MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e8c8adcc3b28d2fbf045214df0549ee9f0980954f4406f941c9e450a5f4e9111. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

MysticStealer

Vendor detections: 12

Intelligence 12 IOCs YARA 4 File information Comments

SHA256 hash:	e8c8adcc3b28d2fbf045214df0549ee9f0980954f4406f941c9e450a5f4e9111
SHA3-384 hash:	4416b2d528f058cdce2a62d52fb36ad9b54b90e01768c94795b33493e1f8cd956308425be40ba86c051017becc06cbab
SHA1 hash:	55da85aaaf0f14dd3289cad416520756b2010565
MD5 hash:	7a1dde0a1448a299b566b0987a893375
humanhash:	lithium-artist-lion-helium
File name:	SecuriteInfo.com.Trojan.Inject4.62396.26028.31908
Download:	download sample
Signature	MysticStealer Create hunting rule
File size:	1'104'896 bytes
First seen:	2023-10-12 20:33:59 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	4c2ede2d1d1824f0fded580996722f5f (19 x MysticStealer, 15 x RedLineStealer, 13 x Smoke Loader)
ssdeep	24576:TN4/qx4e1wW/E9L75i5u+y+AViaqnj8/m8ybhtQ:TT4e1wW/ALUkSTnj8/6hK
Threatray	499 similar samples on MalwareBazaar
TLSH	T15135AE2579809071EDF320F787ECB92982AED4B0071456CB42E87BEEE7546C17B366C6
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	SecuriteInfoCom
Tags:	exe MysticStealer

Intelligence

File Origin

# of uploads :

# of downloads :

307

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SecuriteInfo.com.Trojan.Inject4.62396.26028.31908

Verdict:

Malicious activity

Analysis date:

2023-10-12 20:36:08 UTC

Tags:

stealc stealer

Link:

https://app.any.run/tasks/ead8bd8f-be8d-4a24-8f12-807c380daea1

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/453952/

Detection(s):

SecuriteInfo.com.Trojan.Inject4.62396.26028.31908.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Launching a process

Сreating synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Unauthorized injection to a system process

Gathering data

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

control greyware lolbin mokes

Link:

https://www.filescan.io/uploads/6528583bd9aa1327018117c3/reports/0dc7c836-15f2-491f-8bb4-31fa82ef24ad/overview

Verdict:

Malicious

Labled as:

Injector.ETFD trojan

Link:

https://www.hybrid-analysis.com/sample/e8c8adcc3b28d2fbf045214df0549ee9f0980954f4406f941c9e450a5f4e9111

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Conti

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/a99e8657-8573-4d22-acdf-d9ecf9c02a7f

Result

Threat name:

Mystic Stealer

Detection:

malicious

Classification:

troj.evad

Score:

80 / 100

Link:

https://www.joesandbox.com/analysis/1324958

Signature

Allocates memory in foreign processes

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Contains functionality to inject code into remote processes

Injects a PE file into a foreign processes

Writes to foreign memory regions

Yara detected Mystic Stealer

Behaviour

Behavior Graph:

Download SVG

Score:

98%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/e8c8adcc3b28d2fbf045214df0549ee9f0980954f4406f941c9e450a5f4e9111

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/e8c8adcc3b28d2fbf045214df0549ee9f0980954f4406f941c9e450a5f4e9111/

Threat name:

Win32.Trojan.RedLine

Status:

Malicious

First seen:

2023-10-12 20:34:07 UTC

File Type:

PE (Exe)

AV detection:

13 of 23 (56.52%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=5dek3tb3fdjpx4cfefg7ave65hyjqcku6rag7fa4tzcqux2oseiq._file

Verdict:

unknown

MysticStealer

4152cd3aeeebb927e6c14da59f6868d801dc8a30f04f20b25e3e76ed8a7191ae

MysticStealer

5fda4fcd9e16368fcc449f7188dc9121dd9523ba44b8172972041f0ad68fb5e7

MysticStealer

77d0e697edfe2dfa3fbff5f5245f57bb56469c46761a9b9dff34b6599e11f68a

MysticStealer

94858366f885da7ca7f94d9b101c218e25fb6dead470a9e218e7fc6545a2d0d2

MysticStealer

989ccf512b311f95aed4355dd5f3705988be381f88b24a443fff44e797ea60fb

MysticStealer

98d0806281d676bae1d65ca55e0a604f552b53fb6003a622326c54dbc0115996

MysticStealer

dd5930cf4e77bd553e1f6046a3e3ee3511ac212b7c12627743d53bc0463ee6f6

MysticStealer

e4aa33b217985fd838d0ec580faadbdd617b0fca51a0d0ecd1f8060f4ef351ac

MysticStealer

f1a8814c14895928072473c75ed6d1ce167a85b17689725bada2d164706088b1

MysticStealer

+ 489 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://tria.ge/reports/231012-zceefsdc44/

Behaviour

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of SetThreadContext

Unpacked files

SH256 hash:

1293d50b7f652dac9c871a22edbb00592b327e8b55fc98c6bebb5c681436c469

MD5 hash:

c9b6749b108027eccfd99a5c32462428

SHA1 hash:

55be6c256e50160137962a721917ff71716d791a

Link:

https://www.unpac.me/results/5cb5ee95-b09f-4329-a3fc-ab44b79bc920/

SH256 hash:

e8c8adcc3b28d2fbf045214df0549ee9f0980954f4406f941c9e450a5f4e9111

MD5 hash:

7a1dde0a1448a299b566b0987a893375

SHA1 hash:

55da85aaaf0f14dd3289cad416520756b2010565

Link:

https://www.unpac.me/results/5cb5ee95-b09f-4329-a3fc-ab44b79bc920/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/e8c8adcc3b28/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/e8c8adcc3b28d2fbf045214df0549ee9f0980954f4406f941c9e450a5f4e9111

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	NET Create hunting rule
Author:	malware-lu

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/453952/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample