MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 447b333ac04a8b9189d0304c8c0cfd911661f214e6bbdf40bd5ab27d1631f391. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MysticStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 447b333ac04a8b9189d0304c8c0cfd911661f214e6bbdf40bd5ab27d1631f391
SHA3-384 hash: 37c9b80bbf472aba1f56246b7c6366ea068163dbdb7a45c2536a92dd5cd317b4f6aa9782a46aa73cab556fce39a6a58c
SHA1 hash: dba181e4c4f83cf955dbd4af41f2b9400078b2a4
MD5 hash: 6022a8d865e5331598bad504e6f4de37
humanhash: oranges-sixteen-georgia-july
File name:6022a8d865e5331598bad504e6f4de37.exe
Download: download sample
Signature MysticStealer
Create hunting rule
File size:1'109'504 bytes
First seen:2023-10-30 05:53:57 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b11c9cd467b185b2c3a0a894930ee4ee (5 x MysticStealer, 3 x RedLineStealer)
ssdeep 12288:AC9ock3XEA29ADR87kHCYbw13Re0bUjnZk5uWSeT0twCRMnJu3KK:Alp3F29Ad87kHCQWReguGdJu3
Threatray 236 similar samples on MalwareBazaar
TLSH T13D359E2079C09171EDE220F68BBEB629826DD0B4071555FB06D86BFED7602C16F326B7
TrID 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter abuse_ch
Tags:exe MysticStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
320
Origin country :
NL NL
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/457034/
Detection(s):
Win.Packed.Pwsx-10012424-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Сreating synchronization primitives
Unauthorized injection to a system process
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control greyware lolbin
Link:
https://www.filescan.io/uploads/653f44ffbc703e36b0932e88/reports/dca287fc-8b63-482b-b688-04873b0cb836/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/447b333ac04a8b9189d0304c8c0cfd911661f214e6bbdf40bd5ab27d1631f391
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/f155e6b4-6773-4fca-a047-c1806f9d186e
Result
Threat name:
Mystic Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/1334059
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
Contains functionality to inject code into remote processes
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Yara detected Mystic Stealer
Behaviour
Behavior Graph:
Download SVG
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/447b333ac04a8b9189d0304c8c0cfd911661f214e6bbdf40bd5ab27d1631f391
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/447b333ac04a8b9189d0304c8c0cfd911661f214e6bbdf40bd5ab27d1631f391/
Threat name:
Win32.Trojan.RedLine
Create hunting rule
Status:
Malicious
First seen:
2023-10-29 12:02:38 UTC
File Type:
PE (Exe)
AV detection:
19 of 23 (82.61%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ir5tgowajkfzdcoqgbgiydh5selgd4qu42556qf5lkzh2frr6oiq._file
Verdict:
malicious
Similar samples:
31111863184999972398bd14df902dc5f24dae8549b4b734c6981501ecb0efa9
MysticStealer
4280e6e70fceb92c11d7de42e14854783d09a551769b9117097cd4a5affe3b35
MysticStealer
7f7d7e4b47a92c89715bc074780bf03e2b41d67498e7ee5d435102d5ff8aa8a9
MysticStealer
afd16a178685cbd5fab13e133a2d4db5122ec638f936474547fde620c9660070
MysticStealer
c6954a8566262d8395ac3861a1dffe990bbce05ef20750716aa63703981a3fbf
MysticStealer
e776c8b8f6577d90f9fe9a73224690befcdd6a8060ca326c75ec9d5e5b1bd4b8
MysticStealer
f7864ce4882075fe298e7d312067b9ca244e15aaf4884d755f372580f34a42bd
MysticStealer
fc3d4ee5d3ac9aa5dcda865ff30e2805a6606794070f6331298c65d4390b3c58
MysticStealer
ff1dffb89fbb43e42796b56bca4bfe0878568bcbb62f0503b583aea2c3218e2c
MysticStealer
+ 226 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/231030-glw2rada62/
Behaviour
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
5484ca53027230772ae149e3d7684b7e322432ceb013b6bc2440bd3c269192ea
MD5 hash:
e561df80d8920ae9b152ddddefd13c7c
SHA1 hash:
0d020453f62d2188f7a0e55442af5d75e16e7caf
Link:
https://www.unpac.me/results/98f760e5-5ff7-4b9f-80d3-926108ae8c06/
SH256 hash:
447b333ac04a8b9189d0304c8c0cfd911661f214e6bbdf40bd5ab27d1631f391
MD5 hash:
6022a8d865e5331598bad504e6f4de37
SHA1 hash:
dba181e4c4f83cf955dbd4af41f2b9400078b2a4
Link:
https://www.unpac.me/results/98f760e5-5ff7-4b9f-80d3-926108ae8c06/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/447b333ac04a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/447b333ac04a8b9189d0304c8c0cfd911661f214e6bbdf40bd5ab27d1631f391

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:NET
Create hunting rule
Author:malware-lu

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

MysticStealer

Executable exe 447b333ac04a8b9189d0304c8c0cfd911661f214e6bbdf40bd5ab27d1631f391

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2726336/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/457034/

Comments