MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6b6457f9fa9fa653bf15f9fe7878bf7d10c95febeb6632434d6500be7684d88c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

MysticStealer

Vendor detections: 11

Intelligence 11 IOCs YARA 4 File information Comments

SHA256 hash:	6b6457f9fa9fa653bf15f9fe7878bf7d10c95febeb6632434d6500be7684d88c
SHA3-384 hash:	e2759db13361911ec182b0a13d2b2107ccf5ceffd8a80a932754202263c6db50ded613d8c3cb295dbea55f12c8ceb41d
SHA1 hash:	ede2645f9f99aa8f394f92fabe80c2f9bb75f3d6
MD5 hash:	1e53a3f93da0648299f85c9e638d0faa
humanhash:	delaware-kansas-monkey-december
File name:	file
Download:	download sample
Signature	MysticStealer Create hunting rule
File size:	1'827'328 bytes
First seen:	2023-10-05 19:47:58 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	b092678fc438a3bc6ea71ba0ea4cfa08 (12 x RedLineStealer, 4 x MysticStealer, 2 x Stealc)
ssdeep	24576:oxY5A0vimILMPcVZT6gH/A2Z36a9DhvhNYGzgEf:e0vimILMP4l6SAO36a3vRz/f
Threatray	974 similar samples on MalwareBazaar
TLSH	T113851A1176F95B59F5F30FB85ABAA611087ABC6ADF11C2DF1265908E0C20BD18970F3B
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	jstrosch
Tags:	exe MysticStealer

Intelligence

File Origin

# of uploads :

# of downloads :

304

Origin country :

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Trojan.Siggen21.25551.17474.10210.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Launching a process

Сreating synchronization primitives

Creating a file in the %temp% directory

Launching the default Windows debugger (dwwin.exe)

Unauthorized injection to a system process

Gathering data

Verdict:

No Threat

Threat level:

2.5/10

Confidence:

100%

Tags:

control greyware lolbin

Link:

https://www.filescan.io/uploads/651f12f91e07d7e1e9b2f661/reports/95f2958e-25b1-4e37-b5c1-5df13a0c7181/overview

Verdict:

Malicious

Labled as:

Babar.Generic

Link:

https://www.hybrid-analysis.com/sample/6b6457f9fa9fa653bf15f9fe7878bf7d10c95febeb6632434d6500be7684d88c

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/79d17bf0-2717-4aa3-9680-dc10143778c4

Result

Threat name:

Mystic Stealer

Detection:

malicious

Classification:

troj.evad

Score:

84 / 100

Link:

https://www.joesandbox.com/analysis/1320549

Signature

Allocates memory in foreign processes

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Found malware configuration

Injects a PE file into a foreign processes

Writes to foreign memory regions

Yara detected Mystic Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/6b6457f9fa9fa653bf15f9fe7878bf7d10c95febeb6632434d6500be7684d88c/

Threat name:

Win32.Trojan.Amadey

Status:

Malicious

First seen:

2023-10-05 19:48:10 UTC

File Type:

PE (Exe)

AV detection:

16 of 23 (69.57%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=nnsfp6p2t6tfhpyv7h7hq6f7puimsx7l5ntdeq2nmual45ue3cga._file

Verdict:

malicious

MysticStealer

1987fa932269167c15f0f0026cc65c68e3163362164d8440cba2c889586d2cdb

MysticStealer

4beaa05abbc9c61649f59a90870cf295699f35a90c02b4059a220bb281ca4150

MysticStealer

6b4dffdcad76a50d5c6268c998e23b297eb666174e871973f3b7684b13cfec2a

MysticStealer

6ba71b02669ff6b6e939e334fd5b2aa907bfd3f54215c19df094be1cd5b948f8

MysticStealer

7cee21efe664b45e95adfee598c563075da57fb4adda965868025141e4208f3b

MysticStealer

9361752c41ba1a8271983e2451036b39ad776462de60b4497af5b37f057767f7

MysticStealer

99ddf87908c8aee01cc6d189f9a9fd8979e8b7d7e118cc47096bf2adb1092d2f

MysticStealer

d5575d0469bb88aa7204a9b8d9d60a81fefef6834726b9394e811a70ee2ca57d

MysticStealer

e74240f9fbac8f981723e4e160355350161bfccf4abdce906ddc4b0407e7b3fc

MysticStealer

+ 964 additional samples on MalwareBazaar

Result

Malware family:

mystic

Score:

10/10

Tags:

family:mystic stealer

Link:

https://tria.ge/reports/231005-yh5cdseh4t/

Behaviour

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of SetThreadContext

Detect Mystic stealer payload

Mystic

Malware Config

C2 Extraction:

http://5.42.92.211/loghub/master

Unpacked files

SH256 hash:

4e0e4660d283270ae7abac2520b0bbd19324ff879c079ddb771c072bc7bbf60e

MD5 hash:

9550b6022fcadfa9c2b6ed54f716b5eb

SHA1 hash:

0f2056f10af352f7c96cd0be0ab10538688512c2

Link:

https://www.unpac.me/results/e40b3e3c-b91f-4669-bdb8-67276418cb35/

SH256 hash:

6b6457f9fa9fa653bf15f9fe7878bf7d10c95febeb6632434d6500be7684d88c

MD5 hash:

1e53a3f93da0648299f85c9e638d0faa

SHA1 hash:

ede2645f9f99aa8f394f92fabe80c2f9bb75f3d6

Link:

https://www.unpac.me/results/e40b3e3c-b91f-4669-bdb8-67276418cb35/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/6b6457f9fa9f/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/6b6457f9fa9fa653bf15f9fe7878bf7d10c95febeb6632434d6500be7684d88c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	NET Create hunting rule
Author:	malware-lu

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

MysticStealer

exe 6b6457f9fa9fa653bf15f9fe7878bf7d10c95febeb6632434d6500be7684d88c

(this sample)

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/2716638/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample