MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cfeb98ac590bbca55621dd6d499ac146da9053b046bfaa7b98b9d66752ddda7d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MysticStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cfeb98ac590bbca55621dd6d499ac146da9053b046bfaa7b98b9d66752ddda7d
SHA3-384 hash: 3cbd04c7f272bc9af330bc141343c670e5e39d5bc4fc862a4b18b7bba25bb0b84623034bb84d2955f4ea212e1f8daab6
SHA1 hash: e586e5919856239703f3687f606dccf6378d682f
MD5 hash: da0b84222b6c0476f755f744039ac0bc
humanhash: hawaii-moon-maine-red
File name:SecuriteInfo.com.Win32.InjectorX-gen.18983.23817
Download: download sample
Signature MysticStealer
Create hunting rule
File size:380'928 bytes
First seen:2023-09-15 17:42:55 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 0ceef81d27ed1195e9da5aae2e1a00ce (7 x MysticStealer, 1 x RedLineStealer)
ssdeep 6144:74P/FCF1NaNyNgAl8gfC93K4BAO0XbjBXwOEL8z/vWY94jnaFSEnp61knRTOBT:7WFCF1NnMK4BKLjaIrkjneSSk+TOBT
Threatray 7 similar samples on MalwareBazaar
TLSH T143849E3A70C1CC33D4B200378FE0A6769A6DF86507555ADFABCC0E6F8B616D09AF1256
TrID 39.5% (.EXE) InstallShield setup (43053/19/16)
28.6% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
9.6% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter SecuriteInfoCom
Tags:exe MysticStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
264
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
SecuriteInfo.com.Win32.InjectorX-gen.18983.23817
Verdict:
Malicious activity
Analysis date:
2023-09-15 17:45:19 UTC
Tags:
stealc stealer redline
Link:
https://app.any.run/tasks/7f1588d7-9daa-43f7-8ade-0f1a077189b0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/448897/
Detection(s):
SecuriteInfo.com.Win32.InjectorX-gen.18983.23817.UNOFFICIAL
Create hunting rule

Gathering data
Verdict:
Suspicious
Threat level:
  10/10
Confidence:
100%
Tags:
control greyware lolbin
Link:
https://www.filescan.io/uploads/650497a932ffdb7a7a06f2a3/reports/396694e9-ad53-44a1-90ac-da783d8c8a6c/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/cfeb98ac590bbca55621dd6d499ac146da9053b046bfaa7b98b9d66752ddda7d
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/21a6874f-f1a1-4ec6-b3ff-f468f1b105f1
Result
Threat name:
Mystic Stealer, RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1309139
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
DLL side loading technique detected
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Mystic Stealer
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1309139 Sample: SecuriteInfo.com.Win32.Inje... Startdate: 15/09/2023 Architecture: WINDOWS Score: 100 40 Snort IDS alert for network traffic 2->40 42 Found malware configuration 2->42 44 Malicious sample detected (through community Yara rule) 2->44 46 8 other signatures 2->46 8 SecuriteInfo.com.Win32.InjectorX-gen.18983.23817.exe 1 2->8         started        11 fOqGQTxdbqwsHNQ.exe 2 2->11         started        process3 signatures4 58 Contains functionality to inject code into remote processes 8->58 60 Writes to foreign memory regions 8->60 62 Allocates memory in foreign processes 8->62 64 Injects a PE file into a foreign processes 8->64 13 AppLaunch.exe 18 8->13         started        18 conhost.exe 8->18         started        66 Tries to harvest and steal browser information (history, passwords, etc) 11->66 process5 dnsIp6 38 5.42.92.211, 49726, 80 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 13->38 30 C:\Users\user\AppData\...\fOqGQTxdbqwsHNQ.exe, PE32 13->30 dropped 32 C:\Users\user\AppData\...\5fxmgTWlLoFkvc3R, SQLite 13->32 dropped 34 C:\Users\user\...\5fxmgTWlLoFkvc3R.dll, PE32 13->34 dropped 68 Found many strings related to Crypto-Wallets (likely being stolen) 13->68 70 Tries to harvest and steal browser information (history, passwords, etc) 13->70 72 DLL side loading technique detected 13->72 74 Tries to steal Crypto Currency Wallets 13->74 20 fOqGQTxdbqwsHNQ.exe 4 13->20         started        24 cmd.exe 1 13->24         started        file7 signatures8 process9 dnsIp10 36 77.91.124.82, 19071, 49727, 49728 ECOTEL-ASRU Russian Federation 20->36 48 Antivirus detection for dropped file 20->48 50 Multi AV Scanner detection for dropped file 20->50 52 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 20->52 56 3 other signatures 20->56 54 Uses schtasks.exe or at.exe to add and modify task schedules 24->54 26 conhost.exe 24->26         started        28 schtasks.exe 1 24->28         started        signatures11 process12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cfeb98ac590bbca55621dd6d499ac146da9053b046bfaa7b98b9d66752ddda7d/
Threat name:
Win32.Trojan.Znyonm
Create hunting rule
Status:
Malicious
First seen:
2023-09-15 17:43:07 UTC
File Type:
PE (Exe)
AV detection:
19 of 23 (82.61%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=z7vzrlczbo6kkvrb3vwutgwbi3njau5qi272u64yxhlgouw53j6q._file
Verdict:
malicious
Similar samples:
0af6821bfe730759d049249d66b09f8b0ba6cae5c5d774ac229b4811b14f7e89
MysticStealer
271ae3d2910af96b5e89f2195e92be02c9e46b79820a31f69c59f35d3330d3dc
MysticStealer
43ebad7b690eed2164234bd2dcba6646388b446cfa1d33f96eb2df0856be493c
MysticStealer
5c2833101e79e8c712a57d535d0cb91c125cbad3f1ac80a8cd099c28e760f70d
MysticStealer
6e290ef176583f474273aef569f08534a3991270af0d8eee984fa6ffee054550
MysticStealer
83a9ea78c40585a5d9ca27ee574c375153a25e4f5b926f9d830605888783b793
MysticStealer
c5d94ebbb93873b30d30b837844a4749ebe9a901f55b833d0c7dc041f140e8a1
MysticStealer
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/230915-waklxaea7s/
Behaviour
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
928b248eebd2a4396e3566cb4fccadb528e98466c70099995c24c20a2af23e12
MD5 hash:
c20ba7d0ce8cd38ce1a4d4cbad00092a
SHA1 hash:
17f45f0474a956d1be5f2e795b894f31967d97d6
Link:
https://www.unpac.me/results/43da94b9-25d6-4455-b79d-ffac52defd44/
SH256 hash:
cfeb98ac590bbca55621dd6d499ac146da9053b046bfaa7b98b9d66752ddda7d
MD5 hash:
da0b84222b6c0476f755f744039ac0bc
SHA1 hash:
e586e5919856239703f3687f606dccf6378d682f
Link:
https://www.unpac.me/results/43da94b9-25d6-4455-b79d-ffac52defd44/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/cfeb98ac590b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cfeb98ac590bbca55621dd6d499ac146da9053b046bfaa7b98b9d66752ddda7d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AppLaunch
Create hunting rule
Author:iam-py-test
Description:Detect files referencing .Net AppLaunch.exe
Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:NET
Create hunting rule
Author:malware-lu

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

MysticStealer

Executable exe cfeb98ac590bbca55621dd6d499ac146da9053b046bfaa7b98b9d66752ddda7d

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2711759/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/448897/

Comments