MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 93b7965798dc354b575775d75decbdf8610413e6a8a5b27b613061109fbe6a9c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

MysticStealer

Vendor detections: 9

Intelligence 9 IOCs YARA 7 File information Comments

SHA256 hash:	93b7965798dc354b575775d75decbdf8610413e6a8a5b27b613061109fbe6a9c
SHA3-384 hash:	bb6bdb202375284dd67ff6292fa9a2a417f156cecc53a6c1ad3d4cb13e49517b7d445ea13f8c59b056936b7d3705b41a
SHA1 hash:	93e6d60c3ac6694cd0adb81d714f92f4c385cef8
MD5 hash:	d6de685b4cc8ce0c68eb8fa33bd52e46
humanhash:	three-green-glucose-winter
File name:	file
Download:	download sample
Signature	MysticStealer Create hunting rule
File size:	366'456 bytes
First seen:	2023-09-11 06:00:32 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	42a9a04d093acea5d87d09e3defddcb0 (32 x Amadey, 26 x RedLineStealer, 2 x MysticStealer)
ssdeep	6144:sPjUiz6DCGbAR/VeDC1tAORMCWjRsX0u9FPOwjKkiurBiIg:sYizaC+UjwkP9MZkiurBiIg
Threatray	730 similar samples on MalwareBazaar
TLSH	T13774AF95B8D1C4F2DC3117360EE0EE7A1D39A9651B590EFB53A48EFE4B233C14626B21
TrID	32.2% (.EXE) Win64 Executable (generic) (10523/12/4) 20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 15.4% (.EXE) Win16 NE executable (generic) (5038/12/1) 13.7% (.EXE) Win32 Executable (generic) (4505/5/1) 6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter	andretavare5
Tags:	exe MysticStealer

andretavare5

Sample downloaded from http://77.91.68.238/love/no230.exe

Intelligence

File Origin

# of uploads :

# of downloads :

312

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

file

Verdict:

No threats detected

Analysis date:

2023-09-11 06:01:13 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/1b88da2a-7062-4412-bd8e-adeb5835667e

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/447828/

Detection(s):

SecuriteInfo.com.Win32.CrypterX-gen.29484.25469.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Launching a process

Сreating synchronization primitives

Creating a file in the %temp% directory

Launching the default Windows debugger (dwwin.exe)

Sending a custom TCP request

Forced shutdown of a system process

Unauthorized injection to a system process

Gathering data

Verdict:

Malicious

Labled as:

Jaik.Generic

Link:

https://www.hybrid-analysis.com/sample/93b7965798dc354b575775d75decbdf8610413e6a8a5b27b613061109fbe6a9c

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/418fa8fc-85e9-4712-9915-f9f2fda7120e

Result

Threat name:

Mystic Stealer

Detection:

malicious

Classification:

troj.evad

Score:

80 / 100

Link:

https://www.joesandbox.com/analysis/1307051

Signature

Allocates memory in foreign processes

Antivirus detection for URL or domain

Contains functionality to inject code into remote processes

Injects a PE file into a foreign processes

Multi AV Scanner detection for submitted file

Writes to foreign memory regions

Yara detected Mystic Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/93b7965798dc354b575775d75decbdf8610413e6a8a5b27b613061109fbe6a9c/

Threat name:

Win32.Trojan.Amadey

Status:

Malicious

First seen:

2023-09-11 06:01:17 UTC

File Type:

PE (Exe)

AV detection:

21 of 24 (87.50%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=so3zmv4y3q2uwv2xoxlv33f57bqqie7gvcs3e63bgbqrbh56nkoa._file

Verdict:

malicious

MysticStealer

37ef517ad91a44700971fea612ba8a63a1d2f4c373a2c92084e13803119270f9

MysticStealer

7f58a7af82d23f8e3d96d59d475f17a532f342850a4ff1b5a002c53244ed3178

MysticStealer

8163cf77c1cdfbe6998a74dd78c0dbbe8ca02c8df9932296dcfe5bada9c48a3f

MysticStealer

b6dbab0251f7dc75749babd8a98c8072df0ae4bd9767198cf2381d667e2222f6

MysticStealer

cca65a9ffc4cc09af8e29a65071ff6b5c2b10086caa8ca201322fab28d46a48d

MysticStealer

d27809504464823d84d0b88ac03760fa68d8a361e9709ded0b3f5cd17ab4edeb

MysticStealer

d523fc3a996f7d29e5ef1071ec0e2ffd6a4cf7fdc73b5750974a1e5e3108ea71

MysticStealer

d710bfb8d4ee7669e489785deccfd7e7cd8c9ccc936b10519615e5a7f3748d86

MysticStealer

edcade63346f48f03b9420c18c0b9c2246b72ea5ea29baf58abbb7fe8b8ce358

MysticStealer

+ 720 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://tria.ge/reports/230911-gqwlsadh8z/

Behaviour

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of SetThreadContext

Unpacked files

SH256 hash:

93b7965798dc354b575775d75decbdf8610413e6a8a5b27b613061109fbe6a9c

MD5 hash:

d6de685b4cc8ce0c68eb8fa33bd52e46

SHA1 hash:

93e6d60c3ac6694cd0adb81d714f92f4c385cef8

Link:

https://www.unpac.me/results/31a5d9f2-67e6-4cf9-b537-53b4880040ab/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/93b7965798dc/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/93b7965798dc354b575775d75decbdf8610413e6a8a5b27b613061109fbe6a9c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AppLaunch Create hunting rule
Author:	iam-py-test
Description:	Detect files referencing .Net AppLaunch.exe

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	PE_Potentially_Signed_Digital_Certificate Create hunting rule
Author:	albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

URLhaus

https://urlhaus.abuse.ch/url/2710216/

Cape

https://www.capesandbox.com/analysis/447828/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample