MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 67a68c48f428159ea9ab8b7820000e06e85f5c471bcf7cc7b878ce37c7c3d204. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MysticStealer


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 67a68c48f428159ea9ab8b7820000e06e85f5c471bcf7cc7b878ce37c7c3d204
SHA3-384 hash: 92ac3b839230dc30670181b3fc82e334470182288144272c380ddf95cbf306a24fe5dc2acb3cc77abbbfc5618f5949da
SHA1 hash: a9f189d7507ec13ed22cc8c03db9b76a391d8e9e
MD5 hash: 5607e0ac649051f774795c424b288164
humanhash: gee-tango-seventeen-venus
File name:5607e0ac649051f774795c424b288164.exe
Download: download sample
Signature MysticStealer
Create hunting rule
File size:355'328 bytes
First seen:2023-09-10 09:15:22 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 6144:K88y+bnr+Kp0yN90QE+hp1XcQKSLLyCCXxWpPX/g1nTZRm8ny:VMryy90IhXcQo1TZw
Threatray 7 similar samples on MalwareBazaar
TLSH T1A274F203F7D88473D8B52BB458FB03C30B36BDA59E74936B2759985A1CB3690A53132B
TrID 70.4% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
11.1% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
5.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
3.7% (.EXE) Win64 Executable (generic) (10523/12/4)
2.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter abuse_ch
Tags:exe MysticStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
311
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
5607e0ac649051f774795c424b288164.exe
Verdict:
Malicious activity
Analysis date:
2023-09-10 09:18:25 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/83ea0530-a529-482c-a6c8-2cc4b283ea84

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/447719/
Detection(s):
Sanesecurity.Malware.28840.BadO.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Сreating synchronization primitives
Creating a file
Launching a process
Launching the default Windows debugger (dwwin.exe)
Forced shutdown of a system process
Unauthorized injection to a system process
Gathering data
Gathering data
Verdict:
Malicious
Labled as:
Crifi.Generic
Link:
https://www.hybrid-analysis.com/sample/67a68c48f428159ea9ab8b7820000e06e85f5c471bcf7cc7b878ce37c7c3d204
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/6537071a-a2eb-4adb-83f0-b0a55cd505ef
Result
Threat name:
Mystic Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1306822
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
Contains functionality to inject code into remote processes
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Yara detected Mystic Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/67a68c48f428159ea9ab8b7820000e06e85f5c471bcf7cc7b878ce37c7c3d204/
Threat name:
Win32.Trojan.Crifi
Create hunting rule
Status:
Malicious
First seen:
2023-09-09 09:46:26 UTC
File Type:
PE (Exe)
Extracted files:
38
AV detection:
24 of 38 (63.16%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=m6tiyshufakz5knlrn4caaaoa3uf6xchdphxzr5ypdhdpr6d2ica._file
Verdict:
malicious
Similar samples:
01bda45f92bdaf75de7f809024177c873d12b133bb70ee1bec243ab7d3e9e3d7
MysticStealer
0a458d8affc7f401e1c3b2ad52d0eb135dfab6c4a8e79c3d307c4145b184b239
MysticStealer
553ed1c32456c7ba998e802e16f976818eb109e7b194315f53a6f2348fe043de
MysticStealer
6846828546f5883942cb40ad28958a9cde3b54b1838851e8b52d33fcbdeae3c7
MysticStealer
6d8404c0dd63242f67e1b776a866215f88362ab760e40f18f4657bef68199e23
MysticStealer
a2f28321fe155d154fee2fa53c6116b193e1c908ea0ae3aa7157ea739f38861d
MysticStealer
cb36894a3120fb5f7c510a4a512a3afd02cf9eee4738aea162db6ae35379f3bc
MysticStealer
Result
Malware family:
n/a
Score:
  7/10
Tags:
persistence
Link:
https://tria.ge/reports/230910-k8f6laga82/
Behaviour
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Executes dropped EXE
Loads dropped DLL
Unpacked files
SH256 hash:
50dc72d40106c76a664b6d2dba5148cf8d79bd20574772a4eaa6082a58469884
MD5 hash:
846854ae67aeb36658b93ff3c8f31e90
SHA1 hash:
653a588e0b8ffb5a5864f0ec0f01cc61fd948722
Link:
https://www.unpac.me/results/122e34da-ded8-4c0a-977c-88f3429b075d/
SH256 hash:
4fb57a85907eb2202049b1bdb437dd25c31b8fe83ac591a60ad253fdb2b0b267
MD5 hash:
5cc696e41a18b091dee7df78ab921e5c
SHA1 hash:
2bf14d721cf440c6e80a223d087130460229dd8a
Link:
https://www.unpac.me/results/122e34da-ded8-4c0a-977c-88f3429b075d/
SH256 hash:
67a68c48f428159ea9ab8b7820000e06e85f5c471bcf7cc7b878ce37c7c3d204
MD5 hash:
5607e0ac649051f774795c424b288164
SHA1 hash:
a9f189d7507ec13ed22cc8c03db9b76a391d8e9e
Link:
https://www.unpac.me/results/122e34da-ded8-4c0a-977c-88f3429b075d/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/67a68c48f428/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/67a68c48f428159ea9ab8b7820000e06e85f5c471bcf7cc7b878ce37c7c3d204

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

MysticStealer

Executable exe 67a68c48f428159ea9ab8b7820000e06e85f5c471bcf7cc7b878ce37c7c3d204

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2709614/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/447719/

Comments