MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7e2fd37d4bb8cc4166498114d887a99f84122f6990cbfc2fe7047c8d41e866da. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

MysticStealer

Vendor detections: 9

Intelligence 9 IOCs YARA 3 File information Comments

SHA256 hash:	7e2fd37d4bb8cc4166498114d887a99f84122f6990cbfc2fe7047c8d41e866da
SHA3-384 hash:	24e866bc6547e149132d23cf14a1fa43dfabf6aa8161b47605fcbbb7755a9cda0148c25bae5bfc15950b4735a087fd34
SHA1 hash:	7daa97964d11a0bb1af7921c81fb43a06ae16016
MD5 hash:	17fa8319d0f676b0a4e69d629e3b46a3
humanhash:	maine-stairway-hamper-april
File name:	17fa8319d0f676b0a4e69d629e3b46a3.exe
Download:	download sample
Signature	MysticStealer Create hunting rule
File size:	946'176 bytes
First seen:	2023-09-20 16:44:43 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	ccc0dba82ee571a2525935dd8b932dc3 (1 x MysticStealer)
ssdeep	6144:TNz+5SS9e1jf5dRV5mH8kzRAv/cAOzA1toyJWlKT6yVRVUKxAPIzWxMTYgK11jW6:TNip9e1jf5p5Usv/c26KxAPISkkW5cC
Threatray	8 similar samples on MalwareBazaar
TLSH	T14515AE117592C472D9B115344CE5DAB9563DBC204A208AEB73DC3F3FBF707929632A2A
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	007861494d591920 (2 x RecordBreaker, 1 x Vidar, 1 x MysticStealer)
Reporter	abuse_ch
Tags:	exe MysticStealer

Intelligence

File Origin

# of uploads :

# of downloads :

291

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

17fa8319d0f676b0a4e69d629e3b46a3.exe

Verdict:

No threats detected

Analysis date:

2023-09-20 16:48:02 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/d151037f-1124-4f90-8639-962303e69353

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/450096/

Detection(s):

SecuriteInfo.com.W32.Kryptik.HCYC.tr.19505.2828.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Searching for the window

Sending a custom TCP request

Gathering data

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

control greyware lolbin packed

Link:

https://www.filescan.io/uploads/650b219332ffdb7a7a0d6dcf/reports/305d90a8-1733-470e-aef2-55261a382908/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/7e2fd37d4bb8cc4166498114d887a99f84122f6990cbfc2fe7047c8d41e866da

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/1e8d7943-8892-445f-a5a4-0ee3463c0de3

Result

Threat name:

Mystic Stealer

Detection:

malicious

Classification:

troj.spyw.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/1311729

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Detected unpacking (creates a PE file in dynamic memory)

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected Mystic Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/7e2fd37d4bb8cc4166498114d887a99f84122f6990cbfc2fe7047c8d41e866da/

Threat name:

Win32.Trojan.Generic

Status:

Malicious

First seen:

2023-09-20 11:33:30 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

12 of 23 (52.17%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=pyx5g7klxdgeczsjqeknrb5jt6cbel3jsdf7yl7har6i2qpim3na._file

Verdict:

malicious

MysticStealer

381916d6fb7edc9c8173fe16c87eed4c133c5ee9eaaa721f3d69eb3db044c06f

MysticStealer

43ebad7b690eed2164234bd2dcba6646388b446cfa1d33f96eb2df0856be493c

MysticStealer

5c2833101e79e8c712a57d535d0cb91c125cbad3f1ac80a8cd099c28e760f70d

MysticStealer

6e290ef176583f474273aef569f08534a3991270af0d8eee984fa6ffee054550

MysticStealer

83a9ea78c40585a5d9ca27ee574c375153a25e4f5b926f9d830605888783b793

MysticStealer

c5d94ebbb93873b30d30b837844a4749ebe9a901f55b833d0c7dc041f140e8a1

MysticStealer

cfeb98ac590bbca55621dd6d499ac146da9053b046bfaa7b98b9d66752ddda7d

MysticStealer

Result

Malware family:

mystic

Score:

10/10

Tags:

family:mystic spyware stealer

Link:

https://tria.ge/reports/230920-t9dxashe2s/

Behaviour

Suspicious use of AdjustPrivilegeToken

Program crash

Accesses cryptocurrency files/wallets, possible credential harvesting

Loads dropped DLL

Reads user/profile data of web browsers

Mystic

Unpacked files

SH256 hash:

7e2fd37d4bb8cc4166498114d887a99f84122f6990cbfc2fe7047c8d41e866da

MD5 hash:

17fa8319d0f676b0a4e69d629e3b46a3

SHA1 hash:

7daa97964d11a0bb1af7921c81fb43a06ae16016

Link:

https://www.unpac.me/results/20414418-76de-4325-a7ef-cef9cc017012/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/7e2fd37d4bb8cc4166498114d887a99f84122f6990cbfc2fe7047c8d41e866da

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	meth_peb_parsing Create hunting rule
Author:	Willi Ballenthin

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/450096/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample