCvK0qvfr:gHXgFysVucQp4VwoxvXWG2KPFWr
Threatray	263 similar samples on MalwareBazaar
TLSH	T11BE49D25389046B2EFE228B646ECBB3545FDD0F0475659DB03D90FFFD2206C1AA3259A
TrID	32.2% (.EXE) Win64 Executable (generic) (10523/12/4) 20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 15.4% (.EXE) Win16 NE executable (generic) (5038/12/1) 13.7% (.EXE) Win32 Executable (generic) (4505/5/1) 6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter	andretavare5
Tags:	exe MysticStealer

andretavare5

Sample downloaded from http://77.91.68.238/love/no230.exe

Intelligence

File Origin

# of uploads :

# of downloads :

294

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

file

Verdict:

Malicious activity

Analysis date:

2023-09-22 09:25:00 UTC

Tags:

stealc stealer

Link:

https://app.any.run/tasks/7cf8b35a-b5f9-47ee-952b-8b6bbf19cbd7

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/450505/

Detection(s):

SecuriteInfo.com.Trojan.Inject4.61280.18621.14520.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Gathering data

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

greyware overlay packed

Link:

https://www.filescan.io/uploads/650cbd200870810f0183ff53/reports/c6b72371-67fa-41ed-aeff-8a7080d8ff6c/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/247f6e76bc4ecf62e34d929c0ab37c30530b78c52a742743f74204fa7f80265e

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

RedLine stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/82f94962-48af-410f-9b18-2da2cb536368

Result

Threat name:

Mystic Stealer

Detection:

malicious

Classification:

troj.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/1312658

Signature

Allocates memory in foreign processes

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Contains functionality to inject code into remote processes

Found stalling execution ending in API Sleep call

Injects a PE file into a foreign processes

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Writes to foreign memory regions

Yara detected Mystic Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/247f6e76bc4ecf62e34d929c0ab37c30530b78c52a742743f74204fa7f80265e/

Threat name:

Win32.Trojan.MysticStealer

Status:

Malicious

First seen:

2023-09-21 22:01:07 UTC

File Type:

PE (Exe)

AV detection:

19 of 23 (82.61%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=er7w45v4j3hwfy2nskoavm34gbjqw6gffj2coq7xiicpu74aezpa._file

Verdict:

unknown

MysticStealer

710e50bedb77792743e3e5389f609110ea064c3fe50cd1e35242b9db53101a0c

MysticStealer

969858a1d4ca4c9fcc44f5d3a688bd460c9fe118f2b854e03640c5c2a4f78fa5

MysticStealer

c4e0cb607d432343219b41d78c2ec5dd75cd61337e01004ddbd2a25678afd2f2

MysticStealer

d65457967ab5ef2ac43c210821d99a3ccdfe8fdc07c7eedb79c577ac06aaac84

MysticStealer

d8c3fa92ed236454106a3392ce00dd820c8b69f284f293603240ffb1a5a593a3

MysticStealer

e3cabefa48d70d737194e71275e2ecba91380dc6af1e4b0615d7e05e3499c8c9

MysticStealer

e3cb5911ee3e585999a4e90ab561746e1704b590d0b5422a6fac0dbfe10b0f1a

MysticStealer

fb536e35b2dffa546ddc963fe30734746b7aee6abb7c6ce1553c38db97c37377

MysticStealer

fe265258046223bb8f78e71ac0ed7a498650229971ec3c59089b930893c21c19

MysticStealer

+ 253 additional samples on MalwareBazaar

Result

Malware family:

mystic

Score:

10/10

Tags:

family:mystic stealer

Link:

https://tria.ge/reports/230921-1w7qsaag3y/

Behaviour

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of SetThreadContext

Mystic

Unpacked files

SH256 hash:

181b3a2ecf70826f833d5ab235ca8c18411fb1eae9bd8f6aafe08157f8877389

MD5 hash:

dfb3beca6f4af7a5ee9089538fc44209

SHA1 hash:

a2c30367c4a8479ce05f5d887a4ac6000b236b57

Link:

https://www.unpac.me/results/662e4000-29ea-4016-a71b-78e49bd6aa45/

SH256 hash:

247f6e76bc4ecf62e34d929c0ab37c30530b78c52a742743f74204fa7f80265e

MD5 hash:

c4f578121a8dd41ade334be1ed14c883

SHA1 hash:

51f89fa4c7b060ce6407a5af39b6bf2d12064340

Link:

https://www.unpac.me/results/662e4000-29ea-4016-a71b-78e49bd6aa45/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/247f6e76bc4e/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/247f6e76bc4ecf62e34d929c0ab37c30530b78c52a742743f74204fa7f80265e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	PE_Potentially_Signed_Digital_Certificate Create hunting rule
Author:	albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

URLhaus

https://urlhaus.abuse.ch/url/2710216/

Cape

https://www.capesandbox.com/analysis/450505/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample