MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f69b4ee16d0afd1c5ca0c6424712b60bef724c6521949017f4c12abd2eaa39d4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MysticStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f69b4ee16d0afd1c5ca0c6424712b60bef724c6521949017f4c12abd2eaa39d4
SHA3-384 hash: 9d15b1c5e222322efb58217ab4b1a75dc70161e0813f0f0076e645cc3a4e5e47015d1c6abe5eb8ce20e16e3dcbd95a00
SHA1 hash: 873a971443c97cd5a2785862fc468797711cea87
MD5 hash: 044d6dbff4288a1b45e1286581d237e8
humanhash: fillet-mockingbird-massachusetts-snake
File name:file
Download: download sample
Signature MysticStealer
Create hunting rule
File size:395'264 bytes
First seen:2023-09-12 03:11:18 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 1f21c4dae1d8bdc5f5b4dc1d200a0bc1 (7 x RedLineStealer, 4 x Amadey, 2 x MysticStealer)
ssdeep 6144:3Rba2/KMiCQy4bwSjQzL9ois436xMhAO1b7Cb9ju4fgOBJYsLmHkAP:3c2SMiu4Ms436xMhfbs9S4lYfH
Threatray 74 similar samples on MalwareBazaar
TLSH T14A84BE0171908479D116193288E5E7BE57BDBE310F397ACB77981BAEEB253C2873025E
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter jstrosch
Tags:exe MysticStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
290
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-09-12 03:14:16 UTC
Tags:
stealc stealer
Link:
https://app.any.run/tasks/7b195e52-a487-485f-bc96-abf8d5db413f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/448037/
Detection(s):
Win.Malware.Exploitx-9967939-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Forced shutdown of a system process
Unauthorized injection to a system process
Gathering data
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
control greyware lolbin
Link:
https://www.filescan.io/uploads/64ffd70225e2ece4df6aa963/reports/d0f22d00-b4cc-45ba-b476-410e85abad75/overview
Verdict:
Malicious
Labled as:
GenKryptik.GNSJ trojan
Link:
https://www.hybrid-analysis.com/sample/f69b4ee16d0afd1c5ca0c6424712b60bef724c6521949017f4c12abd2eaa39d4
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/da68d52e-327f-4531-8761-8283907f800c
Result
Threat name:
Mystic Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/1307636
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
Contain functionality to detect virtual machines
Contains functionality to inject code into remote processes
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Searches for specific processes (likely to inject)
Sets debug register (to hijack the execution of another thread)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected BumbleBee
Yara detected Mystic Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f69b4ee16d0afd1c5ca0c6424712b60bef724c6521949017f4c12abd2eaa39d4/
Threat name:
Win32.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2023-09-12 03:12:05 UTC
File Type:
PE (Exe)
AV detection:
18 of 23 (78.26%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=62nu5ylnbl6ryxfayzbeoevwbpxxetdfegkjaf7uyevl2lvkhhka._file
Verdict:
malicious
Similar samples:
2b532d20d2e0b9ea8768ac53964aa9761a534a625720a816fc5e44f62a29f265
MysticStealer
3fb9ffe6f9613f18c1e9984787d37a5d9ed4cdc37c628be7cba33d5c37e782aa
MysticStealer
52461ae449d3e9ec9524b957282d52c1f8427219ede7e58432c7b28587ddf213
MysticStealer
854ec17d2916a8fdde780ec93f0f025c38eee71121c5c49fdde436fc9276080c
MysticStealer
a4f8591f4d334bd38cefd3d69a596a495725aed03f7c434f5ed5b8bae51b4094
MysticStealer
b195fcd8ae87ad764ca22c51b3d10978cedeb61796144c6c0f4711a7e211a7ff
MysticStealer
c133fb803942c1d67a8406c51836b98f26d22c227439ee2fa6b10893e5b3d7c5
MysticStealer
e40823d7f765baf063442d1953ed4a134d481d74486ac39ec746bb868e3c8195
MysticStealer
eede7db2d8a8809d1c41b0268b49c2a1ae3e098b7872aaf8618170e492207e80
MysticStealer
f58a41be919def193aef522bbc727be2a218a2e7b435695c2427e7dc576be977
MysticStealer
+ 64 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/230912-dp6tksde37/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
ff5bb0b2d444da2f2b4dc82a2f49e46b6ceac0ee3785a492e48ecbcf1aa07541
MD5 hash:
90af8bdd5d34fd126e143b41691d16cf
SHA1 hash:
a08e5ce49113713669114175e26cdb34e5ba93f2
Link:
https://www.unpac.me/results/2909b34a-3135-4879-bcd2-36baec5841e7/
SH256 hash:
f69b4ee16d0afd1c5ca0c6424712b60bef724c6521949017f4c12abd2eaa39d4
MD5 hash:
044d6dbff4288a1b45e1286581d237e8
SHA1 hash:
873a971443c97cd5a2785862fc468797711cea87
Link:
https://www.unpac.me/results/2909b34a-3135-4879-bcd2-36baec5841e7/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f69b4ee16d0a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f69b4ee16d0afd1c5ca0c6424712b60bef724c6521949017f4c12abd2eaa39d4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AppLaunch
Create hunting rule
Author:iam-py-test
Description:Detect files referencing .Net AppLaunch.exe
Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:NET
Create hunting rule
Author:malware-lu

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

MysticStealer

Executable exe f69b4ee16d0afd1c5ca0c6424712b60bef724c6521949017f4c12abd2eaa39d4

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2710216/
Cape
Cape
https://www.capesandbox.com/analysis/448037/

Comments