MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 45cf41c3626906fac4b7184a9ae5b215bc0c1655d576efbbfaf3750dd90b38f0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

MysticStealer

Vendor detections: 10

Intelligence 10 IOCs YARA 5 File information Comments

SHA256 hash:	45cf41c3626906fac4b7184a9ae5b215bc0c1655d576efbbfaf3750dd90b38f0
SHA3-384 hash:	137cf1916a86141c8259a25f7d4b0fdeea184cc81b0141a6ea660d2a6e97b0216e6769151d2ba3e81f449e6b61a45c82
SHA1 hash:	426b00a1c07ddc28281c620411f4ad5626cb150a
MD5 hash:	675cf5bd66f7982adb18a50a23b9f71a
humanhash:	zulu-wolfram-alpha-johnny
File name:	file
Download:	download sample
Signature	MysticStealer Create hunting rule
File size:	402'944 bytes
First seen:	2023-09-19 10:45:20 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	36723152dcc89be0d0104bd374001ada (74 x MysticStealer, 4 x RedLineStealer, 1 x Amadey)
ssdeep	6144:t/1jEL2jicP5iOo2T8VrSd/sUAOPkli93yhU0E+vdMsu5kmy3k1Sa:t/1eqiG59ouhkI9CYUdtuG3k1Sa
Threatray	94 similar samples on MalwareBazaar
TLSH	T18384BE0035918871C8731CBB15F0A7F84F6FE4B44B91E8EB5BD425AD8E349F24AE257A
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	andretavare5
Tags:	exe MysticStealer

andretavare5

Sample downloaded from http://77.91.68.238/love/no230.exe

Intelligence

File Origin

# of uploads :

# of downloads :

284

Origin country :

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/449650/

Detection(s):

SecuriteInfo.com.Trojan.Inject4.61167.10763.18777.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a file

Delayed writing of the file

Launching a process

Сreating synchronization primitives

Creating a file in the %temp% directory

Sending a custom TCP request

Forced shutdown of a system process

Unauthorized injection to a system process

Gathering data

Verdict:

No Threat

Threat level:

2/10

Confidence:

100%

Tags:

control greyware lolbin

Link:

https://www.filescan.io/uploads/65097beb32ffdb7a7a0b74f8/reports/a783cdca-13d0-4e3b-a8d9-d6d9e0e3ddef/overview

Verdict:

Malicious

Labled as:

Lazy.Generic

Link:

https://www.hybrid-analysis.com/sample/45cf41c3626906fac4b7184a9ae5b215bc0c1655d576efbbfaf3750dd90b38f0

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/f8104cdf-0204-4390-a1a1-c9e882570d50

Result

Threat name:

Mystic Stealer

Detection:

malicious

Classification:

troj.evad

Score:

88 / 100

Link:

https://www.joesandbox.com/analysis/1310708

Signature

Allocates memory in foreign processes

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Writes to foreign memory regions

Yara detected Mystic Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/45cf41c3626906fac4b7184a9ae5b215bc0c1655d576efbbfaf3750dd90b38f0/

Threat name:

Win32.Trojan.RedLine

Status:

Malicious

First seen:

2023-09-19 10:46:06 UTC

File Type:

PE (Exe)

AV detection:

19 of 23 (82.61%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ixhudq3cnedpvrfxdbfjvznscw6ayfsv2v3o7o726n2q3wilhdya._file

Verdict:

malicious

MysticStealer

2217c6d51886c38905818ed541576afa2f1dffe9b5594f0cd73c5ceb214f031d

MysticStealer

4ab986cab2a5143eb0a80a6bef8780c812e69aa068abeb5eefd99c42a24189cf

MysticStealer

4d93491f6edfc910ec40b98e677501e3a036f087cf99d4754a76a3f7c9bdd8a0

MysticStealer

60e23ca016a30b61725f14a51a3c063ec94f95da7337bd341516073e5e221e3c

MysticStealer

649c8ef74e35819c668d35f6d47d9822abb8d039f98dcb4f37e179ca9abe6e14

MysticStealer

9833c4ecbf42d63a6e803708fee8494dc59edd166418fbf5ab233cc78090105e

MysticStealer

bdefdcbdd5af76934913cdfc76ac1785f6df8a5fe32d36e1fbabcf8de754867a

MysticStealer

ca2e937da5449442337ed9e9994754077918222d3cce4e291faf75eaa27aeaeb

MysticStealer

d45ffff83b761de87daf2843ae1f8b0366552aa2ce586206b41846ce2e2a6f62

MysticStealer

+ 84 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://tria.ge/reports/230919-mtys7sge3x/

Behaviour

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of SetThreadContext

Unpacked files

SH256 hash:

f157c80d3dcf3e18a9cee71cf7b7c816ae806cf6640c67079a856f37769d20b1

MD5 hash:

736ab164867addc0d3090f9da59d3991

SHA1 hash:

77c045a454a09a06ba6f10f4aad3a3e9f98bfea3

Link:

https://www.unpac.me/results/c1ad1fe9-879a-4deb-9f86-8d0891330429/

SH256 hash:

45cf41c3626906fac4b7184a9ae5b215bc0c1655d576efbbfaf3750dd90b38f0

MD5 hash:

675cf5bd66f7982adb18a50a23b9f71a

SHA1 hash:

426b00a1c07ddc28281c620411f4ad5626cb150a

Link:

https://www.unpac.me/results/c1ad1fe9-879a-4deb-9f86-8d0891330429/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/45cf41c36269/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/45cf41c3626906fac4b7184a9ae5b215bc0c1655d576efbbfaf3750dd90b38f0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AppLaunch Create hunting rule
Author:	iam-py-test
Description:	Detect files referencing .Net AppLaunch.exe

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	NET Create hunting rule
Author:	malware-lu

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

URLhaus

https://urlhaus.abuse.ch/url/2710216/

Cape

https://www.capesandbox.com/analysis/449650/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample