MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fe265258046223bb8f78e71ac0ed7a498650229971ec3c59089b930893c21c19. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MysticStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fe265258046223bb8f78e71ac0ed7a498650229971ec3c59089b930893c21c19
SHA3-384 hash: 677d4f07ad36e183afc5be715a91949e5dc151b672aeb749cdab2dea82afc29f047a98e4103a4d1daab7048ef664da96
SHA1 hash: 8b6af92602004ad799346e671afacaa935fd622e
MD5 hash: a775c3fc757901fe6595eb250b3a81bd
humanhash: connecticut-berlin-muppet-helium
File name:file
Download: download sample
Signature MysticStealer
Create hunting rule
File size:717'176 bytes
First seen:2023-09-21 21:24:15 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f15d7c61281219835473a0dcb1929653 (35 x MysticStealer, 5 x RedLineStealer, 3 x Smoke Loader)
ssdeep 6144:RSvGAafgBMniUwluzlcy/XVucQ5+AEum9Tb9d49HiRyy47mTQBs492kQuPfz:0Gfg2i8VucQ5Tm9Tb9m0RyyA9K49JQiz
Threatray 259 similar samples on MalwareBazaar
TLSH T1BFE4AE2074A0B3B2EDE271B643ECBA35C1EDE8F1070655CB03D85FF9D6612C1AA36599
TrID 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter andretavare5
Tags:exe MysticStealer


Avatar
andretavare5
Sample downloaded from http://77.91.68.238/love/no230.exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
292
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-09-22 09:17:22 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/50664f9d-f6ba-495f-a5a2-9bb7e58d1595

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/450503/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.61280.134.28024.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware overlay packed
Link:
https://www.filescan.io/uploads/650cb4b033582f234efee554/reports/bd645af4-b95e-4a9d-99e4-750c420a9a3c/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/fe265258046223bb8f78e71ac0ed7a498650229971ec3c59089b930893c21c19
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/5d6e150d-125c-4091-98d1-387e0eed895d
Result
Threat name:
Mystic Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1312648
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Contains functionality to inject code into remote processes
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Yara detected Mystic Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fe265258046223bb8f78e71ac0ed7a498650229971ec3c59089b930893c21c19/
Threat name:
Win32.Trojan.MysticStealer
Create hunting rule
Status:
Malicious
First seen:
2023-09-21 21:25:08 UTC
File Type:
PE (Exe)
AV detection:
18 of 23 (78.26%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7ytfewaemir3xd3y44nmb3l2jgdfaiuzohwdywiitojqre6cdqmq._file
Verdict:
unknown
Similar samples:
38bf240eaa89c43f4aebcfbcef9b12669417c9b9a9aa60fb5cf4a916e2889bff
MysticStealer
710e50bedb77792743e3e5389f609110ea064c3fe50cd1e35242b9db53101a0c
MysticStealer
79ef567563963d9b5c05825ad9c4d4a5a18ec8f0325f9d133bac910ddb2b1aab
MysticStealer
969858a1d4ca4c9fcc44f5d3a688bd460c9fe118f2b854e03640c5c2a4f78fa5
MysticStealer
c4e0cb607d432343219b41d78c2ec5dd75cd61337e01004ddbd2a25678afd2f2
MysticStealer
d65457967ab5ef2ac43c210821d99a3ccdfe8fdc07c7eedb79c577ac06aaac84
MysticStealer
d8c3fa92ed236454106a3392ce00dd820c8b69f284f293603240ffb1a5a593a3
MysticStealer
e3cabefa48d70d737194e71275e2ecba91380dc6af1e4b0615d7e05e3499c8c9
MysticStealer
e3cb5911ee3e585999a4e90ab561746e1704b590d0b5422a6fac0dbfe10b0f1a
MysticStealer
fb536e35b2dffa546ddc963fe30734746b7aee6abb7c6ce1553c38db97c37377
MysticStealer
+ 249 additional samples on MalwareBazaar
Result
Malware family:
mystic
Create hunting rule
Score:
  10/10
Tags:
family:mystic stealer
Link:
https://tria.ge/reports/230921-z9lvssaf3t/
Behaviour
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Mystic
Unpacked files
SH256 hash:
181b3a2ecf70826f833d5ab235ca8c18411fb1eae9bd8f6aafe08157f8877389
MD5 hash:
dfb3beca6f4af7a5ee9089538fc44209
SHA1 hash:
a2c30367c4a8479ce05f5d887a4ac6000b236b57
Link:
https://www.unpac.me/results/b2d6999f-b833-46f5-bfe4-1c70babbc6fd/
SH256 hash:
fe265258046223bb8f78e71ac0ed7a498650229971ec3c59089b930893c21c19
MD5 hash:
a775c3fc757901fe6595eb250b3a81bd
SHA1 hash:
8b6af92602004ad799346e671afacaa935fd622e
Link:
https://www.unpac.me/results/b2d6999f-b833-46f5-bfe4-1c70babbc6fd/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/fe2652580462/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fe265258046223bb8f78e71ac0ed7a498650229971ec3c59089b930893c21c19

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/450503/

Comments