MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fc648ac0dd68b0a9e533a327a8be163abfbaaeada88f20cb0611ad3975e7ea71. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

MysticStealer

Vendor detections: 11

Intelligence 11 IOCs YARA 6 File information Comments

SHA256 hash:	fc648ac0dd68b0a9e533a327a8be163abfbaaeada88f20cb0611ad3975e7ea71
SHA3-384 hash:	28cd7fc5bc6d61c352ff9130ce4fc04f24e93267f1671d3b8943dc94c39ec1aaa1a701ae4b90a907c35b9f1a7d138248
SHA1 hash:	d2d84a356e2c92f46f081651ca7100a186efbe88
MD5 hash:	124e474e4bc8c1316620eabfc4049725
humanhash:	low-item-skylark-mike
File name:	SecuriteInfo.com.Win32.InjectorX-gen.14629.31081
Download:	download sample
Signature	MysticStealer Create hunting rule
File size:	1'118'472 bytes
First seen:	2023-10-12 08:34:21 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	4c2ede2d1d1824f0fded580996722f5f (19 x MysticStealer, 15 x RedLineStealer, 13 x Smoke Loader)
ssdeep	12288:+WGOqYfKZIakIMi6v5Z3PyWe/fZvsebWSeOUiuno0/Ag/RMP7UUaGfi80uu+bgv1:OYfKZIakIMiYczZseb78R/AgKL68O+bq
Threatray	427 similar samples on MalwareBazaar
TLSH	T1DF359E21B9D1D276EDE330768FECF675829D94B0071515DF82E81EEED610AC1BB32682
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	SecuriteInfoCom
Tags:	exe MysticStealer

Intelligence

File Origin

# of uploads :

# of downloads :

321

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SecuriteInfo.com.Win32.InjectorX-gen.14629.31081

Verdict:

Malicious activity

Analysis date:

2023-10-12 08:36:30 UTC

Tags:

stealc stealer

Link:

https://app.any.run/tasks/3f272100-935e-4a53-ac3f-73f59f6760ef

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/453720/

Detection(s):

SecuriteInfo.com.Win32.InjectorX-gen.14629.31081.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a process

Сreating synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Forced shutdown of a system process

Unauthorized injection to a system process

Gathering data

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

control greyware lolbin overlay packed

Link:

https://www.filescan.io/uploads/6527afb9a29a700213a03dad/reports/5ca9805c-d11a-4f26-809c-40c58ca6ed90/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_70%

Link:

https://www.hybrid-analysis.com/sample/fc648ac0dd68b0a9e533a327a8be163abfbaaeada88f20cb0611ad3975e7ea71

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Conti

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/e0ece78c-fb97-4d82-95a1-59150ac82073

Result

Threat name:

Mystic Stealer

Detection:

malicious

Classification:

troj.evad

Score:

88 / 100

Link:

https://www.joesandbox.com/analysis/1324508

Signature

Allocates memory in foreign processes

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Contains functionality to inject code into remote processes

Injects a PE file into a foreign processes

Multi AV Scanner detection for submitted file

Writes to foreign memory regions

Yara detected Mystic Stealer

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/fc648ac0dd68b0a9e533a327a8be163abfbaaeada88f20cb0611ad3975e7ea71

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/fc648ac0dd68b0a9e533a327a8be163abfbaaeada88f20cb0611ad3975e7ea71/

Threat name:

Win32.Trojan.InjectorX

Status:

Malicious

First seen:

2023-10-12 08:35:07 UTC

File Type:

PE (Exe)

AV detection:

10 of 23 (43.48%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=7rsivqg5ncyktzjtumt2rpqwhk73vlvnvchsbsygcgwts5ph5jyq._file

Verdict:

unknown

MysticStealer

2549c12588af5ff6821cdb89459079222bfdb5a9d25a79baad275004bf93a136

MysticStealer

6334078f4530ab93c7aa525f618408700560d49988925bd785d5a0ac22709271

MysticStealer

758af3c720b838dc4dcb41447e50a1d3afa6924c6ecb7ae464f071cba3c3bc33

MysticStealer

79a1830e75e10f831736b54b97e0921db9b68f8a156e58c3c8abac43821dee56

MysticStealer

7d2749f21e8352e19d19aeff2820cbd4fbe3cbb3de50d5f8044423e05a7e56cb

MysticStealer

8b7a26cad8175c334cf9528ac15feb6c89f45219373be09f16360696ec9a6027

MysticStealer

d8b138021cd975560dc0eca5a1acb2fc3d3b82d90e7f1376f3f424e758ffadf8

MysticStealer

e38cfe132158fb26de95b367811bca48d0c9ba22318bda33084363fa6e4637bc

MysticStealer

fb715bb5adc36d63ee7864c10a6e07b2b85e9f925b59f4e8335fa7cd6d5bdb69

MysticStealer

+ 417 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://tria.ge/reports/231012-kg1e6abc82/

Behaviour

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of SetThreadContext

Unpacked files

SH256 hash:

1293d50b7f652dac9c871a22edbb00592b327e8b55fc98c6bebb5c681436c469

MD5 hash:

c9b6749b108027eccfd99a5c32462428

SHA1 hash:

55be6c256e50160137962a721917ff71716d791a

Link:

https://www.unpac.me/results/30e8acf3-0f05-413f-9907-f56236367943/

SH256 hash:

fc648ac0dd68b0a9e533a327a8be163abfbaaeada88f20cb0611ad3975e7ea71

MD5 hash:

124e474e4bc8c1316620eabfc4049725

SHA1 hash:

d2d84a356e2c92f46f081651ca7100a186efbe88

Link:

https://www.unpac.me/results/30e8acf3-0f05-413f-9907-f56236367943/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/fc648ac0dd68/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	PE_Potentially_Signed_Digital_Certificate Create hunting rule
Author:	albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/453720/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample