MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6f9de685cc3db3689fda7269ffbbdd5a84cf0697a71150f7cdefa93de4b219a1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

MysticStealer

Vendor detections: 9

Intelligence 9 IOCs YARA 7 File information Comments

SHA256 hash:	6f9de685cc3db3689fda7269ffbbdd5a84cf0697a71150f7cdefa93de4b219a1
SHA3-384 hash:	06e666837f931db574526804eb1f414e6179fc7504bb7c9655bb378b549e5bfdf09a9362babb0e1b133c05844a0b2e8c
SHA1 hash:	34414abe30647a37fe676a227387b7b0a35df3e5
MD5 hash:	0047317cca809d44c94570d1dc872d97
humanhash:	robin-nitrogen-snake-hamper
File name:	file
Download:	download sample
Signature	MysticStealer Create hunting rule
File size:	366'456 bytes
First seen:	2023-09-11 04:59:48 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	42a9a04d093acea5d87d09e3defddcb0 (32 x Amadey, 26 x RedLineStealer, 2 x MysticStealer)
ssdeep	6144:ZwhUvz6DCGbAR/VeDC1tAOiMCVqaNP7XJ1hz8BuLCrurBiIg:ZxvzaC+Uj9uqa59gurBiIg
Threatray	723 similar samples on MalwareBazaar
TLSH	T14774C00070D091B3D833263A1AF59FB19EFDB6610E31CAEB93E4FE3E4A542D19A74516
TrID	32.2% (.EXE) Win64 Executable (generic) (10523/12/4) 20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 15.4% (.EXE) Win16 NE executable (generic) (5038/12/1) 13.7% (.EXE) Win32 Executable (generic) (4505/5/1) 6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter	andretavare5
Tags:	exe MysticStealer

andretavare5

Sample downloaded from http://77.91.68.238/love/no230.exe

Intelligence

File Origin

# of uploads :

# of downloads :

329

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

file

Verdict:

No threats detected

Analysis date:

2023-09-11 05:00:11 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/0b898418-4f79-413d-ae20-c346b1486db7

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/447816/

Detection(s):

Win.Trojan.Jaik-10007916-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Launching a process

Сreating synchronization primitives

Creating a file in the %temp% directory

Launching the default Windows debugger (dwwin.exe)

Sending a custom TCP request

Unauthorized injection to a system process

Gathering data

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

control greyware lolbin overlay packed

Link:

https://www.filescan.io/uploads/64fe9ed3a2b9c745b28e0c06/reports/387d66f3-a42d-4697-8b71-cbe314a2bc6c/overview

Verdict:

Malicious

Labled as:

Jaik.Generic

Link:

https://www.hybrid-analysis.com/sample/6f9de685cc3db3689fda7269ffbbdd5a84cf0697a71150f7cdefa93de4b219a1

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/5773c90c-86b0-4b90-9f28-c356bdfb64f0

Result

Threat name:

Mystic Stealer

Detection:

malicious

Classification:

troj.evad

Score:

80 / 100

Link:

https://www.joesandbox.com/analysis/1307032

Signature

Allocates memory in foreign processes

Antivirus detection for URL or domain

Contains functionality to inject code into remote processes

Injects a PE file into a foreign processes

Multi AV Scanner detection for submitted file

Writes to foreign memory regions

Yara detected Mystic Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/6f9de685cc3db3689fda7269ffbbdd5a84cf0697a71150f7cdefa93de4b219a1/

Threat name:

Win32.Trojan.CrypterX

Status:

Malicious

First seen:

2023-09-11 05:00:05 UTC

File Type:

PE (Exe)

AV detection:

12 of 38 (31.58%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=n6o6nbomhwzwrh62oju77o65lkcm6buxu4ivb56n56ut3zfsdgqq._file

Verdict:

malicious

MysticStealer

752823538da4481a5c018b006e45632bac790df88df756c6a54291981d953983

MysticStealer

87a93f4ea20e45fe032aa2032650a9fcd2bd9b1f7979e1712b69219f0badb4e5

MysticStealer

9cdf38cb0da9f91a8db0766d4de59676c4231ec590e9b3b29405e7880ce35c64

MysticStealer

a86c40b7336f60749b61736fdb2192f3079baacf4893fe9d572b1891927b7ef6

MysticStealer

b1e2a3c398285245e9f23bcc6ed924620c76a703f6403495e29fd13df598131a

MysticStealer

b6dbab0251f7dc75749babd8a98c8072df0ae4bd9767198cf2381d667e2222f6

MysticStealer

c3de8f808b7c5b3b37549bb8b6bea11463eed6a74532797f9a4214c1b5ea747f

MysticStealer

d03f483c84ba8fec1d84b160c90c7bddf1b7b892dd600ca18fdea9ed7205afa5

MysticStealer

d27809504464823d84d0b88ac03760fa68d8a361e9709ded0b3f5cd17ab4edeb

MysticStealer

+ 713 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://tria.ge/reports/230911-fmzctsdf8x/

Behaviour

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of SetThreadContext

Unpacked files

SH256 hash:

6f9de685cc3db3689fda7269ffbbdd5a84cf0697a71150f7cdefa93de4b219a1

MD5 hash:

0047317cca809d44c94570d1dc872d97

SHA1 hash:

34414abe30647a37fe676a227387b7b0a35df3e5

Link:

https://www.unpac.me/results/c4efbdfb-847c-47a2-b2b1-ea3611234a6e/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/6f9de685cc3d/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.37

Link:

https://yomi.yoroi.company/submissions/6f9de685cc3db3689fda7269ffbbdd5a84cf0697a71150f7cdefa93de4b219a1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AppLaunch Create hunting rule
Author:	iam-py-test
Description:	Detect files referencing .Net AppLaunch.exe

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	PE_Potentially_Signed_Digital_Certificate Create hunting rule
Author:	albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

Cape

https://www.capesandbox.com/analysis/447816/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample