MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 885d6abe4ce4819b6ae96807220378f5b48496df0c2908e1965340465d77f77c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MysticStealer


Vendor detections: 10


Intelligence 10 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 885d6abe4ce4819b6ae96807220378f5b48496df0c2908e1965340465d77f77c
SHA3-384 hash: 2dc7e816c9d7ca667b5a441c36e6afbf28b27a775a2720cc34f018e032de4dd00f9bcf154fecc06f41360aafb6a760a7
SHA1 hash: 960334e5824882b27a5e3e73ae703b4de2ed0e02
MD5 hash: 563ea0b001de039977dda41650318bf8
humanhash: princess-equal-quebec-illinois
File name:file
Download: download sample
Signature MysticStealer
Create hunting rule
File size:364'544 bytes
First seen:2023-09-29 10:29:18 UTC
Last seen:2023-09-29 11:47:30 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 96baacc90461fcd4b5d9fcc50047c098 (37 x MysticStealer, 26 x Amadey, 15 x RedLineStealer)
ssdeep 6144:diTeW/s5GqrO5aXnfEGIXWPvZAOPydefHB1fjcSVPx6t6mv6BCBD4FVs0BC+:RmcGqrOk86xJfHBVjPPx6t6mA0Ss0BC+
Threatray 680 similar samples on MalwareBazaar
TLSH T1AC74BFD970D28073DC71C6314AD4AFB4CCBC7D7148A29B5F63F43ABE4A681819166B3A
TrID 56.8% (.EXE) InstallShield setup (43053/19/16)
13.8% (.EXE) Win64 Executable (generic) (10523/12/4)
8.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.9% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter andretavare5
Tags:exe MysticStealer


Avatar
andretavare5
Sample downloaded from http://77.91.68.239/wase/zor40.exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
285
Origin country :
US US
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.Inject4.61510.14329.26809.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Сreating synchronization primitives
Creating a file in the %temp% directory
Launching the default Windows debugger (dwwin.exe)
Unauthorized injection to a system process
Gathering data
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
control greyware lolbin
Link:
https://www.filescan.io/uploads/6516a72c0870810f01891d4d/reports/f3fed607-59bf-4c3b-ad9a-9fbeb41354e9/overview
Verdict:
Malicious
Labled as:
Lazy.Generic
Link:
https://www.hybrid-analysis.com/sample/885d6abe4ce4819b6ae96807220378f5b48496df0c2908e1965340465d77f77c
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/97ffa43a-9e1b-457d-8081-34167325f8fc
Result
Threat name:
Mystic Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1316381
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Yara detected Mystic Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/885d6abe4ce4819b6ae96807220378f5b48496df0c2908e1965340465d77f77c/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rbowvpsm4sazw2xjnadsea3y6w2ijfw7bquqrymwknaemxlx656a._file
Verdict:
malicious
Similar samples:
7ccf52e16a13ed7087427bcdb05c85971b0d9796a5884287573166da46ad50f1
MysticStealer
7d99eb634d001b9dc8667d34cf8f0ae1a067e69dbd366e63af156a592017d254
MysticStealer
c3da5d3a789a0d72a7273ab2fc33cc228831ba03164667f62232a5ec039832aa
MysticStealer
c6c7cf1fe98df6ad9cef8cc1cb280df3a5a71de48f0ab014f02076791bfa118c
MysticStealer
d331612139ce264eb3770d828b8242a1e04e8a81af38fc3300647deb6a896060
MysticStealer
db88b3051a1aae088cb21fb88d1df75ac86553e6be3ec3903caf4501f05a4211
MysticStealer
eef26490e77fe02338150f05b2134d053736d33b448d2e5309778921cd7cf610
MysticStealer
f6f01d9bb11a8815d92f74da8ee5754a0dc789920e2f0674b3bc2d95a0f930b9
MysticStealer
fa96f32dffc26c286f041c805998e70bb94f3ece02d1e791b5b604880aba297c
MysticStealer
+ 670 additional samples on MalwareBazaar
Result
Malware family:
mystic
Create hunting rule
Score:
  10/10
Tags:
family:mystic stealer
Link:
https://tria.ge/reports/230929-mjs5zabb36/
Behaviour
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Mystic
Unpacked files
SH256 hash:
033a63ee3b12456eaa45fd39381cdd5b5a0914f0e2a6e5e028775b235a3e152d
MD5 hash:
a261b06141fb8cdd61c07a0b92373fde
SHA1 hash:
b4d94af76652fdd5f48f3774db3d9bed0a461ff5
Link:
https://www.unpac.me/results/4319b184-1b29-4f7b-9ddf-8278ad5f5250/
SH256 hash:
885d6abe4ce4819b6ae96807220378f5b48496df0c2908e1965340465d77f77c
MD5 hash:
563ea0b001de039977dda41650318bf8
SHA1 hash:
960334e5824882b27a5e3e73ae703b4de2ed0e02
Link:
https://www.unpac.me/results/4319b184-1b29-4f7b-9ddf-8278ad5f5250/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/885d6abe4ce4819b6ae96807220378f5b48496df0c2908e1965340465d77f77c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:NET
Create hunting rule
Author:malware-lu

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
  
URLhaus
https://urlhaus.abuse.ch/url/2713788/

Comments