MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2dcabb7757046fa4178695fdfa481b1bb309f0264ee5bc4be4326476e33ec082. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

MistStealer

Vendor detections: 4

Intelligence 4 IOCs YARA File information Comments

SHA256 hash:	2dcabb7757046fa4178695fdfa481b1bb309f0264ee5bc4be4326476e33ec082
SHA3-384 hash:	24ebeb7a6b894c37e04a730d8af864130f710c5d6eb8686496053350721faeac3e9c608e817ebe46a5965ec185c71426
SHA1 hash:	61bcc321594759d282c7aaf84cb7a4a4d116c778
MD5 hash:	5c5bfde7bc82aa30b6377b63422b52ca
humanhash:	princess-football-december-hawaii
File name:	Mist.Buld_1.exe
Download:	download sample
Signature	MistStealer Create hunting rule
File size:	397'824 bytes
First seen:	2020-06-11 22:40:07 UTC
Last seen:	2020-06-11 23:38:34 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	12288:gzHOpBXcoeAGO1sw2vQe/jQFEFec/Uthtu:gzHOThjOvQe/jQ+Feeg
Threatray	80 similar samples on MalwareBazaar
TLSH	B0842301E5ADFAEFD58CDB794F4F451655B56B2134B2CBEF68C0E0208A53381286B2E7
Reporter	James_inthe_box
Tags:	exe MistStealer

Intelligence

File Origin

# of uploads :

2

# of downloads :

91

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/7857/

Detection(s):

SecuriteInfo.com.Variant.MSILPerseus.224461.31736.403.UNOFFICIAL

Gathering data

Threat name:

Win32.Trojan.Kryptik

Status:

Malicious

First seen:

2020-06-11 06:53:10 UTC

File Type:

PE (.Net Exe)

Extracted files:

1

AV detection:

24 of 30 (80.00%)

Threat level:

5/5

Verdict:

malicious

Similar samples:

2ca9c5bc5c8a79c61dff4cfd84a8f5272f6fb25eb936b9175e19a4af540473e6

4ece7a3cd6313c022ce3d30028a8af4f4f4da6a35efcddb8136b4bb5520fdb21

73a8ad379a2f6efec0754119102727765066db33a4f8b4a0aed21608bdb0cdfd

9068f4fcfd2aa78ed5130d7af1f70bafe3388d3443991c372cb430bb64eb9a82

9efca9fb9aadcdec3f3e23fda67899c67dda0d7178636a5691e15d6b62e01649

ccb7e7ea08121c1d3d37739b4273e750843fe2296d24ae69a8efb686adbf53c3

d59f4326de544446fc05984fc4ed5d1b2bd32cbeecaad97474af2ac24befeb67

e4b9d743c8ae9db1c7232c68e57d98efb5906a00b00ad5d9ab105ef1695de7c8

e9f48ee07c060bd829f28387a16c8eba4ef1d2fb475fc03a09d944cc858b77fb

f60a52512773b52def9ba9ce8aad61144d2cf351f6bc04d1c5a13abef8f3b89b

+ 70 additional samples on MalwareBazaar

Result

Malware family:

echelon

Score:

10/10

Tags:

family:agenttesla family:echelon discovery keylogger spyware stealer trojan

Link:

https://tria.ge/reports/201109-ftdljyy6c6/

Behaviour

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Looks up external IP address via web service

Checks installed software on the system

Reads user/profile data of web browsers

Executes dropped EXE

AgentTesla Payload

Echelon log file

AgentTesla

Echelon

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

Cape

https://www.capesandbox.com/analysis/7857/

Cape

Cape

https://www.capesandbox.com/analysis/7854/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample