Malware Analysis Mystic Stealer Bypassing Sandboxes

[Sandbox Breaker - DFIR]

I have a call from them scheduled for Friday about becoming a reseller.

You need any good analysts? If anyone does please reach out. Not kidding here. Talent needs to be properly used.

 

[Scirious]

I have a call from them scheduled for Friday about becoming a reseller.

Maybe you could make a good price for me?

 

[Trident]

You need any good analysts?

Let's see how it will go, I will definitely remember your offer.

 

[Sandbox Breaker - DFIR]

Let's see how it will go, I will definitely remember your offer.

I've got a guy from Xcitium who just clicks "Yes or No".

I also have a guy who right clicks... Clicks Advanced Options... Then... Wait for it...

Max Settings... Then thinks he's secure.

 

[Trident]

I've got a guy from Xcitium who just clicks "Yes or No".

I also have a guy who right clicks... Clicks Advanced Options... Then... Wait for it...

Max Settings... Then thinks he's secure.

Definitely sounds like security there is well understood and top priority as well. Just like Xcitium understands malware. Let me link malware analysis from them here.
Error: the requested resource doesn't exist.

 

[Sandbox Breaker - DFIR]

I'm totally messing around lol

 

[valvaris]

I could help with Sophos products: Got a full lab setup here with Sophos XGS Firewall Appliance and Sophos Intercept X Advanced with XDR for Threat-Hunting.

The Sandbox with Zero-Day Protection is quite good

 

[Sandbox Breaker - DFIR]

I could help with Sophos products: Got a full lab setup here with Sophos XGS Firewall Appliance and Sophos Intercept X Advanced with XDR for Threat-Hunting.

The Sandbox with Zero-Day Protection is quite good

Let's see if the British can flag Mystic.

 

[Trident]

Let's see if the British can flag Mystic.

Never doubt us. But it's flagged by static and genome analysis, it has evaded the true sandbox.

Intelix Portal

intelix.sophos.com

 

[valvaris]

Does someone have a sample for me to test?

 

[Kongo]

Let's see if the British can flag Mystic.

On their new Analysis Platform Sophos Intelix it's flagged as malicious. Static and Dynamic.

 

[Kongo]

Does someone have a sample for me to test?

You can download from the AnyRun link above

 

[Trident]

On their new Analysis Platform Sophos Intelix it's flagged as malicious. Static and Dynamic.

I see only static features and file attributes. On the report nothing looks like the true behaviour of the file was reached. But nevertheless, it is detected.

 

[Sandbox Breaker - DFIR]

Never doubt us. But it's flagged by static and genome analysis, it has evaded the true sandbox.

Intelix Portal

intelix.sophos.com

Wow. What the hell is with sandboxes today. This is why I run ChromeOS enterprise. I don't believe a SOC or vSOC should ever use Windows. Seems like those who really "know" agree with that .

 

[Trident]

This is all static analysis.

 

[valvaris]

Detected on extraction of the sample.

 

[Trident]

Detected on extraction of the sample.
View attachment 276364
View attachment 276365

One thing I can straight away notice from 2 screenshots you've posted is that Sophos generates AWFUL lot of noise.

 

[Sandbox Breaker - DFIR]

One thing I can straight away notice from 2 screenshots you've posted is that Sophos generates AWFUL lot of noise.

Yes.

 

[Sandbox Breaker - DFIR]

Detected on extraction of the sample.
View attachment 276364
View attachment 276365

That RDP entry is insane.

 

[Trident]

That RDP entry is insane.

Considering this is a pre-execution detection of known malware described in Sophos IDE, yeah. Insane doesn't even touch it.