Malware Analysis Mystic Stealer Bypassing Sandboxes

valvaris

Level 6
Verified
Well-known
Jul 26, 2015
263
One thing I can straight away notice from 2 screenshots you've posted is that Sophos generates AWFUL lot of noise.
It depends on which part of the security layer it hits. If it is detected on edge the other Security parts do not generate alerts.

The Sophos philosophy is to catch as many threats as possible on edge with the Sophos XGS and then Sophos Central Endpoint Protection.

The Sophos XGS uses Intellix as the part of Zero-Day Protection on the Firewall Appliance but for that to work you need to have SSL-Inspection Setup on your network.
 
  • Like
Reactions: roger_m and Trident

Sandbox Breaker

Level 11
Thread author
Verified
Top Poster
Well-known
Jan 6, 2022
519
We are the first guys to PUBLICALLY analyse and discuss the Mystic Stealer Malware :)

Still waiting.
 
  • +Reputation
Reactions: Trident

Trident

Level 34
Verified
Top Poster
Well-known
Feb 7, 2023
2,351
It depends on which part of the security layer it hits. If it is detected on edge the other Security parts do not generate alerts.

The Sophos philosophy is to catch as many threats as possible on edge with the Sophos XGS and then Sophos Central Endpoint Protection.

The Sophos XGS uses Intellix as the part of Zero-Day Protection on the Firewall Appliance but for that to work you need to have SSL-Inspection Setup on your network.
Well this is exactly why I don't like Sophos, Symantec and others. Sophos only needs 2-3 products but Symantec nowadays has become the Ryanair of EDRs. You need 10 add-ons and upgrades. Btw with Check Point we have emulation even without appliance. Sophos can't really be compared 🤷‍♂️
 

Sandbox Breaker

Level 11
Thread author
Verified
Top Poster
Well-known
Jan 6, 2022
519
Well this is exactly why I don't like Sophos, Symantec and others. Sophos only needs 2-3 products but Symantec nowadays has become the Ryanair of EDRs. You need 10 add-ons and upgrades. Btw with Check Point we have emulation even without appliance. Sophos can't really be compared 🤷‍♂️
Companies are using Zscaler sandbox still to integrate :p

Well this is exactly why I don't like Sophos, Symantec and others. Sophos only needs 2-3 products but Symantec nowadays has become the Ryanair of EDRs. You need 10 add-ons and upgrades. Btw with Check Point we have emulation even without appliance. Sophos can't really be compared 🤷‍♂️

Speaking of Norton. Yes I know Broadcom bought Symantec.
 
  • Like
Reactions: Trident

valvaris

Level 6
Verified
Well-known
Jul 26, 2015
263
Well this is exactly why I don't like Sophos, Symantec and others. Sophos only needs 2-3 products but Symantec nowadays has become the Ryanair of EDRs. You need 10 add-ons and upgrades. Btw with Check Point we have emulation even without appliance. Sophos can't really be compared 🤷‍♂️
Used to be Checkpoint Reseller - But the Harmony Agent or how they call it now a days ;) - Used to have Kaspersky Engine and we were not allowed to resell Checkpoint since...

The other part it is very dependent on Active Directory for Deployment and Policy Management for advanced setups. With Sophos I do not have that. ;)

Hey but it was me at a time where Checkpoint was in transition from SandStorm to the new Agent. ^^
 
  • Like
Reactions: Trident

Trident

Level 34
Verified
Top Poster
Well-known
Feb 7, 2023
2,351
Used to be Checkpoint Reseller - But the Harmony Agent or how they call it now a days ;) - Used to have Kaspersky Engine and we were not allowed to resell Checkpoint since...

The other part it is very dependent on Active Directory for Deployment and Policy Management for advanced setups. With Sophos I do not have that. ;)

Hey but it was me at a time where Checkpoint was in transition from SandStorm to the new Agent. ^^
Sandblast has been the agent name (it’s been blasting threats using Sandbox and this is where it has come from). They've released a DHS-compliant blade in 2017 where the engine initially has been Bitdefender. Bitdefender was later on changed for Sophos so now you can choose between both. There are a lot of options for deployment at least now.

SentinelOne, no... I've not tried it but I doubt it will become my favourite...
 
  • Thanks
Reactions: valvaris

Sandbox Breaker

Level 11
Thread author
Verified
Top Poster
Well-known
Jan 6, 2022
519
Used to be Checkpoint Reseller - But the Harmony Agent or how they call it now a days ;) - Used to have Kaspersky Engine and we were not allowed to resell Checkpoint since...

The other part it is very dependent on Active Directory for Deployment and Policy Management for advanced setups. With Sophos I do not have that. ;)

Hey but it was me at a time where Checkpoint was in transition from SandStorm to the new Agent. ^^
Sandstorm is Sophos. Sandblast is checkpoint. To much sand. :p
1687286600685.png
 

Trident

Level 34
Verified
Top Poster
Well-known
Feb 7, 2023
2,351
Because of sigs. Did they provide behaviour info? If not then it's sig block.
Unfortunately when there is sigs block it does not attempt to emulate behaviour anymore. But it has been emulated once, because it matches behavioural profile Generic.MALWARE.b69d. To emulate behaviour again, I have to edit the file on hex editor but for that I need to disable all protections... it's too much hassle.

Edit: I edited on online hex editor but this time it is picked up by static analysis and not even sent for emulation...
 
Last edited:

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top