MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5b16c56f47b2e373f0f6551be8eba30ea305db58854cddf3cf057d4be30105fa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

MysticStealer

Vendor detections: 11

Intelligence 11 IOCs YARA 6 File information Comments

SHA256 hash:	5b16c56f47b2e373f0f6551be8eba30ea305db58854cddf3cf057d4be30105fa
SHA3-384 hash:	2746a094b93054af8519854ab76e87dbae055a9ef58a78cdfeb9818795499233cfba38d11f2ce3abe0c16a92d73ec59b
SHA1 hash:	5ecf0ddd79f89522e886df5cab2952b222ef1b27
MD5 hash:	a42bb7431a9eb078470d4a62553e2045
humanhash:	mango-undress-seven-triple
File name:	a42bb7431a9eb078470d4a62553e2045.exe
Download:	download sample
Signature	MysticStealer Create hunting rule
File size:	387'448 bytes
First seen:	2023-10-06 14:13:37 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	06ede52fcc31e4900f4f1a7060fce645 (10 x RedLineStealer, 6 x Stealc, 5 x Amadey)
ssdeep	6144:/4ZSM92pCryG4kfjSGwEi56AOnGFeQDGjxdby+rf7qwDyenyneDymPB50D:/4Zd2wryNSE9DG1d+07DyenyneQD
Threatray	767 similar samples on MalwareBazaar
TLSH	T13184AE00B4D0C873E823013608D8DB775E7D7D614BA695EB1BA8DBBDDE607C097362A6
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	abuse_ch
Tags:	exe MysticStealer

Intelligence

File Origin

# of uploads :

# of downloads :

261

Origin country :

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Win32.PWSX-gen.11791.18486.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Launching a process

Сreating synchronization primitives

Creating a file in the %temp% directory

Launching the default Windows debugger (dwwin.exe)

Sending a custom TCP request

Unauthorized injection to a system process

Gathering data

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

control greyware lolbin overlay packed

Link:

https://www.filescan.io/uploads/6520162b426c8727d6f12293/reports/0e43ec7b-8c08-4907-a319-8c8e5953950e/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/5b16c56f47b2e373f0f6551be8eba30ea305db58854cddf3cf057d4be30105fa

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/36667e7b-9911-4b87-baf7-e4c2b516d86b

Result

Threat name:

Mystic Stealer

Detection:

malicious

Classification:

troj.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/1321005

Signature

Allocates memory in foreign processes

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Writes to foreign memory regions

Yara detected Mystic Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/5b16c56f47b2e373f0f6551be8eba30ea305db58854cddf3cf057d4be30105fa/

Threat name:

Win32.Trojan.Stealerc

Status:

Malicious

First seen:

2023-10-06 13:52:52 UTC

File Type:

PE (Exe)

AV detection:

22 of 37 (59.46%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=lmlmk32hwlrxh4hwkun6r25db2rqlw2yqvgn346pav6uxyybax5a._file

Verdict:

malicious

MysticStealer

4465e8c20f4e65e979521f058a3dfbeaa1e7d886589ff031957153c0a57a4860

MysticStealer

7a266b1d528127259dc89f9d9410b19c5ab55247034db6e4ec8f37c1b51bee79

MysticStealer

ae2f8d58e78cfe8df09b337a75f79795aab3f565776be32e35cc8ee2d747599f

MysticStealer

b7c5d625ee15f20255a9989081cb9297f429df6f0eaaeaa1e4abbfd4a146e698

MysticStealer

bbe39345895cdaa196904e095fc9e5f7075db082d3e507cf5c1f55d4867c515a

MysticStealer

c078f1672e8579d652410aa02ab6ea386a7e22ed78ad50905e823619e1e21149

MysticStealer

ff606d2b2815f58f2b5aea9653995de2ce548b8227ed9d0d9d7f2ed51a510a99

MysticStealer

+ 757 additional samples on MalwareBazaar

Result

Malware family:

mystic

Score:

10/10

Tags:

family:mystic stealer

Link:

https://tria.ge/reports/231006-rjzpzacf3y/

Behaviour

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of SetThreadContext

Detect Mystic stealer payload

Mystic

Malware Config

C2 Extraction:

http://5.42.92.211/loghub/master

Unpacked files

SH256 hash:

4e0e4660d283270ae7abac2520b0bbd19324ff879c079ddb771c072bc7bbf60e

MD5 hash:

9550b6022fcadfa9c2b6ed54f716b5eb

SHA1 hash:

0f2056f10af352f7c96cd0be0ab10538688512c2

Link:

https://www.unpac.me/results/bb89160d-74d6-4bdf-8c07-9b60aed3fe1d/

SH256 hash:

5b16c56f47b2e373f0f6551be8eba30ea305db58854cddf3cf057d4be30105fa

MD5 hash:

a42bb7431a9eb078470d4a62553e2045

SHA1 hash:

5ecf0ddd79f89522e886df5cab2952b222ef1b27

Link:

https://www.unpac.me/results/bb89160d-74d6-4bdf-8c07-9b60aed3fe1d/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/5b16c56f47b2/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/5b16c56f47b2e373f0f6551be8eba30ea305db58854cddf3cf057d4be30105fa

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	PE_Potentially_Signed_Digital_Certificate Create hunting rule
Author:	albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample