MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cba3ff53c4db0c051f35467eeeeff02101ed254e77bf7c52d06ae56f076e4c85. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

MysticStealer

Vendor detections: 11

Intelligence 11 IOCs YARA 7 File information Comments

SHA256 hash:	cba3ff53c4db0c051f35467eeeeff02101ed254e77bf7c52d06ae56f076e4c85
SHA3-384 hash:	5d6cc631df3c4c8abfbcb221f1091df441105033145e5508b9dd3557322be19aefd283ab9fbd7849ce19e31cbfb3c8b6
SHA1 hash:	4f46d893542e0057ab3974dbb78aaf3740e9289c
MD5 hash:	b3bf121408333b33a341d719b507d33d
humanhash:	spring-seven-idaho-mockingbird
File name:	file
Download:	download sample
Signature	MysticStealer Create hunting rule
File size:	717'176 bytes
First seen:	2023-09-21 14:03:18 UTC
Last seen:	2023-09-21 14:40:36 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f15d7c61281219835473a0dcb1929653 (35 x MysticStealer, 5 x RedLineStealer, 3 x Smoke Loader)
ssdeep	6144:c6vPALOgBE8y8wl5zNci/6VucQZMEtPv22qrwmIWzlNPzlKpZ7ssr:FgOgxyKVucQZrW2qrI6DLQdr
Threatray	102 similar samples on MalwareBazaar
TLSH	T1C2E49E1178B081B6FDE230B642ECB77101BEF4B4474555CB06D81FFEE6646C0A73AA9A
TrID	32.2% (.EXE) Win64 Executable (generic) (10523/12/4) 20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 15.4% (.EXE) Win16 NE executable (generic) (5038/12/1) 13.7% (.EXE) Win32 Executable (generic) (4505/5/1) 6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter	andretavare5
Tags:	exe MysticStealer

andretavare5

Sample downloaded from http://77.91.68.238/love/no230.exe

Intelligence

File Origin

# of uploads :

# of downloads :

288

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

file

Verdict:

Malicious activity

Analysis date:

2023-09-21 14:04:48 UTC

Tags:

stealc stealer

Link:

https://app.any.run/tasks/37666297-f2ab-4d11-9137-98a01581a7b9

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/450397/

Detection(s):

SecuriteInfo.com.Win32.DropperX-gen.16158.11288.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Searching for the window

Sending a custom TCP request

Gathering data

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

greyware overlay packed

Link:

https://www.filescan.io/uploads/650c4d5333582f234efe824f/reports/9f3af19d-a9fe-4b1e-88c3-f042f755965b/overview

Verdict:

Malicious

Labled as:

Troj/Krypt

Link:

https://www.hybrid-analysis.com/sample/cba3ff53c4db0c051f35467eeeeff02101ed254e77bf7c52d06ae56f076e4c85

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Sysinternals

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/c301daa4-b1fa-492a-96d6-4b90916b9148

Result

Threat name:

Mystic Stealer

Detection:

malicious

Classification:

troj.evad

Score:

92 / 100

Link:

https://www.joesandbox.com/analysis/1312352

Signature

Allocates memory in foreign processes

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Contains functionality to inject code into remote processes

Found stalling execution ending in API Sleep call

Injects a PE file into a foreign processes

Multi AV Scanner detection for submitted file

Writes to foreign memory regions

Yara detected Mystic Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/cba3ff53c4db0c051f35467eeeeff02101ed254e77bf7c52d06ae56f076e4c85/

Threat name:

Win32.Trojan.MysticStealer

Status:

Malicious

First seen:

2023-09-21 14:04:06 UTC

File Type:

PE (Exe)

AV detection:

18 of 23 (78.26%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=zor76u6e3mgakhzviz7o537qeea62jkoo67xyuwqnlsw6b3ojscq._file

Verdict:

unknown

MysticStealer

32866fae6c5dd6f1843c684c36c6deb8f942afe66ba081c2eb86da997f7db25f

MysticStealer

386cd47f4060dc5fb5186c8257f778653e2ce2c9b42edcc44f0b5d27953b3d0a

MysticStealer

4719ed476debe539f2920aebc93035bbbeb7897f8692bbf2115b8639dde710a4

MysticStealer

4adce3703406ddd76f486198dcc8932b1ad17119e77340543dfc347e705adb88

MysticStealer

b070ba5155d934c38b5726cf96a0764966f6bd35191129730ffe36650fd4932a

MysticStealer

ce8c9483ccfee44272881aa17481ac3928048ab93e9de22e60e339c4c348efd0

MysticStealer

d91dbe7098f37ae7b86aa0a328fca18860dc7e9171fea3e07643b032ae1c5a5d

MysticStealer

e3cb5911ee3e585999a4e90ab561746e1704b590d0b5422a6fac0dbfe10b0f1a

MysticStealer

ed311e8496352c740680e63bb9fd2445f8432a4ca8d47637f37e3588dc475591

MysticStealer

+ 92 additional samples on MalwareBazaar

Result

Malware family:

mystic

Score:

10/10

Tags:

family:mystic stealer

Link:

https://tria.ge/reports/230921-rc9atsad67/

Behaviour

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of SetThreadContext

Mystic

Unpacked files

SH256 hash:

181b3a2ecf70826f833d5ab235ca8c18411fb1eae9bd8f6aafe08157f8877389

MD5 hash:

dfb3beca6f4af7a5ee9089538fc44209

SHA1 hash:

a2c30367c4a8479ce05f5d887a4ac6000b236b57

Link:

https://www.unpac.me/results/9b9e8980-df19-466d-bd0e-f4699110fd71/

SH256 hash:

cba3ff53c4db0c051f35467eeeeff02101ed254e77bf7c52d06ae56f076e4c85

MD5 hash:

b3bf121408333b33a341d719b507d33d

SHA1 hash:

4f46d893542e0057ab3974dbb78aaf3740e9289c

Link:

https://www.unpac.me/results/9b9e8980-df19-466d-bd0e-f4699110fd71/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/cba3ff53c4db/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/cba3ff53c4db0c051f35467eeeeff02101ed254e77bf7c52d06ae56f076e4c85

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	PE_Potentially_Signed_Digital_Certificate Create hunting rule
Author:	albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

URLhaus

https://urlhaus.abuse.ch/url/2710216/

Cape

https://www.capesandbox.com/analysis/450397/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample