Malware Analysis Mystic Stealer Bypassing Sandboxes

[Sandbox Breaker]

Mystic Stealer: Mystic Stealer - Evolving "stealth" Malware - CYFIRMA

Intezer Sandbox Bypassed: https://analyze.intezer.com/analyses/fede3abb-ce72-4b86-9ff5-fc25260fd90d/behavior

Only Blacklisted

Any.Run: Analysis 7c185697d3d3a544ca0cef987c27e46b20997c7ef69959c720a8d2e8a03cd5dc.exe (MD5: 2438343A7BA217B87B3BFBDDAF8A99F9) No threats detected - Interactive analysis ANY.RUN

Triage: Triage | Behavioral Report

VT Sandboxes:VirusTotal

Mystic Stealer is a new as a service stealer.

 

[Trident]

@fakewatchman did you test Check Point already? Or shall I

 

[Sandbox Breaker]

@fakewatchman did you test Check Point already? Or shall I

Honour is yours.

 

[Trident]

The problem with any.run is the free version only allows Windows 7 to be ran and in addition, if one wants emulation to be successful, you better move the mouse around and open few browser windows. Triage is also not the best in emulation. CrowdStrike Hybrid Analysis and Joe Sandbox are more resistant to evasion. Let’s test these and I will test Check Point as well a bit later.

Yeah, good luck to these Mystic guys evading the leaders.

Free Automated Malware Analysis Service - powered by Falcon Sandbox - Viewing online file analysis results for '7c185697d3d3a544ca0cef987c27e46b20997c7ef69959c720a8d2e8a03cd5dc.bin.exe'

Submit malware for free analysis with Falcon Sandbox and Hybrid Analysis technology. Hybrid Analysis develops and licenses analysis tools to fight malware.

www.hybrid-analysis.com

 

[Sandbox Breaker]

Yeah, good luck to these Mystic guys evading the leaders.

Free Automated Malware Analysis Service - powered by Falcon Sandbox - Viewing online file analysis results for '7c185697d3d3a544ca0cef987c27e46b20997c7ef69959c720a8d2e8a03cd5dc.bin.exe'

Submit malware for free analysis with Falcon Sandbox and Hybrid Analysis technology. Hybrid Analysis develops and licenses analysis tools to fight malware.

www.hybrid-analysis.com

Which sandbox is your favorite

 

[Trident]

Which sandbox is your favorite

Just to upload file, Hybrid Analysis. Integrated in Product, Falcon (Same like CrowdStrike), Check Point and Palo Alto.

 

[Sandbox Breaker]

Just to upload file, Hybrid Analysis. Integrated in Product, Falcon (Same like CrowdStrike), Check Point and Palo Alto.

You have to pick one

 

[Trident]

You have to pick one

Check Point.

 

[Sandbox Breaker]

Check Point.

Now your my favorite user.

 

[Trident]

Now your my favorite user.

I didn't know anything about them until @Shadowra published his previous ZoneAlarm test. I thought I will download it for the laughs. I downloaded it and quite liked it. Previously I avoided it as I thought it's just another AV based on someone (my opinion is if I will use AV based on someone's sdk then I may as well use the original). But after a lot of browsing on their website, I discovered the third-party engine is just a fraction of the whole ecosystem and there is a lot more going on. And since Check Point has configuration, ZA doesn't, they are now my new favourite. I don't think from now on I will use anything else at home or at work. And I am getting everyone around me to use them too.

 

[Sandbox Breaker]

I didn't know anything about them until @Shadowra published his previous ZoneAlarm test. I thought I will download it for the laughs. I downloaded it and quite liked it. Previously I avoided it as I thought it's just another AV based on someone (my opinion is if I will use AV based on someone's sdk then I may as well use the original). But after a lot of browsing on their website, I discovered the third-party engine is just a fraction of the whole ecosystem and there is a lot more going on. And since Check Point has configuration, ZA doesn't, they are now my new favourite. I don't think from now on I will use anything else at home or at work. And I am getting everyone around me to use them too.

On any windows systems I'm running Harmony with KAV engine + Xcitium (CF similar setting)

 

[Trident]

On any windows systems I'm running Harmony with KAV engine + Xcitium (CF similar setting)

Xcitium is a piece of trash that will never make it to any of the systems I own or manage but let's just say from now on my life will be very Harmonised.
In the next few months I will be switching quite a lot of machines over.

 

[Kongo]

Xcitium is a piece of trash that will never make it to any of the systems I own or manage but let's just say from now on my life will be very Harmonised.
In the next few months I will be switching quite a lot of machines over.

Now you are not his favorite user anymore. Well done!

 

[Trident]

Now you are not his favorite user anymore. Well done!

It's amazing how quick things change... One minute you are running brand of unsuccessful home software, next minute you endeavour to conquer the business field.
One minute you're someone's favourite and next minute it's gone... poof... and they never wanna hear from you again.

 

[Sandbox Breaker]

Now you are not his favorite user anymore. Well done!

Looool. I only like it for it's containment tech. Their malware analysts are sub-par. I still love you Trident

Xcitium is a piece of trash that will never make it to any of the systems I own or manage but let's just say from now on my life will be very Harmonised.
In the next few months I will be switching quite a lot of machines over.

By why do you hate it? What happened man

 

[Trident]

Looool. I only like it for it's containment tech. Their malware analysts are sub-par. I still love you Trident

I already discussed on another thread but I actually don't believe Comodo employs any quality malware analysts. Comodo is the only company that has never published even 1 malware write-up. Read the K7 (third-grade product)'s analysis... I think the analysts at Comodo are just random guys on minimum wage, reviewing static/dynamic analysis pointers and operating 2 buttons: "safe"; "malicious".
And this is the reason I do not like them, they can't convince me that they are professional in their job. Ask Melih one malware name and see if he can tell you anything about it. And these guys wanna protect my systems. Yeah, I will pass on that.

 

[Sandbox Breaker]

I already discussed on another thread but I actually don't believe Comodo employs any quality malware analysts. Comodo is the only company that has never published even 1 malware write-up. Read the K7 (third-grade product)'s analysis... I think the analysts at Comodo are just random guys on minimum wage, reviewing static/dynamic analysis pointers and operating 2 buttons: "safe"; "malicious".
And this is the reason I do not like them, they can't convince me that they are professional in their job. Ask Melih one malware name and see if he can tell you anything about it. And these guys wanna protect my systems. Yeah, I will pass on that.

Checkpoint needs to enhance the app control. I don't know how to block untrusted programs and scripts with it. Enlighten me

Id drop Xcitium like a fly if I could use CP for intelligent app control.

 

[Trident]

Checkpoint needs to enhance the app control. I don't know how to block untrusted programs and scripts with it. Enlighten me

Id drop Xcitium like a fly if I could use CP for intelligent app control.

With Check Point app control you can disable the launch of script interpreters (similar to DeepInstinct, my previous favourite), you can terminate them upon attempt to go online or you can block them from connecting. You can also block the download/saving from emails of scripts and even executables. On a managed system, users are not supposed to be installing software anyway or using scripts. Documents are cleaned from malware automatically by removing executable content and exploits are handled by Behavioural Guard (codenamed Sentree). I've suggested to them to implement a block of all non-emulated files from user space, not sure if they will implement it.

 

[Sandbox Breaker]

With Check Point app control you can disable the launch of script interpreters (similar to DeepInstinct, my previous favourite), you can terminate them upon attempt to go online or you can block them from connecting. You can also block the download/saving from emails of scripts and even executables. On a managed system, users are not supposed to be installing software anyway or using scripts. Documents are cleaned from malware automatically by removing executable content and exploits are handled by Behavioural Guard (codenamed Sentree). I've suggested to them to implement a block of all non-emulated files from user space, not sure if they will implement it.

Check point needs guys like us to keep them in "check".

 

[Trident]

Check point needs guys like us to keep them in "check".

I have a call from them scheduled for Friday about becoming a reseller.