MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7dbfb716abaafac81b085ecccf7b0e870b2ce42866e7559b4a70e1f033752e83. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MysticStealer


Vendor detections: 12


Intelligence 12 IOCs YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7dbfb716abaafac81b085ecccf7b0e870b2ce42866e7559b4a70e1f033752e83
SHA3-384 hash: 9849a4fd2e485e71fe56aa03395ad50ecab1c02dfbc589d03a13a4bfc3d178d6f03c7436b923e393458fad107ac3f320
SHA1 hash: 7e590e60be55a129eba96a85c5b97f67dffaf652
MD5 hash: 976e6d5f53d70ad0616d627e69fccd88
humanhash: friend-romeo-one-saturn
File name:976e6d5f53d70ad0616d627e69fccd88
Download: download sample
Signature MysticStealer
Create hunting rule
File size:1'122'816 bytes
First seen:2023-10-27 23:58:50 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash d880d0ae07cf434dea838358ed4c863f (3 x MysticStealer, 2 x RedLineStealer, 1 x Healer)
ssdeep 24576:2ipkiHWdgAw/26p6AuVGbySOfzkHtxY4sMj:2kWw/26p6dTSeMm4/
Threatray 127 similar samples on MalwareBazaar
TLSH T19335AE2178C08176EEF214F743ECB62A82ADE4B4071526DF46D846EFDB606C17B72687
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter zbetcheckin
Tags:32 exe MysticStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
331
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
tmp.exe
Verdict:
Malicious activity
Analysis date:
2023-10-28 01:40:18 UTC
Tags:
sinkhole stealc stealer redline amadey botnet trojan opendir loader
Link:
https://app.any.run/tasks/ccf28aef-0303-4eb7-bcbf-cd145ea69222

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/456793/
Detection(s):
Win.Packed.Pwsx-10012424-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Searching for synchronization primitives
Сreating synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Searching for the window
Sending a custom TCP request
Unauthorized injection to a system process
Gathering data
Verdict:
No Threat
Threat level:
  2.5/10
Confidence:
100%
Tags:
control greyware lolbin
Link:
https://www.filescan.io/uploads/653c4ec7bc703e36b0910bf4/reports/39ec29a5-cb77-49d5-96aa-def74113400e/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/7dbfb716abaafac81b085ecccf7b0e870b2ce42866e7559b4a70e1f033752e83
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/5748eba8-7d9c-4d52-8e24-eb135dd6e938
Result
Threat name:
Mystic Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/1333591
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
Contains functionality to inject code into remote processes
Injects a PE file into a foreign processes
Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Yara detected Mystic Stealer
Behaviour
Behavior Graph:
Download SVG
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/7dbfb716abaafac81b085ecccf7b0e870b2ce42866e7559b4a70e1f033752e83
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7dbfb716abaafac81b085ecccf7b0e870b2ce42866e7559b4a70e1f033752e83/
Threat name:
Win32.Trojan.Stealerc
Create hunting rule
Status:
Malicious
First seen:
2023-10-27 23:59:06 UTC
File Type:
PE (Exe)
AV detection:
18 of 23 (78.26%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pw73ofvlvl5mqgyil3gm66yoq4fszzbim3tvlg2kodq7am3vf2bq._file
Verdict:
malicious
Similar samples:
3932112f1cf166503abed03c187c906c46d61c9d27561519f83ebeb3bb8fa3ac
MysticStealer
5b047686238347125e0f042d7b07c1999002311ad38ed042548dddff17c3ee0b
MysticStealer
5fa249077f0dfcb2f4c1540e6568887b073557da10c6da0a2c1871e40c914189
MysticStealer
7ba93b3f58365c561d0ab9b9bbd4128a41036b574889e6bd20c1b1cfc3c3e149
MysticStealer
7f9a67e0213810c8cfe971c3d5fbdf64f88d771563d6f82401cd43b1409543db
MysticStealer
9602d17014b9c1e507d88bb95d61707b87ccc8bbf6ae28076326d040305776a8
MysticStealer
ada687d54c14b26911b5f37cefcea7568d6987c5aa24a546a1d36840182cb3ef
MysticStealer
dba3ca5e71159adfc7063dec816dcf339a9db5c92bb3df6ba08e431574bdf94a
MysticStealer
df0002f4e0d0740f433a7bb2fbdf8f9c4e2af603b307cd8554d7b139708e3e7c
MysticStealer
e599cdf301bdca7ac814280a10471f47efe703173d844052838e3b9f85caafb8
MysticStealer
+ 117 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/231027-31p3msdc25/
Behaviour
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
5484ca53027230772ae149e3d7684b7e322432ceb013b6bc2440bd3c269192ea
MD5 hash:
e561df80d8920ae9b152ddddefd13c7c
SHA1 hash:
0d020453f62d2188f7a0e55442af5d75e16e7caf
Link:
https://www.unpac.me/results/29099166-3a68-40e1-acb8-cfea53caef7e/
SH256 hash:
7dbfb716abaafac81b085ecccf7b0e870b2ce42866e7559b4a70e1f033752e83
MD5 hash:
976e6d5f53d70ad0616d627e69fccd88
SHA1 hash:
7e590e60be55a129eba96a85c5b97f67dffaf652
Link:
https://www.unpac.me/results/29099166-3a68-40e1-acb8-cfea53caef7e/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:NET
Create hunting rule
Author:malware-lu

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

MysticStealer

Executable exe 7dbfb716abaafac81b085ecccf7b0e870b2ce42866e7559b4a70e1f033752e83

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2726336/
Cape
Cape
https://www.capesandbox.com/analysis/456793/

Comments


Avatar
zbet commented on 2023-10-27 23:58:51 UTC

url : hxxp://77.91.68.249/fuza/salo.exe