MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aab85a9a6323947e92b0921feac50363225abdde280c6afd0662362535829b80. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

MysticStealer

Vendor detections: 12

Intelligence 12 IOCs YARA 4 File information Comments

SHA256 hash:	aab85a9a6323947e92b0921feac50363225abdde280c6afd0662362535829b80
SHA3-384 hash:	33ef61ddaeb6dcf3a24debe74150089db208416f4a8412fc34c233e1d08e05cbfb0c010a8397d4bcf768f4dd61c0f9cc
SHA1 hash:	4521c8cf6dee8269e69fb1e0202ac6fb8e3a97be
MD5 hash:	6a60ccc7dc556bc5b9a24ac58576143c
humanhash:	leopard-timing-oscar-tennessee
File name:	SecuriteInfo.com.Trojan.Inject4.61247.16302.14978
Download:	download sample
Signature	MysticStealer Create hunting rule
File size:	1'075'200 bytes
First seen:	2023-09-21 08:38:54 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	275c1ac8a0a90e452d90c6b023f705b9 (6 x MysticStealer, 4 x RedLineStealer, 1 x AgentTesla)
ssdeep	12288:MoewdPenEp953bXeu5W2fo8oBNFJQxBTTASKuLpv+5nixAEuutPQHnyghR5:sAPenEp953bpfo8Un+TMSoyYyghz
Threatray	163 similar samples on MalwareBazaar
TLSH	T16A359E217DD09172EEE221BB82ECBA35416DD0B4C72516CF16D8D7EEEB602C17B31692
TrID	32.2% (.EXE) Win64 Executable (generic) (10523/12/4) 20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 15.4% (.EXE) Win16 NE executable (generic) (5038/12/1) 13.7% (.EXE) Win32 Executable (generic) (4505/5/1) 6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter	SecuriteInfoCom
Tags:	exe MysticStealer

Intelligence

File Origin

# of uploads :

# of downloads :

280

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SecuriteInfo.com.Trojan.Inject4.61247.16302.14978

Verdict:

Malicious activity

Analysis date:

2023-09-21 08:40:15 UTC

Tags:

stealc stealer

Link:

https://app.any.run/tasks/d81a0514-dd4a-4538-b266-181f88313cc0

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/450301/

Detection(s):

SecuriteInfo.com.Trojan.Inject4.61247.16302.14978.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Launching a process

Сreating synchronization primitives

Creating a file in the %temp% directory

Launching the default Windows debugger (dwwin.exe)

Sending a custom TCP request

Unauthorized injection to a system process

Gathering data

Verdict:

No Threat

Threat level:

2/10

Confidence:

100%

Tags:

control greyware lolbin

Link:

https://www.filescan.io/uploads/650c012cf1b40cb0d61fce2a/reports/31b696d9-6434-4f10-9676-9f1d7398ed1f/overview

Verdict:

Malicious

Labled as:

GenKryptik.GOBL trojan

Link:

https://www.hybrid-analysis.com/sample/aab85a9a6323947e92b0921feac50363225abdde280c6afd0662362535829b80

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Sysinternals

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/7c631911-0a4d-4dc5-87ea-eb6598eb8b47

Result

Threat name:

Mystic Stealer

Detection:

malicious

Classification:

troj.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/1312125

Signature

Allocates memory in foreign processes

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found malware configuration

Injects a PE file into a foreign processes

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Writes to foreign memory regions

Yara detected Mystic Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/aab85a9a6323947e92b0921feac50363225abdde280c6afd0662362535829b80/

Threat name:

Win32.Trojan.MysticStealer

Status:

Malicious

First seen:

2023-09-21 07:07:10 UTC

File Type:

PE (Exe)

AV detection:

24 of 38 (63.16%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=vk4fvgtdeokh5evqsip6vridmmrfvpo6faggv7igmi3cknmctoaa._file

Verdict:

unknown

MysticStealer

27a3062b432b89e7ccab967f0e0d77dfbddd0c837ad65bca573d3545228a2063

MysticStealer

5f7a493b62d573b0559fca032defa29287c77280217ba21a5d5c20c9a4d798fb

MysticStealer

7dedf613bef159a338fa71ae8e77e11899f9f5314ac3ebbb63c70d24537c3c73

MysticStealer

99e0a3b18cb3e7cc6efbfc4330995241ec60acf24d3488eeb5785cda6202e643

MysticStealer

be7f7cad13d7b9f6ca0519f08d8f729deaf721d0d72e28b629a04850375fc202

MysticStealer

c1570e142748ee7b87a4996b2472cd560eace8beae33b627209a97ef4190a46f

MysticStealer

c24740dcd219e014f566641c26b8b67864156d4e915867fa37d93d0b514f871a

MysticStealer

d12822384d1a1247a9dd4328f574418c195ba317e1de5511a2abd79868ff6d4d

MysticStealer

e8702ab87212b08e09958c604a9e039aa5c403888edafd401a29abc4cbb864fb

MysticStealer

+ 153 additional samples on MalwareBazaar

Result

Malware family:

mystic

Score:

10/10

Tags:

family:mystic stealer

Link:

https://tria.ge/reports/230921-kkanxaeh21/

Behaviour

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of SetThreadContext

Mystic

Unpacked files

SH256 hash:

bb30309eb812ec97ec2a42016a9a027c488e684cda876f92e9ff64a687550679

MD5 hash:

4d48f9fec6414a537c4bcec69a185d69

SHA1 hash:

49993349e3d9b8de4cb4add65dc5131d1e7d1cd3

Link:

https://www.unpac.me/results/3900cc86-a2ea-4dae-9e6a-33b40dd153cc/

SH256 hash:

aab85a9a6323947e92b0921feac50363225abdde280c6afd0662362535829b80

MD5 hash:

6a60ccc7dc556bc5b9a24ac58576143c

SHA1 hash:

4521c8cf6dee8269e69fb1e0202ac6fb8e3a97be

Link:

https://www.unpac.me/results/3900cc86-a2ea-4dae-9e6a-33b40dd153cc/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/aab85a9a6323/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/aab85a9a6323947e92b0921feac50363225abdde280c6afd0662362535829b80

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	NET Create hunting rule
Author:	malware-lu

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/450301/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample