Malware Analysis Mystic Stealer Bypassing Sandboxes

Sandbox Breaker

Level 11
Thread author
Verified
Top Poster
Well-known
Jan 6, 2022
519
Mystic Stealer: Mystic Stealer - Evolving "stealth" Malware - CYFIRMA

Intezer Sandbox Bypassed: https://analyze.intezer.com/analyses/fede3abb-ce72-4b86-9ff5-fc25260fd90d/behavior
1687274580895.png

Only Blacklisted :p

Any.Run: Analysis 7c185697d3d3a544ca0cef987c27e46b20997c7ef69959c720a8d2e8a03cd5dc.exe (MD5: 2438343A7BA217B87B3BFBDDAF8A99F9) No threats detected - Interactive analysis ANY.RUN
1687274636837.png


Triage: Triage | Behavioral Report
1687274672357.png


VT Sandboxes:VirusTotal
1687274733428.png


Mystic Stealer is a new as a service stealer.
 

Trident

Level 34
Verified
Top Poster
Well-known
Feb 7, 2023
2,351
The problem with any.run is the free version only allows Windows 7 to be ran and in addition, if one wants emulation to be successful, you better move the mouse around and open few browser windows. Triage is also not the best in emulation. CrowdStrike Hybrid Analysis and Joe Sandbox are more resistant to evasion. Let’s test these and I will test Check Point as well a bit later.

Yeah, good luck to these Mystic guys evading the leaders.
 

Sandbox Breaker

Level 11
Thread author
Verified
Top Poster
Well-known
Jan 6, 2022
519
  • Like
Reactions: Kongo

Trident

Level 34
Verified
Top Poster
Well-known
Feb 7, 2023
2,351
Now your my favorite user.
I didn't know anything about them until @Shadowra published his previous ZoneAlarm test. I thought I will download it for the laughs. I downloaded it and quite liked it. Previously I avoided it as I thought it's just another AV based on someone (my opinion is if I will use AV based on someone's sdk then I may as well use the original). But after a lot of browsing on their website, I discovered the third-party engine is just a fraction of the whole ecosystem and there is a lot more going on. And since Check Point has configuration, ZA doesn't, they are now my new favourite. I don't think from now on I will use anything else at home or at work. And I am getting everyone around me to use them too.
 

Sandbox Breaker

Level 11
Thread author
Verified
Top Poster
Well-known
Jan 6, 2022
519
I didn't know anything about them until @Shadowra published his previous ZoneAlarm test. I thought I will download it for the laughs. I downloaded it and quite liked it. Previously I avoided it as I thought it's just another AV based on someone (my opinion is if I will use AV based on someone's sdk then I may as well use the original). But after a lot of browsing on their website, I discovered the third-party engine is just a fraction of the whole ecosystem and there is a lot more going on. And since Check Point has configuration, ZA doesn't, they are now my new favourite. I don't think from now on I will use anything else at home or at work. And I am getting everyone around me to use them too.
On any windows systems I'm running Harmony with KAV engine + Xcitium (CF similar setting)
 
  • Like
Reactions: Kongo and Trident

Trident

Level 34
Verified
Top Poster
Well-known
Feb 7, 2023
2,351
On any windows systems I'm running Harmony with KAV engine + Xcitium (CF similar setting)
Xcitium is a piece of trash that will never make it to any of the systems I own or manage but let's just say from now on my life will be very Harmonised.
In the next few months I will be switching quite a lot of machines over.
 

Kongo

Level 36
Verified
Top Poster
Well-known
Feb 25, 2017
2,584
Xcitium is a piece of trash that will never make it to any of the systems I own or manage but let's just say from now on my life will be very Harmonised.
In the next few months I will be switching quite a lot of machines over.
Now you are not his favorite user anymore. Well done! 😌
 

Trident

Level 34
Verified
Top Poster
Well-known
Feb 7, 2023
2,351
Now you are not his favorite user anymore. Well done! 😌
It's amazing how quick things change... One minute you are running brand of unsuccessful home software, next minute you endeavour to conquer the business field.
One minute you're someone's favourite and next minute it's gone... poof... and they never wanna hear from you again.
 
  • HaHa
Reactions: Kongo

Sandbox Breaker

Level 11
Thread author
Verified
Top Poster
Well-known
Jan 6, 2022
519
Now you are not his favorite user anymore. Well done! 😌
Looool. I only like it for it's containment tech. Their malware analysts are sub-par. I still love you Trident

Xcitium is a piece of trash that will never make it to any of the systems I own or manage but let's just say from now on my life will be very Harmonised.
In the next few months I will be switching quite a lot of machines over.
By why do you hate it? What happened man
 
  • Love
Reactions: Kongo and Trident

Trident

Level 34
Verified
Top Poster
Well-known
Feb 7, 2023
2,351
Looool. I only like it for it's containment tech. Their malware analysts are sub-par. I still love you Trident
I already discussed on another thread but I actually don't believe Comodo employs any quality malware analysts. Comodo is the only company that has never published even 1 malware write-up. Read the K7 (third-grade product)'s analysis... I think the analysts at Comodo are just random guys on minimum wage, reviewing static/dynamic analysis pointers and operating 2 buttons: "safe"; "malicious".
And this is the reason I do not like them, they can't convince me that they are professional in their job. Ask Melih one malware name and see if he can tell you anything about it. And these guys wanna protect my systems. Yeah, I will pass on that.
 

Sandbox Breaker

Level 11
Thread author
Verified
Top Poster
Well-known
Jan 6, 2022
519
I already discussed on another thread but I actually don't believe Comodo employs any quality malware analysts. Comodo is the only company that has never published even 1 malware write-up. Read the K7 (third-grade product)'s analysis... I think the analysts at Comodo are just random guys on minimum wage, reviewing static/dynamic analysis pointers and operating 2 buttons: "safe"; "malicious".
And this is the reason I do not like them, they can't convince me that they are professional in their job. Ask Melih one malware name and see if he can tell you anything about it. And these guys wanna protect my systems. Yeah, I will pass on that.
Checkpoint needs to enhance the app control. I don't know how to block untrusted programs and scripts with it. Enlighten me

Id drop Xcitium like a fly if I could use CP for intelligent app control.
 
  • Like
Reactions: Trident

Trident

Level 34
Verified
Top Poster
Well-known
Feb 7, 2023
2,351
Checkpoint needs to enhance the app control. I don't know how to block untrusted programs and scripts with it. Enlighten me

Id drop Xcitium like a fly if I could use CP for intelligent app control.
With Check Point app control you can disable the launch of script interpreters (similar to DeepInstinct, my previous favourite), you can terminate them upon attempt to go online or you can block them from connecting. You can also block the download/saving from emails of scripts and even executables. On a managed system, users are not supposed to be installing software anyway or using scripts. Documents are cleaned from malware automatically by removing executable content and exploits are handled by Behavioural Guard (codenamed Sentree). I've suggested to them to implement a block of all non-emulated files from user space, not sure if they will implement it.
 

Sandbox Breaker

Level 11
Thread author
Verified
Top Poster
Well-known
Jan 6, 2022
519
With Check Point app control you can disable the launch of script interpreters (similar to DeepInstinct, my previous favourite), you can terminate them upon attempt to go online or you can block them from connecting. You can also block the download/saving from emails of scripts and even executables. On a managed system, users are not supposed to be installing software anyway or using scripts. Documents are cleaned from malware automatically by removing executable content and exploits are handled by Behavioural Guard (codenamed Sentree). I've suggested to them to implement a block of all non-emulated files from user space, not sure if they will implement it.
Check point needs guys like us to keep them in "check".
 
  • Like
Reactions: Trident

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top