Malware Analysis Mystic Stealer Bypassing Sandboxes

valvaris

valvaris

Level 6
Verified
Well-known
Jul 26, 2015
263
Trident said:
One thing I can straight away notice from 2 screenshots you've posted is that Sophos generates AWFUL lot of noise.
Click to expand...
It depends on which part of the security layer it hits. If it is detected on edge the other Security parts do not generate alerts.

The Sophos philosophy is to catch as many threats as possible on edge with the Sophos XGS and then Sophos Central Endpoint Protection.

The Sophos XGS uses Intellix as the part of Zero-Day Protection on the Firewall Appliance but for that to work you need to have SSL-Inspection Setup on your network.
 
  • Like
Reactions: roger_m and Trident
Sandbox Breaker

Sandbox Breaker

Level 11
Thread author
Verified
Top Poster
Well-known
Jan 6, 2022
530
We are the first guys to PUBLICALLY analyse and discuss the Mystic Stealer Malware :)

verdict.xcitium.com

Xcitium Cloud Verdict

Scan Files Online using Comodo File Verdict Service that runs tens of different methods to analyze a file and display the detailed results in seconds
verdict.xcitium.com verdict.xcitium.com
Still waiting.
 
  • +Reputation
Reactions: Trident
Trident

Trident

Level 34
Verified
Top Poster
Well-known
Feb 7, 2023
2,349
valvaris said:
It depends on which part of the security layer it hits. If it is detected on edge the other Security parts do not generate alerts.

The Sophos philosophy is to catch as many threats as possible on edge with the Sophos XGS and then Sophos Central Endpoint Protection.

The Sophos XGS uses Intellix as the part of Zero-Day Protection on the Firewall Appliance but for that to work you need to have SSL-Inspection Setup on your network.
Click to expand...
Well this is exactly why I don't like Sophos, Symantec and others. Sophos only needs 2-3 products but Symantec nowadays has become the Ryanair of EDRs. You need 10 add-ons and upgrades. Btw with Check Point we have emulation even without appliance. Sophos can't really be compared 🤷‍♂️
 
  • Like
Reactions: Vitali Ortzi, valvaris and Sandbox Breaker
Sandbox Breaker

Sandbox Breaker

Level 11
Thread author
Verified
Top Poster
Well-known
Jan 6, 2022
530
Trident said:
Well this is exactly why I don't like Sophos, Symantec and others. Sophos only needs 2-3 products but Symantec nowadays has become the Ryanair of EDRs. You need 10 add-ons and upgrades. Btw with Check Point we have emulation even without appliance. Sophos can't really be compared 🤷‍♂️
Click to expand...
Companies are using Zscaler sandbox still to integrate :p

Trident said:
Well this is exactly why I don't like Sophos, Symantec and others. Sophos only needs 2-3 products but Symantec nowadays has become the Ryanair of EDRs. You need 10 add-ons and upgrades. Btw with Check Point we have emulation even without appliance. Sophos can't really be compared 🤷‍♂️
Click to expand...
www.securityweek.com

Norton Parent Says Employee Data Stolen in MOVEit Ransomware Attack

Gen Digital, which owns Avast, Avira, AVG, Norton, and LifeLock, said employee data was compromised in the MOVEit ransomware attack.
www.securityweek.com www.securityweek.com

Speaking of Norton. Yes I know Broadcom bought Symantec.
 
  • Like
Reactions: Trident
valvaris

valvaris

Level 6
Verified
Well-known
Jul 26, 2015
263
Trident said:
Well this is exactly why I don't like Sophos, Symantec and others. Sophos only needs 2-3 products but Symantec nowadays has become the Ryanair of EDRs. You need 10 add-ons and upgrades. Btw with Check Point we have emulation even without appliance. Sophos can't really be compared 🤷‍♂️
Click to expand...
Used to be Checkpoint Reseller - But the Harmony Agent or how they call it now a days ;) - Used to have Kaspersky Engine and we were not allowed to resell Checkpoint since...

The other part it is very dependent on Active Directory for Deployment and Policy Management for advanced setups. With Sophos I do not have that. ;)

Hey but it was me at a time where Checkpoint was in transition from SandStorm to the new Agent. ^^
 
  • Like
Reactions: Trident
Trident

Trident

Level 34
Verified
Top Poster
Well-known
Feb 7, 2023
2,349
valvaris said:
Used to be Checkpoint Reseller - But the Harmony Agent or how they call it now a days ;) - Used to have Kaspersky Engine and we were not allowed to resell Checkpoint since...

The other part it is very dependent on Active Directory for Deployment and Policy Management for advanced setups. With Sophos I do not have that. ;)

Hey but it was me at a time where Checkpoint was in transition from SandStorm to the new Agent. ^^
Click to expand...
Sandblast has been the agent name (it’s been blasting threats using Sandbox and this is where it has come from). They've released a DHS-compliant blade in 2017 where the engine initially has been Bitdefender. Bitdefender was later on changed for Sophos so now you can choose between both. There are a lot of options for deployment at least now.

SentinelOne, no... I've not tried it but I doubt it will become my favourite...
 
  • Thanks
Reactions: valvaris
Sandbox Breaker

Sandbox Breaker

Level 11
Thread author
Verified
Top Poster
Well-known
Jan 6, 2022
530
valvaris said:
Used to be Checkpoint Reseller - But the Harmony Agent or how they call it now a days ;) - Used to have Kaspersky Engine and we were not allowed to resell Checkpoint since...

The other part it is very dependent on Active Directory for Deployment and Policy Management for advanced setups. With Sophos I do not have that. ;)

Hey but it was me at a time where Checkpoint was in transition from SandStorm to the new Agent. ^^
Click to expand...
Sandstorm is Sophos. Sandblast is checkpoint. To much sand. :p
1687286600685.png
 
  • HaHa
  • Like
Reactions: csavv141, valvaris and Trident
Trident

Trident

Level 34
Verified
Top Poster
Well-known
Feb 7, 2023
2,349
fakewatchman said:
Because of sigs. Did they provide behaviour info? If not then it's sig block.
Click to expand...
Unfortunately when there is sigs block it does not attempt to emulate behaviour anymore. But it has been emulated once, because it matches behavioural profile Generic.MALWARE.b69d. To emulate behaviour again, I have to edit the file on hex editor but for that I need to disable all protections... it's too much hassle.

Edit: I edited on online hex editor but this time it is picked up by static analysis and not even sent for emulation...
 
Last edited:
You must log in or register to reply here.

Similar threads

Kongo
    • Like
    • +Reputation
    • Hundred Points
  • Locked
Malware Analysis Another Evasive Discord Token Stealer Disguised as PC game 🎮☠️
Replies
32
Views
2,305
Malware Analysis
struppigel
struppigel
Kongo
    • Like
    • +Reputation
Malware Analysis Upcoming Steam game abused by hackers to spread stealer malware
Replies
1
Views
458
Malware Analysis
Bot
Bot
struppigel
    • Like
    • +Reputation
    • Applause
  • Locked
Malware Analysis JPHP IceRat analysis
Replies
22
Views
10,074
Malware Analysis
struppigel
struppigel

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top