MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 84e1510d77d05b85f1fe20cd46d829577ecf4305a4de79aad850d92c778b3c14. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MysticStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 84e1510d77d05b85f1fe20cd46d829577ecf4305a4de79aad850d92c778b3c14
SHA3-384 hash: 841514c06af49076efef0f575d18a2bd03be27b5f45c807e697378a1408772840bf11dab36de84a462e9e2b5e32b03b2
SHA1 hash: 51bedb46f18129de4f23630eae8fbe72a1fb8f7d
MD5 hash: 6ceb919c5d1f4372aaf32ed0d8a9cf57
humanhash: equal-alanine-hot-oven
File name:file
Download: download sample
Signature MysticStealer
Create hunting rule
File size:350'208 bytes
First seen:2023-09-13 15:23:07 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 35646f486d46399590ccfc4635584429 (28 x RedLineStealer, 5 x MysticStealer, 3 x Smoke Loader)
ssdeep 6144:2PJiKL/yfYb5B+BO99c0s0ZVtAOMgKra8LOtPbPXRG7C1rE9:2J//yfYb5BIQZVtS3QbJGEA9
Threatray 411 similar samples on MalwareBazaar
TLSH T12274AF0071C1813AD97212304EF89675653AB85107E79EEFE7B4DB3E0B271C2A7F2699
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter andretavare5
Tags:exe MysticStealer


Avatar
andretavare5
Sample downloaded from http://77.91.68.238/love/no230.exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
282
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-09-13 15:26:53 UTC
Tags:
stealc stealer
Link:
https://app.any.run/tasks/aa96e00d-07ad-4c0b-9238-3d042cd9cead

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/448431/
Detection(s):
SecuriteInfo.com.Win32.CrypterX-gen.25836.20666.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Сreating synchronization primitives
Creating a file in the %temp% directory
Unauthorized injection to a system process
Gathering data
Verdict:
No Threat
Threat level:
  10/10
Confidence:
100%
Tags:
control greyware lolbin
Link:
https://www.filescan.io/uploads/6501d4137aa68bd3a1f91205/reports/5c5b40c6-5f76-4fd0-8b35-c3dfaec89d40/overview
Verdict:
Malicious
Labled as:
Lazy.Generic
Link:
https://www.hybrid-analysis.com/sample/84e1510d77d05b85f1fe20cd46d829577ecf4305a4de79aad850d92c778b3c14
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d6afdae2-eb04-4a16-a5b5-902c36f2b828
Result
Threat name:
Mystic Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1308100
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Contains functionality to inject code into remote processes
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Yara detected Mystic Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/84e1510d77d05b85f1fe20cd46d829577ecf4305a4de79aad850d92c778b3c14/
Threat name:
Win32.Trojan.RedLine
Create hunting rule
Status:
Malicious
First seen:
2023-09-13 15:24:05 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
19 of 23 (82.61%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qtqvcdlx2bnyl4p6edgunwbjk57m6qyfutphtkwykdmsy54lhqka._file
Verdict:
malicious
Similar samples:
0b3223083eaa3ebc47f2f4a941f772266491e54760d438659af6f49268bfc1e2
MysticStealer
12da01e0dd4183f27ac316d4e8889a249df778610dc574fd624e68e287693146
MysticStealer
147c14a6ee47d73dcfaad142dd47e180a00f6a7c31bc8ffa6f233519fab1d594
MysticStealer
3ef776a8fd33572a6d5d0225f6d42f9b95ee578ceec903dc0f86e257884efe1a
MysticStealer
4257603f3ebc986c59d5dd7ca93f69d52a4c673c1eae2c2e53eb7060cb15336c
MysticStealer
8bddf5692870039eab6cd7d3e179c62b4802b2df9b51986e99c3bc6dcf3c025b
MysticStealer
945f463cf0dbc25cf7832992b2bc18093e41a52fc68bb40489912522022ed5ce
MysticStealer
a1d81d22551ba0d1149b5e2e0de18870ac73e90aaf36f6c52ae6edea0d084814
MysticStealer
ce1a8d6d6d69ef76b01ad35d455588034b39c7f89464c1c83bead936d2b433d9
MysticStealer
fa6ca34a7b4ca335c3456aeaac237fb2257e820accb5a2f09fcaff5df7035dfb
MysticStealer
+ 401 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/230913-ss2flada8z/
Behaviour
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
a1b57164515e9b99cd5f81828edede575cb99613db08fa0ebed662aaa6399d64
MD5 hash:
4dedb29e4796d9c5d7454715aec2fdc4
SHA1 hash:
4c3e0853dd83d7fe493675700bb8e8375b96cad8
Link:
https://www.unpac.me/results/07ee3aa7-7b87-4537-9263-db432094dc00/
SH256 hash:
84e1510d77d05b85f1fe20cd46d829577ecf4305a4de79aad850d92c778b3c14
MD5 hash:
6ceb919c5d1f4372aaf32ed0d8a9cf57
SHA1 hash:
51bedb46f18129de4f23630eae8fbe72a1fb8f7d
Link:
https://www.unpac.me/results/07ee3aa7-7b87-4537-9263-db432094dc00/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/84e1510d77d0/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/84e1510d77d05b85f1fe20cd46d829577ecf4305a4de79aad850d92c778b3c14

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AppLaunch
Create hunting rule
Author:iam-py-test
Description:Detect files referencing .Net AppLaunch.exe
Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:NET
Create hunting rule
Author:malware-lu

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/448431/

Comments