MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b224a6c44c1ba5e49b40fc9f5176d6ad1719031f0312d85650174dc29c88276e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MysticStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 7 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b224a6c44c1ba5e49b40fc9f5176d6ad1719031f0312d85650174dc29c88276e
SHA3-384 hash: 52e7c8a257f924a88ab22c014000a3be6aad4159d1a354e99564f9ed60c1505b01cce5fdb08c44ffaf50b272fccdd9aa
SHA1 hash: 49de8afad3ea0ff58ef987d4866fc36781092808
MD5 hash: 0e5e7da39bcd6310211bd83eca5cbfd1
humanhash: twelve-two-mississippi-muppet
File name:0e5e7da39bcd6310211bd83eca5cbfd1
Download: download sample
Signature MysticStealer
Create hunting rule
File size:1'909'248 bytes
First seen:2023-10-23 12:59:54 UTC
Last seen:2023-10-23 13:34:51 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 037522269f8348aa17add864631a3f22 (6 x MysticStealer, 4 x Smoke Loader, 2 x Formbook)
ssdeep 24576:jrAAfSYqe7E9k7d+WNO6a9DhvhDyg3fI:jRqe7E9rW06a3v8+
Threatray 235 similar samples on MalwareBazaar
TLSH T18A952C1176F94B59FAF30FB85ABA6612087AFC698F11CADF1251508E0D31AD09970F3B
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter zbetcheckin
Tags:32 exe MysticStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
297
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
0e5e7da39bcd6310211bd83eca5cbfd1
Verdict:
Malicious activity
Analysis date:
2023-10-23 13:05:06 UTC
Tags:
stealc stealer
Link:
https://app.any.run/tasks/5a4aafdf-a052-4399-93a5-08d0c2fb881a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.5562.6836.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Сreating synchronization primitives
Unauthorized injection to a system process
Gathering data
Verdict:
No Threat
Threat level:
  2.5/10
Confidence:
100%
Tags:
control greyware lolbin
Link:
https://www.filescan.io/uploads/65366e544678fc28dfc61006/reports/3b17fb51-2594-4491-955b-eb2afb89ba6a/overview
Verdict:
Malicious
Labled as:
Trojan/Injector.bdh
Link:
https://www.hybrid-analysis.com/sample/b224a6c44c1ba5e49b40fc9f5176d6ad1719031f0312d85650174dc29c88276e
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/53d0fac3-2751-40a2-b10b-7993dd83816c
Result
Threat name:
Mystic Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/1330582
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Found malware configuration
Injects a PE file into a foreign processes
Writes to foreign memory regions
Yara detected Mystic Stealer
Behaviour
Behavior Graph:
Download SVG
Score:
95%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/b224a6c44c1ba5e49b40fc9f5176d6ad1719031f0312d85650174dc29c88276e
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b224a6c44c1ba5e49b40fc9f5176d6ad1719031f0312d85650174dc29c88276e/
Threat name:
Win32.Trojan.Stealerc
Create hunting rule
Status:
Malicious
First seen:
2023-10-23 13:05:59 UTC
AV detection:
19 of 23 (82.61%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wisknrcmdos6jg2a7spvc5wwvulrsay7amjnqvsqc5g4fheie5xa._file
Verdict:
malicious
Similar samples:
08c0d32c5801467454e923599e74fc5c10ff0db6d152d9e5f67a303203e33db4
MysticStealer
126c0f9959aa4a01bb5e8254b72b4bac370a12cddded7d815ea09b0894f1ee59
MysticStealer
32fc4939b1ccdd7f7ea0feecb05df65bb4f677961c2f70f5ed7fe26ff081b7d1
MysticStealer
5daa9d2d50d75fe0d91f2330e679aad02de3a841cceec9fcff74a55aa0b835a2
MysticStealer
8c01f096725d70248403986433a2052358112499578c1e5ce68b1363709434bd
MysticStealer
9042afcab837d06d2b0372e15c2b981c253b32e0b0f5e6e2cd57d52c77ba3ce6
MysticStealer
9db10dca22b6e4b610d74316f7a94f758d32f077666c0b775e9f0f13234f30ff
MysticStealer
af57e0f87312aedf0fe588dc08e4f5453b5ce31bbaa64b9f7b4033261e279a9e
MysticStealer
b857534dee49e9485913b54161cfd20ce3a26ebb1b4d4d73a13d88d94bbe017b
MysticStealer
c6d732d8b01afa98d6bf5012c45309107f9866e63aaf7351a35240a945a20925
MysticStealer
+ 225 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/231023-p8metsgg51/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
a0330d75df7075206cf68d358e3acfc621062f35db43c2521b8ef5e7c9f317f1
MD5 hash:
0635bc911c5748d71a4aed170173481e
SHA1 hash:
6d92ff8b519e4a10759f75f3b3d9e1459ed4ff1b
Link:
https://www.unpac.me/results/7a90a134-26fa-4b6e-82e9-3398664c9eee/
SH256 hash:
b224a6c44c1ba5e49b40fc9f5176d6ad1719031f0312d85650174dc29c88276e
MD5 hash:
0e5e7da39bcd6310211bd83eca5cbfd1
SHA1 hash:
49de8afad3ea0ff58ef987d4866fc36781092808
Link:
https://www.unpac.me/results/7a90a134-26fa-4b6e-82e9-3398664c9eee/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b224a6c44c1b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AppLaunch
Create hunting rule
Author:iam-py-test
Description:Detect files referencing .Net AppLaunch.exe
Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:NET
Create hunting rule
Author:malware-lu

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

MysticStealer

Executable exe b224a6c44c1ba5e49b40fc9f5176d6ad1719031f0312d85650174dc29c88276e

(this sample)

  
Delivery method
Distributed via web download

Comments


Avatar
zbet commented on 2023-10-23 12:59:55 UTC

url : hxxp://77.91.68.249/fuza/nalo.exe