MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bae397ae859869f27a712b1aea44ffa086fdc89109d9bd239f951c37b9b97f40. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

MysticStealer

Vendor detections: 12

Intelligence 12 IOCs YARA 4 File information Comments

SHA256 hash:	bae397ae859869f27a712b1aea44ffa086fdc89109d9bd239f951c37b9b97f40
SHA3-384 hash:	2e70c6ca32951d6fcfd1eb59fd111e877e534bc97e6b5aeed4549d168b4f77881e8377d8f4ba8f6239a7acceb132fcaf
SHA1 hash:	3521d5a46974b3afc7dbdcf301dd7fbe4afbfe5d
MD5 hash:	4a20231a4b36227f3aa172564673f743
humanhash:	undress-snake-juliet-california
File name:	4a20231a4b36227f3aa172564673f743.exe
Download:	download sample
Signature	MysticStealer Create hunting rule
File size:	292'352 bytes
First seen:	2023-10-02 15:19:07 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f206bf4934412e0139dfd76edfc7dab0 (9 x RedLineStealer, 3 x Amadey, 2 x MysticStealer)
ssdeep	6144:5U+Elo4WGFw16Hczc71vS6zXGLgWYa5iYG6ox:5U+ElodKHcQ711zXkgWH5iYKx
Threatray	888 similar samples on MalwareBazaar
TLSH	T1DB54AE8139C594B6D2B2103554A0BBB4E77FE6342EA41A67374F07AE3F3C1D0EA39562
TrID	32.2% (.EXE) Win64 Executable (generic) (10523/12/4) 20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 15.4% (.EXE) Win16 NE executable (generic) (5038/12/1) 13.7% (.EXE) Win32 Executable (generic) (4505/5/1) 6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter	abuse_ch
Tags:	exe MysticStealer

Intelligence

File Origin

# of uploads :

# of downloads :

274

Origin country :

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

https://coossa.com/soft9w/idm-download-with-crack-64-bit-2023.7z?c=yfHsiY20iOiJXaW5kb3dzIiwic3MiOiIxNjg5MTA0Njc2IiwicnMiOiIyNjM3IiwiZHMiOiIyNjU0NTUifXw

Verdict:

Malicious activity

Analysis date:

2023-10-02 13:52:53 UTC

Tags:

privateloader evasion opendir loader risepro stealer lumma redline smoke fabookie stealc tofsee botnet amadey trojan miner teamspy remote phonk ransomware stop vidar arkei g0njxa

Link:

https://app.any.run/tasks/abc1d6c5-a8c4-43ca-bce5-048ca54c69e6

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/452634/

Detection(s):

Win.Packed.Pwsx-10009665-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Modifying a system executable file

Delayed writing of the file

Launching a process

Сreating synchronization primitives

Creating a file in the %temp% directory

Launching the default Windows debugger (dwwin.exe)

Forced shutdown of a system process

Infecting executable files

Unauthorized injection to a system process

Gathering data

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

control greyware lolbin

Link:

https://www.filescan.io/uploads/651adfa383a0c6425d051899/reports/9e1783e5-e689-4684-bbf0-f724c93d9241/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_90%

Link:

https://www.hybrid-analysis.com/sample/bae397ae859869f27a712b1aea44ffa086fdc89109d9bd239f951c37b9b97f40

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/9ab70588-921e-498e-a55d-ba8ce5b472d5

Result

Threat name:

Mystic Stealer

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1318009

Signature

Allocates memory in foreign processes

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Writes to foreign memory regions

Yara detected Mystic Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/bae397ae859869f27a712b1aea44ffa086fdc89109d9bd239f951c37b9b97f40/

Threat name:

Win32.Trojan.Smokeloader

Status:

Malicious

First seen:

2023-10-02 10:02:06 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

20 of 22 (90.91%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=xlrzpluftbu7e6trfmnourh7ucdp3serbhm32i47suodponzp5aa._file

Verdict:

malicious

MysticStealer

2671df33d98422ce8d514bcd99d32c399676aa8e815c3a03b914b85077c9ec40

MysticStealer

2ccc5bfb0096bb4869d51df3a095fed92c32e9d871132b696446cb491176d842

MysticStealer

4dbfaea634739b44fe148e93d5d3d2881d79c96c9fb0fc715e1094162b8ebc31

MysticStealer

7ccebb35a6047b4f54b86986f3c18a6676a242e6eb11ebba584dace0a1f18f7e

MysticStealer

8222ee950ed5797be9775e4f663b77bcfd2cd167e3c507a64728f4caf01158cc

MysticStealer

8e852368e36d267568f5450acd0a0bfab83d904cf432084d2b6078b3d34fc9ca

MysticStealer

b619a632e1960193c43461bc257bf44289790e27a6fc9e0160e78a104661aa25

MysticStealer

d99ad61e2c82cdee34498ec86c2eb31e39dd2be6c3469bf37f425f584b385bae

MysticStealer

eb3d0d631eba885dfd0f9125726dc5722d778e84ff84674799f37e640ac7916f

MysticStealer

+ 878 additional samples on MalwareBazaar

Result

Malware family:

mystic

Score:

10/10

Tags:

family:mystic stealer

Link:

https://tria.ge/reports/231002-sqqw3sdf43/

Behaviour

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of SetThreadContext

Mystic

Unpacked files

SH256 hash:

69c3c07646fee6357420e43f14db68b57af322b522367e148f601a6bb6af1bbd

MD5 hash:

e7ebba2a615bf0a8458bcefbc7c5c827

SHA1 hash:

5cabb23245c346b70a22753e26402a091bfd1022

Link:

https://www.unpac.me/results/9b1be6c6-c4bb-465b-998a-dec09a6b395c/

SH256 hash:

bae397ae859869f27a712b1aea44ffa086fdc89109d9bd239f951c37b9b97f40

MD5 hash:

4a20231a4b36227f3aa172564673f743

SHA1 hash:

3521d5a46974b3afc7dbdcf301dd7fbe4afbfe5d

Link:

https://www.unpac.me/results/9b1be6c6-c4bb-465b-998a-dec09a6b395c/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/bae397ae8598/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	NET Create hunting rule
Author:	malware-lu

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/452634/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample