MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6d8404c0dd63242f67e1b776a866215f88362ab760e40f18f4657bef68199e23. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MysticStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6d8404c0dd63242f67e1b776a866215f88362ab760e40f18f4657bef68199e23
SHA3-384 hash: b451349efe45bad382f6ea9377086a89f174c672b6506962c3ba7bdff14bfaf496ccb09d379f9b8de76cf1bfd4c92176
SHA1 hash: f11c52af5d0ba6e1e3a8d9eb7ecad7e76d2aa65c
MD5 hash: 3f6cd06c9501a3d416c40183780965d3
humanhash: neptune-winter-pizza-sixteen
File name:3f6cd06c9501a3d416c40183780965d3.exe
Download: download sample
Signature MysticStealer
Create hunting rule
File size:355'328 bytes
First seen:2023-09-10 09:15:15 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 6144:Kfy+bnr+Gp0yN90QE/hp1XcQKSLLyti417fwNQslEvJNQoXgBDDZaWIX/L:FMrGy90NhXcQe1UQsyBaK6DNah
Threatray 5 similar samples on MalwareBazaar
TLSH T1DC74F113F6D9C433DCB52B7058F702C30B3ABDA65978925F2391695A0CB2684B93277B
TrID 70.4% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
11.1% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
5.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
3.7% (.EXE) Win64 Executable (generic) (10523/12/4)
2.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter abuse_ch
Tags:exe MysticStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
285
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
3f6cd06c9501a3d416c40183780965d3.exe
Verdict:
Malicious activity
Analysis date:
2023-09-10 09:18:26 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/b5bb65c6-ceb1-4d08-b33b-8da2328c93df

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/447717/
Detection(s):
Sanesecurity.Malware.28840.BadO.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Сreating synchronization primitives
Creating a file
Launching a process
Launching the default Windows debugger (dwwin.exe)
Searching for the window
Forced shutdown of a system process
Unauthorized injection to a system process
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
advpack CAB control explorer greyware installer lolbin lolbin packed rundll32 setupapi shell32
Link:
https://www.filescan.io/uploads/64fd8953d3406611cfaef30c/reports/ffe44a55-67f6-438d-b069-827f57f50c4a/overview
Verdict:
Malicious
Labled as:
Crifi.Generic
Link:
https://www.hybrid-analysis.com/sample/6d8404c0dd63242f67e1b776a866215f88362ab760e40f18f4657bef68199e23
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/07110e5a-9a7c-4c2f-872d-159081594384
Result
Threat name:
Mystic Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1306824
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
Contains functionality to inject code into remote processes
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Yara detected Mystic Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6d8404c0dd63242f67e1b776a866215f88362ab760e40f18f4657bef68199e23/
Threat name:
Win32.Trojan.Crifi
Create hunting rule
Status:
Malicious
First seen:
2023-09-09 07:29:38 UTC
File Type:
PE (Exe)
Extracted files:
38
AV detection:
23 of 38 (60.53%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nwcajqg5mmsc6z7bw53kqzrbl6edmkvxmdsa6ghumv5662aztyrq._file
Verdict:
malicious
Similar samples:
01bda45f92bdaf75de7f809024177c873d12b133bb70ee1bec243ab7d3e9e3d7
MysticStealer
0a458d8affc7f401e1c3b2ad52d0eb135dfab6c4a8e79c3d307c4145b184b239
MysticStealer
553ed1c32456c7ba998e802e16f976818eb109e7b194315f53a6f2348fe043de
MysticStealer
6846828546f5883942cb40ad28958a9cde3b54b1838851e8b52d33fcbdeae3c7
MysticStealer
cb36894a3120fb5f7c510a4a512a3afd02cf9eee4738aea162db6ae35379f3bc
MysticStealer
Result
Malware family:
n/a
Score:
  7/10
Tags:
persistence
Link:
https://tria.ge/reports/230910-k8f6laga21/
Behaviour
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Executes dropped EXE
Loads dropped DLL
Unpacked files
SH256 hash:
50dc72d40106c76a664b6d2dba5148cf8d79bd20574772a4eaa6082a58469884
MD5 hash:
846854ae67aeb36658b93ff3c8f31e90
SHA1 hash:
653a588e0b8ffb5a5864f0ec0f01cc61fd948722
Link:
https://www.unpac.me/results/b436889f-4208-4619-9b15-c7c35f9a360f/
SH256 hash:
4402b60cc734585e097269cd01bd8e1b1cfef4c64c80e62a305493e580230813
MD5 hash:
79abe8a0e58cd12bb1455f95c04e617a
SHA1 hash:
19a3ef0245d876ebc68119f0490fb2c08f314534
Link:
https://www.unpac.me/results/b436889f-4208-4619-9b15-c7c35f9a360f/
SH256 hash:
6d8404c0dd63242f67e1b776a866215f88362ab760e40f18f4657bef68199e23
MD5 hash:
3f6cd06c9501a3d416c40183780965d3
SHA1 hash:
f11c52af5d0ba6e1e3a8d9eb7ecad7e76d2aa65c
Link:
https://www.unpac.me/results/b436889f-4208-4619-9b15-c7c35f9a360f/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6d8404c0dd63/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6d8404c0dd63242f67e1b776a866215f88362ab760e40f18f4657bef68199e23

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

MysticStealer

Executable exe 6d8404c0dd63242f67e1b776a866215f88362ab760e40f18f4657bef68199e23

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2710046/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/447717/

Comments