MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9602d17014b9c1e507d88bb95d61707b87ccc8bbf6ae28076326d040305776a8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

MysticStealer

Vendor detections: 11

Intelligence 11 IOCs YARA 4 File information Comments

SHA256 hash:	9602d17014b9c1e507d88bb95d61707b87ccc8bbf6ae28076326d040305776a8
SHA3-384 hash:	3d0b939c5a5809ed0e10967e975f26982ec0e1fad202c3c2a959127263ea14b3ad3d65c72dbd786813590d90c69dbff7
SHA1 hash:	39bbd5603ca9683979f8077dfc3f97ab38974c5c
MD5 hash:	0f7cfd3410d3656af64fd28bb3edb980
humanhash:	romeo-ten-freddie-juliet
File name:	2LU7635.exe
Download:	download sample
Signature	MysticStealer Create hunting rule
File size:	1'122'816 bytes
First seen:	2023-10-27 17:13:51 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	d880d0ae07cf434dea838358ed4c863f (3 x MysticStealer, 2 x RedLineStealer, 1 x Healer)
ssdeep	12288:46ygL5y6zHWdgAw/26p6LT9LLnM6GbSy9opulOdjlOus8Fr4bI0iqhfGdniG:0C5yqHWdgAw/26p6Xy6GbSROMh4F
Threatray	121 similar samples on MalwareBazaar
TLSH	T153359E3138C09571EEEA10B742EDFB2982ADD6A0071556DF76DC16EEC7606C36B326C2
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	Anonymous
Tags:	exe MysticStealer

Intelligence

File Origin

# of uploads :

# of downloads :

329

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

bus50.exe

Verdict:

Malicious activity

Analysis date:

2023-10-27 17:39:44 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/08474191-ff70-428c-b11e-cc37f1e5e837

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/456769/

Detection(s):

Win.Packed.Pwsx-10012424-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a process

Searching for synchronization primitives

Сreating synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Sending a custom TCP request

Searching for the window

Forced shutdown of a system process

Unauthorized injection to a system process

Gathering data

Verdict:

No Threat

Threat level:

2.5/10

Confidence:

100%

Tags:

control greyware lolbin

Link:

https://www.filescan.io/uploads/653befdc72356e4f29e8155a/reports/4b30666f-13ad-4cbe-b529-146cb18485af/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_70%

Link:

https://www.hybrid-analysis.com/sample/9602d17014b9c1e507d88bb95d61707b87ccc8bbf6ae28076326d040305776a8

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/8f76c0b9-ee0b-4962-928a-5fb0a036c9e7

Result

Threat name:

Mystic Stealer

Detection:

malicious

Classification:

troj.evad

Score:

80 / 100

Link:

https://www.joesandbox.com/analysis/1333444

Signature

Allocates memory in foreign processes

Antivirus detection for URL or domain

Contains functionality to inject code into remote processes

Injects a PE file into a foreign processes

Multi AV Scanner detection for submitted file

Writes to foreign memory regions

Yara detected Mystic Stealer

Behaviour

Behavior Graph:

Download SVG

Score:

97%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/9602d17014b9c1e507d88bb95d61707b87ccc8bbf6ae28076326d040305776a8

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/9602d17014b9c1e507d88bb95d61707b87ccc8bbf6ae28076326d040305776a8/

Threat name:

Win32.Trojan.Stealerc

Status:

Malicious

First seen:

2023-10-27 17:14:06 UTC

File Type:

PE (Exe)

AV detection:

17 of 23 (73.91%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=sybnc4auxha6kb6yro4v2ylqpod4zsf362xcqb3de3ieamcxo2ua._file

Verdict:

malicious

MysticStealer

57635a3e961e37e2193a038c9e90dd73b6841c1b316f8d128137a80fba61495c

MysticStealer

6f3aaa08baa55d61dd0e518e6847e47c323f2d3dcbaabe2e3c5299ebb7138b7e

MysticStealer

71898823e2f461b674aa28804eedc70188b30535a366c7fa60decc23f8c851dc

MysticStealer

7ba93b3f58365c561d0ab9b9bbd4128a41036b574889e6bd20c1b1cfc3c3e149

MysticStealer

7f9a67e0213810c8cfe971c3d5fbdf64f88d771563d6f82401cd43b1409543db

MysticStealer

9856a3f642fe8b44230b453100df51a456c7f4f27341fc02b2039283cb8cc946

MysticStealer

ada687d54c14b26911b5f37cefcea7568d6987c5aa24a546a1d36840182cb3ef

MysticStealer

dba3ca5e71159adfc7063dec816dcf339a9db5c92bb3df6ba08e431574bdf94a

MysticStealer

df0002f4e0d0740f433a7bb2fbdf8f9c4e2af603b307cd8554d7b139708e3e7c

MysticStealer

+ 111 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://tria.ge/reports/231027-vrzayshf33/

Behaviour

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of SetThreadContext

Unpacked files

SH256 hash:

5484ca53027230772ae149e3d7684b7e322432ceb013b6bc2440bd3c269192ea

MD5 hash:

e561df80d8920ae9b152ddddefd13c7c

SHA1 hash:

0d020453f62d2188f7a0e55442af5d75e16e7caf

Link:

https://www.unpac.me/results/5eb33070-7212-41d3-a95b-9ea4420641bd/

SH256 hash:

9602d17014b9c1e507d88bb95d61707b87ccc8bbf6ae28076326d040305776a8

MD5 hash:

0f7cfd3410d3656af64fd28bb3edb980

SHA1 hash:

39bbd5603ca9683979f8077dfc3f97ab38974c5c

Link:

https://www.unpac.me/results/5eb33070-7212-41d3-a95b-9ea4420641bd/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/9602d17014b9/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	NET Create hunting rule
Author:	malware-lu

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/456769/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample