MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 32fc4939b1ccdd7f7ea0feecb05df65bb4f677961c2f70f5ed7fe26ff081b7d1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MysticStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 32fc4939b1ccdd7f7ea0feecb05df65bb4f677961c2f70f5ed7fe26ff081b7d1
SHA3-384 hash: 287c243870705e7a221f37cd3f153310faf43f78405247dfa8b4999053013d0f669ab03bf7fc726f421c051cf2d8dcbb
SHA1 hash: 0cd8ab83d4cbc7e1ec8968d51507ddd35376badb
MD5 hash: 354aee23414eea4e38d041b45b5cb7ae
humanhash: idaho-mirror-beryllium-arizona
File name:354aee23414eea4e38d041b45b5cb7ae
Download: download sample
Signature MysticStealer
Create hunting rule
File size:1'909'248 bytes
First seen:2023-10-23 12:11:35 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 037522269f8348aa17add864631a3f22 (6 x MysticStealer, 4 x Smoke Loader, 2 x Formbook)
ssdeep 24576:frYAfSYqe7E9kzd+WNO6a9Dhvh2bakbUI:fxqe7E9DW06a3v6akY
Threatray 314 similar samples on MalwareBazaar
TLSH T168952C1176F94B59FAF31BB85BBA6611087AFC699F11C3DF1250508E0E31AD0A970B37
TrID 39.5% (.EXE) InstallShield setup (43053/19/16)
28.6% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
9.6% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter zbetcheckin
Tags:32 exe MysticStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
325
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
354aee23414eea4e38d041b45b5cb7ae
Verdict:
Suspicious activity
Analysis date:
2023-10-23 12:13:30 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/5f8a7137-61ef-40f5-b364-6a3575077b33

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.21405.26884.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Сreating synchronization primitives
Forced shutdown of a system process
Unauthorized injection to a system process
Gathering data
Verdict:
No Threat
Threat level:
  2.5/10
Confidence:
100%
Tags:
control greyware lolbin
Link:
https://www.filescan.io/uploads/653663184678fc28dfc5fc2c/reports/b39b1f1d-79ed-446b-b231-d8e2d0cd06c4/overview
Verdict:
Malicious
Labled as:
Trojan/Injector.bdh
Link:
https://www.hybrid-analysis.com/sample/32fc4939b1ccdd7f7ea0feecb05df65bb4f677961c2f70f5ed7fe26ff081b7d1
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0de4e90f-66e5-460b-bec8-ec0edfeeaa05
Result
Threat name:
Mystic Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/1330556
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Found malware configuration
Injects a PE file into a foreign processes
Writes to foreign memory regions
Yara detected Mystic Stealer
Behaviour
Behavior Graph:
Download SVG
Score:
97%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/32fc4939b1ccdd7f7ea0feecb05df65bb4f677961c2f70f5ed7fe26ff081b7d1
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/32fc4939b1ccdd7f7ea0feecb05df65bb4f677961c2f70f5ed7fe26ff081b7d1/
Threat name:
Win32.Trojan.Stealc
Create hunting rule
Status:
Malicious
First seen:
2023-10-23 13:10:14 UTC
AV detection:
18 of 23 (78.26%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gl6esonrztox67va73wlaxpwlo2pm54wdqxxb5pnp7rg74ebw7iq._file
Verdict:
malicious
Similar samples:
08c0d32c5801467454e923599e74fc5c10ff0db6d152d9e5f67a303203e33db4
MysticStealer
0d2075b728700bacfa79dc4138df8e89a8d3a67221f612d2997968598b6285b3
MysticStealer
5daa9d2d50d75fe0d91f2330e679aad02de3a841cceec9fcff74a55aa0b835a2
MysticStealer
75ec6c815f4ca762223a0ad901defff84ae8338f4ad9970a7a606bdb1514fd99
MysticStealer
8c01f096725d70248403986433a2052358112499578c1e5ce68b1363709434bd
MysticStealer
9db10dca22b6e4b610d74316f7a94f758d32f077666c0b775e9f0f13234f30ff
MysticStealer
af57e0f87312aedf0fe588dc08e4f5453b5ce31bbaa64b9f7b4033261e279a9e
MysticStealer
b857534dee49e9485913b54161cfd20ce3a26ebb1b4d4d73a13d88d94bbe017b
MysticStealer
c6d732d8b01afa98d6bf5012c45309107f9866e63aaf7351a35240a945a20925
MysticStealer
f29f199df3da80d14283b9ab186ab9515221b10d917319f0cc3c27e09330c5f3
MysticStealer
+ 304 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/231023-pc65csad35/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
a0330d75df7075206cf68d358e3acfc621062f35db43c2521b8ef5e7c9f317f1
MD5 hash:
0635bc911c5748d71a4aed170173481e
SHA1 hash:
6d92ff8b519e4a10759f75f3b3d9e1459ed4ff1b
Link:
https://www.unpac.me/results/b966230e-bcf7-4638-aac7-257f76f57c29/
SH256 hash:
32fc4939b1ccdd7f7ea0feecb05df65bb4f677961c2f70f5ed7fe26ff081b7d1
MD5 hash:
354aee23414eea4e38d041b45b5cb7ae
SHA1 hash:
0cd8ab83d4cbc7e1ec8968d51507ddd35376badb
Link:
https://www.unpac.me/results/b966230e-bcf7-4638-aac7-257f76f57c29/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/32fc4939b1cc/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:NET
Create hunting rule
Author:malware-lu

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

MysticStealer

Executable exe 32fc4939b1ccdd7f7ea0feecb05df65bb4f677961c2f70f5ed7fe26ff081b7d1

(this sample)

  
Delivery method
Distributed via web download

Comments


Avatar
zbet commented on 2023-10-23 12:11:36 UTC

url : hxxp://77.91.68.249/fuza/nalo.exe