MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ce15ea12f4f64cc602840302cf2a82169bb65746787cd9d0eadd58b45a5ab8d1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

MysticStealer

Vendor detections: 12

Intelligence 12 IOCs YARA 4 File information Comments

SHA256 hash:	ce15ea12f4f64cc602840302cf2a82169bb65746787cd9d0eadd58b45a5ab8d1
SHA3-384 hash:	5c3d8331cfd35b0d4aad96acb29b80c578f74f438d10bf0d4ac5fc963f769202066fb13bd9e42f5289304d29a8436917
SHA1 hash:	03b354572268cce8394ceef6287a006426b6419d
MD5 hash:	bbd2ff1f19d1b7ae88cf0be6350fbe07
humanhash:	papa-winner-delaware-potato
File name:	SecuriteInfo.com.Trojan.Inject4.61247.12433.20760
Download:	download sample
Signature	MysticStealer Create hunting rule
File size:	1'075'200 bytes
First seen:	2023-09-21 11:41:22 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	275c1ac8a0a90e452d90c6b023f705b9 (6 x MysticStealer, 4 x RedLineStealer, 1 x AgentTesla)
ssdeep	12288:RoW5dPenEp953bXeWJOTfo8o+NFJiJRTTw7KuLpJR59i6gANyeVy+dP5:9rPenEp953bQfo8LnAT87D6gyGR
Threatray	249 similar samples on MalwareBazaar
TLSH	T16D35AF2178F492B3EDE2217743ECBA3572ADE4B8071115DB46D817EED7502C26B3268E
TrID	32.2% (.EXE) Win64 Executable (generic) (10523/12/4) 20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 15.4% (.EXE) Win16 NE executable (generic) (5038/12/1) 13.7% (.EXE) Win32 Executable (generic) (4505/5/1) 6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter	SecuriteInfoCom
Tags:	exe MysticStealer

Intelligence

File Origin

# of uploads :

# of downloads :

280

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SecuriteInfo.com.Trojan.Inject4.61247.12433.20760

Verdict:

Malicious activity

Analysis date:

2023-09-21 11:43:46 UTC

Tags:

stealc stealer

Link:

https://app.any.run/tasks/9998ce06-f9f7-4790-a79a-85a9e218ea32

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/450341/

Detection(s):

SecuriteInfo.com.Trojan.Inject4.61247.12433.20760.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a file

Delayed writing of the file

Launching a process

Сreating synchronization primitives

Creating a file in the %temp% directory

Launching the default Windows debugger (dwwin.exe)

Unauthorized injection to a system process

Gathering data

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

control greyware lolbin

Link:

https://www.filescan.io/uploads/650c2c0b83a0c6425dfb6e0e/reports/10ebb3c8-3f3e-431e-af58-7f1db2137995/overview

Verdict:

Malicious

Labled as:

GenKryptik.GOBL trojan

Link:

https://www.hybrid-analysis.com/sample/ce15ea12f4f64cc602840302cf2a82169bb65746787cd9d0eadd58b45a5ab8d1

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Sysinternals

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/084ddeae-0a4a-4c38-851a-8fd7e48a3582

Result

Threat name:

Mystic Stealer

Detection:

malicious

Classification:

troj.evad

Score:

88 / 100

Link:

https://www.joesandbox.com/analysis/1312226

Signature

Allocates memory in foreign processes

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found malware configuration

Injects a PE file into a foreign processes

Multi AV Scanner detection for submitted file

Writes to foreign memory regions

Yara detected Mystic Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ce15ea12f4f64cc602840302cf2a82169bb65746787cd9d0eadd58b45a5ab8d1/

Threat name:

Win32.Trojan.MysticStealer

Status:

Malicious

First seen:

2023-09-21 11:42:05 UTC

File Type:

PE (Exe)

AV detection:

17 of 23 (73.91%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=zyk6uexu6zgmmaueambm6kucc2n3mv2gpb6ntuhk3vmliws2xdiq._file

Verdict:

unknown

MysticStealer

54bfeb4570208f9a43ff093ee83180dcdf7badfb75977b3c16068d0c9a51e358

MysticStealer

5f7a493b62d573b0559fca032defa29287c77280217ba21a5d5c20c9a4d798fb

MysticStealer

7aa5185feb66c3dbd8783d588a0ba32380f044050f1d1b1c1d8b13620bfd0b49

MysticStealer

7b03b5c56612db66d1acc86259c8e07828412b36324e2a22968e7447095d40ad

MysticStealer

8552100483bd75252d34c2a7b6fb1dc859252c3189a1c4834cabb71ce243ac2b

MysticStealer

9ba1244d26d06f499561a367939bd73ffc2fb9597f584cf74b41fefe72aaf0ac

MysticStealer

9d8124b131a76d0299f638ed3d9a6967e84bfbfd9d4f5ce73661bfe6b84ec705

MysticStealer

ced9c05b372b3e69b698086cd26f570329d887682fdf6bdb0d963e29b50635df

MysticStealer

fa583b821101e18da1b8bc386ea46a31505501fada69f1a6b18087178c99bb31

MysticStealer

+ 239 additional samples on MalwareBazaar

Result

Malware family:

mystic

Score:

10/10

Tags:

family:mystic stealer

Link:

https://tria.ge/reports/230921-ntz7pshg25/

Behaviour

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of SetThreadContext

Mystic

Unpacked files

SH256 hash:

bb30309eb812ec97ec2a42016a9a027c488e684cda876f92e9ff64a687550679

MD5 hash:

4d48f9fec6414a537c4bcec69a185d69

SHA1 hash:

49993349e3d9b8de4cb4add65dc5131d1e7d1cd3

Link:

https://www.unpac.me/results/412def55-13d5-4fc9-8da6-f95f282a2836/

SH256 hash:

ce15ea12f4f64cc602840302cf2a82169bb65746787cd9d0eadd58b45a5ab8d1

MD5 hash:

bbd2ff1f19d1b7ae88cf0be6350fbe07

SHA1 hash:

03b354572268cce8394ceef6287a006426b6419d

Link:

https://www.unpac.me/results/412def55-13d5-4fc9-8da6-f95f282a2836/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/ce15ea12f4f6/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/ce15ea12f4f64cc602840302cf2a82169bb65746787cd9d0eadd58b45a5ab8d1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	NET Create hunting rule
Author:	malware-lu

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/450341/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample