MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5cfaf3fea4ae7c8bf6e7226fd319aeb960a87e8bfb7b15e9c86f220cfa7c5ddc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

MysticStealer

Vendor detections: 11

Intelligence 11 IOCs YARA 5 File information Comments

SHA256 hash:	5cfaf3fea4ae7c8bf6e7226fd319aeb960a87e8bfb7b15e9c86f220cfa7c5ddc
SHA3-384 hash:	62b70a64376f6824c38987f7ccf9920d478dbc188a21cc695bdd84dc259dd9bea988cb0a10a895c33cd1462cc8a06ca5
SHA1 hash:	df610fe6aee0686913905c24b0518e4e15932460
MD5 hash:	b045b1ad5f9c23bec59af102feb4bcc0
humanhash:	green-maine-failed-missouri
File name:	file
Download:	download sample
Signature	MysticStealer Create hunting rule
File size:	396'288 bytes
First seen:	2023-09-12 12:12:14 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	29c8b785823d6c11cf3aae5ebbb5f0e6 (8 x RedLineStealer, 6 x MysticStealer, 1 x Smoke Loader)
ssdeep	12288:hJ88kfMfnuis006jmRNhsjzNtEMyUzRdG:hW8kfGnbsZ4DzR4
TLSH	T18784AFD174D2C671E17335324668DAB4567DF860072C4ACB63DCCA3E8B225D26B3A9E3
TrID	32.2% (.EXE) Win64 Executable (generic) (10523/12/4) 20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 15.4% (.EXE) Win16 NE executable (generic) (5038/12/1) 13.7% (.EXE) Win32 Executable (generic) (4505/5/1) 6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter	andretavare5
Tags:	exe MysticStealer

andretavare5

Sample downloaded from http://77.91.68.238/love/no230.exe

Intelligence

File Origin

# of uploads :

# of downloads :

316

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

file

Verdict:

Malicious activity

Analysis date:

2023-09-12 12:13:37 UTC

Tags:

stealc stealer

Link:

https://app.any.run/tasks/02353950-a023-4d45-9f68-4f49830912a7

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/448165/

Detection(s):

Win.Malware.Exploitx-9967939-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Launching a process

Sending a custom TCP request

Forced shutdown of a system process

Unauthorized injection to a system process

Gathering data

Verdict:

No Threat

Threat level:

10/10

Confidence:

100%

Tags:

control greyware lolbin

Link:

https://www.filescan.io/uploads/650055cf482c0b85d556eaf5/reports/31684394-7898-4bbc-a9e9-432a63c89cbd/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_90%

Link:

https://www.hybrid-analysis.com/sample/5cfaf3fea4ae7c8bf6e7226fd319aeb960a87e8bfb7b15e9c86f220cfa7c5ddc

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/837c01fa-3eb2-4d48-8d5f-0cc97ebb7931

Result

Threat name:

Mystic Stealer

Detection:

malicious

Classification:

troj.evad

Score:

80 / 100

Link:

https://www.joesandbox.com/analysis/1308639

Signature

Allocates memory in foreign processes

Antivirus / Scanner detection for submitted sample

Contains functionality to inject code into remote processes

Injects a PE file into a foreign processes

Multi AV Scanner detection for submitted file

Writes to foreign memory regions

Yara detected Mystic Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/5cfaf3fea4ae7c8bf6e7226fd319aeb960a87e8bfb7b15e9c86f220cfa7c5ddc/

Threat name:

Win32.Trojan.Synder

Status:

Malicious

First seen:

2023-09-12 12:13:05 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

18 of 23 (78.26%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=lt5ph7vevz6ix5xhejx5ggnoxfqkq7ul7n5rl2oin4raz6t4lxoa._file

Verdict:

malicious

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://tria.ge/reports/230912-pdqtrscb9y/

Behaviour

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of SetThreadContext

Unpacked files

SH256 hash:

ff5bb0b2d444da2f2b4dc82a2f49e46b6ceac0ee3785a492e48ecbcf1aa07541

MD5 hash:

90af8bdd5d34fd126e143b41691d16cf

SHA1 hash:

a08e5ce49113713669114175e26cdb34e5ba93f2

Link:

https://www.unpac.me/results/5d79b95c-2e88-442e-9711-9bf778ca93b9/

SH256 hash:

5cfaf3fea4ae7c8bf6e7226fd319aeb960a87e8bfb7b15e9c86f220cfa7c5ddc

MD5 hash:

b045b1ad5f9c23bec59af102feb4bcc0

SHA1 hash:

df610fe6aee0686913905c24b0518e4e15932460

Link:

https://www.unpac.me/results/5d79b95c-2e88-442e-9711-9bf778ca93b9/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/5cfaf3fea4ae/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/5cfaf3fea4ae7c8bf6e7226fd319aeb960a87e8bfb7b15e9c86f220cfa7c5ddc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AppLaunch Create hunting rule
Author:	iam-py-test
Description:	Detect files referencing .Net AppLaunch.exe

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	NET Create hunting rule
Author:	malware-lu

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

Cape

https://www.capesandbox.com/analysis/448165/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample