MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c4e0cb607d432343219b41d78c2ec5dd75cd61337e01004ddbd2a25678afd2f2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MysticStealer


Vendor detections: 9


Intelligence 9 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c4e0cb607d432343219b41d78c2ec5dd75cd61337e01004ddbd2a25678afd2f2
SHA3-384 hash: 808fab408f174fd49d6902df9b2a92442568331d8c38cebd29d674f881b86bff1ec9fc8b7b5380a4c8ea8d6815c097e7
SHA1 hash: dcda71537ac11519b263f6afc002f0714175a95e
MD5 hash: a940041c46398589b82411421e1da99c
humanhash: speaker-music-table-artist
File name:file
Download: download sample
Signature MysticStealer
Create hunting rule
File size:717'176 bytes
First seen:2023-09-21 17:57:47 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f15d7c61281219835473a0dcb1929653 (35 x MysticStealer, 5 x RedLineStealer, 3 x Smoke Loader)
ssdeep 6144:f6vGALXgBEIy8wluzNcq/PVucQpbupc5YLu2+OYAO57ehy8wCmhM7vJQ8xWyvfr:SHXgFysVucQpb03UMwc1Nx/r
Threatray 241 similar samples on MalwareBazaar
TLSH T131E4AF2174E08475EEE330BA46EC7A3601EDE4B4476575CF1BDC47EAD3232C26A3256A
TrID 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter andretavare5
Tags:exe MysticStealer


Avatar
andretavare5
Sample downloaded from http://77.91.68.238/love/no230.exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
284
Origin country :
US US
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/450480/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.61280.12405.21288.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware overlay packed
Link:
https://www.filescan.io/uploads/650c842af1b40cb0d62028f7/reports/fd41d226-505f-4b8d-8a09-5d5368ffec53/overview
Verdict:
Malicious
Labled as:
Troj/Krypt
Link:
https://www.hybrid-analysis.com/sample/c4e0cb607d432343219b41d78c2ec5dd75cd61337e01004ddbd2a25678afd2f2
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/8a08861b-3a0f-450f-867b-eae8cf4ae30f
Result
Threat name:
Mystic Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1312543
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Contains functionality to inject code into remote processes
Found stalling execution ending in API Sleep call
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Yara detected Mystic Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c4e0cb607d432343219b41d78c2ec5dd75cd61337e01004ddbd2a25678afd2f2/
Threat name:
Win32.Trojan.MysticStealer
Create hunting rule
Status:
Malicious
First seen:
2023-09-21 17:58:05 UTC
File Type:
PE (Exe)
AV detection:
19 of 23 (82.61%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ytqmwyd5imrugim3ihlyylwf3v242yjtpyaqato32krfm6fp2lza._file
Verdict:
unknown
Similar samples:
38bf240eaa89c43f4aebcfbcef9b12669417c9b9a9aa60fb5cf4a916e2889bff
MysticStealer
4adce3703406ddd76f486198dcc8932b1ad17119e77340543dfc347e705adb88
MysticStealer
710e50bedb77792743e3e5389f609110ea064c3fe50cd1e35242b9db53101a0c
MysticStealer
969858a1d4ca4c9fcc44f5d3a688bd460c9fe118f2b854e03640c5c2a4f78fa5
MysticStealer
ce8c9483ccfee44272881aa17481ac3928048ab93e9de22e60e339c4c348efd0
MysticStealer
d65457967ab5ef2ac43c210821d99a3ccdfe8fdc07c7eedb79c577ac06aaac84
MysticStealer
d8c3fa92ed236454106a3392ce00dd820c8b69f284f293603240ffb1a5a593a3
MysticStealer
e3cabefa48d70d737194e71275e2ecba91380dc6af1e4b0615d7e05e3499c8c9
MysticStealer
e3cb5911ee3e585999a4e90ab561746e1704b590d0b5422a6fac0dbfe10b0f1a
MysticStealer
fb536e35b2dffa546ddc963fe30734746b7aee6abb7c6ce1553c38db97c37377
MysticStealer
+ 231 additional samples on MalwareBazaar
Result
Malware family:
mystic
Create hunting rule
Score:
  10/10
Tags:
family:mystic stealer
Link:
https://tria.ge/reports/230921-wj6kqsbg33/
Behaviour
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Mystic
Unpacked files
SH256 hash:
181b3a2ecf70826f833d5ab235ca8c18411fb1eae9bd8f6aafe08157f8877389
MD5 hash:
dfb3beca6f4af7a5ee9089538fc44209
SHA1 hash:
a2c30367c4a8479ce05f5d887a4ac6000b236b57
Link:
https://www.unpac.me/results/be78d26a-aeb4-487a-9e59-bb01fd2b1aaa/
SH256 hash:
c4e0cb607d432343219b41d78c2ec5dd75cd61337e01004ddbd2a25678afd2f2
MD5 hash:
a940041c46398589b82411421e1da99c
SHA1 hash:
dcda71537ac11519b263f6afc002f0714175a95e
Link:
https://www.unpac.me/results/be78d26a-aeb4-487a-9e59-bb01fd2b1aaa/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c4e0cb607d43/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/c4e0cb607d432343219b41d78c2ec5dd75cd61337e01004ddbd2a25678afd2f2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/450480/
  
URLhaus
https://urlhaus.abuse.ch/url/2710216/

Comments