MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 68b82c10f03604ad1d6cf6247fc63752b8b48c4a463dc6c2a8e815befa299877. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

MysticStealer

Vendor detections: 11

SHA256 hash: 68b82c10f03604ad1d6cf6247fc63752b8b48c4a463dc6c2a8e815befa299877
SHA3-384 hash: a2b66259743ae690a6e1a5ef8dea67dc074a1681560d5c7dae62619f3953b9776fcf54cf9241647913146eeac1fadd66
SHA1 hash: 558cbc1b1f92d999572b6d95ad7364ec068f78dc
MD5 hash: fdeff32a3dee124e84c36f5f389fea78
humanhash: march-magazine-quebec-sweet
File name: file
Signature: MysticStealer
File size: 374'272 bytes
First seen: 2023-09-18 20:58:38 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 36723152dcc89be0d0104bd374001ada (74 x MysticStealer, 4 x RedLineStealer, 1 x Amadey)
ssdeep: 6144:I6xjEE2jicP5iOo2T8VrSd/sUAOqUlECmFpES1ZLb78RjbWrkk1Sa:I6xJqiG59oukUqCmQSD9wk1Sa
Threatray: 532 similar samples on MalwareBazaar
TLSH: T16C84AFD5B4D14477DCB100368AE5CBB14939A4600B7B25AFB7F50EBF4FA82D08239B66
TrID: 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
      9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
      6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter: andretavare5
Tags: exe MysticStealer


andretavare5
Sample downloaded from http://77.91.68.238/love/no230.exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 310
Origin country: US
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: file
Verdict: Malicious activity
Analysis date: 2023-09-18 21:01:19 UTC
Tags: stealc stealer

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
Creating a file
Delayed writing of the file
Launching a process
Creating synchronization primitives
Creating a file in the %temp% directory
Unauthorized injection to a system process
Gathering data
Verdict: No Threat
Threat level: 2/10
Confidence: 100%
Tags: control greyware lolbin
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Mystic Stealer, Amadey, Fabookie, RedLin
Detection: malicious
Classification: troj.evad.spyw
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Detected unpacking (creates a PE file in dynamic memory)
DLL side loading technique detected
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Update Standalone Installer command line found (may be used to bypass UAC)
Writes to foreign memory regions
Yara detected Amadey bot
Yara detected Fabookie
Yara detected Mystic Stealer
Yara detected RedLine Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph ID: 1310366 (Sample: file.exe, Startdate: 18/09/2023, Architecture: WINDOWS, Score: 100)
Threat name: Win32.Trojan.Privateloader
Status: Malicious
First seen: 2023-09-18 20:59:05 UTC
File Type: PE (Exe)
AV detection: 20 of 24 (83.33%)
Threat level: 5/5
Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Unpacked files
SHA256 hash: c542f888ac01d2b3476b3e68e97e4b45c3ecbc5c7c86d58068fc073dcfa9261e
MD5 hash: 38d82f87ad1b4c6d0787bc2e7ad6f26e
SHA1 hash: 29c3de119f81e49e2ce60990310d2991dc2fc796
SHA256 hash: 68b82c10f03604ad1d6cf6247fc63752b8b48c4a463dc6c2a8e815befa299877
MD5 hash: fdeff32a3dee124e84c36f5f389fea78
SHA1 hash: 558cbc1b1f92d999572b6d95ad7364ec068f78dc
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: AppLaunch
Author: iam-py-test
Description: Detect files referencing .Net AppLaunch.exe

Rule name: cobalt_strike_tmp01925d3f
Author: The DFIR Report
Description: files - file ~tmp01925d3f.exe
Reference: https://thedfirreport.com

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: maldoc_find_kernel32_base_method_1
Author: Didier Stevens (https://DidierStevens.com)

Rule name: NET
Author: malware-lu

File information


The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by: PrivateLoader
Delivery method: Distributed via drive-by

Comments