win.mystic_stealer

Mystic Stealer


According to Zscaler, Mystic Stealer is an information stealer that was first advertised in April 2023. It is capable of stealing credentials from nearly 40 web browsers and more than 70 browser extensions, and also targets cryptocurrency wallets, Steam, and Telegram. The code is heavily obfuscated, making use of polymorphic string obfuscation, hash-based import resolution, and runtime calculation of constants.
Mystic implements a custom binary protocol that is encrypted with RC4.

References
2023-06-15 — Zscaler — Brett Stone-Gross
Mystic Stealer: The New Kid on the Block
Mystic Stealer
Yara Rules
[TLP:WHITE] win_mystic_stealer_auto (20260504 | Detects win.mystic_stealer.)
rule win_mystic_stealer_auto {
    /* Auto-generated (yara-signator) code signature for win.mystic_stealer.
     * Detection is based on ten short opcode sequences ($sequence_0 .. $sequence_9)
     * taken from 32-bit x86 disassembly (esi/edi/ebp/esp, dword ptr operands);
     * it does not use strings, imports or network indicators.
     * See the DISCLAIMER below for how the sequences were selected and the
     * resulting caveats on generalisation.
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.mystic_stealer."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mystic_stealer"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    /* Each $sequence_N is an exact hex byte pattern (no wildcards or jumps);
     * the comment block under it lists the disassembly of those bytes.
     * "n" is the number of instructions in the sequence.
     * "score" is a ranking value emitted by yara-signator — its exact meaning
     * is not documented here; confirm against the tool's documentation before
     * relying on it.
     */
    strings:
        $sequence_0 = { c7460445000000 8b4e04 8d6e1c 83f945 }
            // n = 4, score = 300
            //   c7460445000000       | mov                 dword ptr [esi + 4], 0x45
            //   8b4e04               | mov                 ecx, dword ptr [esi + 4]
            //   8d6e1c               | lea                 ebp, [esi + 0x1c]
            //   83f945               | cmp                 ecx, 0x45

        $sequence_1 = { 234754 83bfb416000000 894748 7452 8b4738 8b4f58 }
            // n = 6, score = 300
            //   234754               | and                 eax, dword ptr [edi + 0x54]
            //   83bfb416000000       | cmp                 dword ptr [edi + 0x16b4], 0
            //   894748               | mov                 dword ptr [edi + 0x48], eax
            //   7452                 | je                  0x54
            //   8b4738               | mov                 eax, dword ptr [edi + 0x38]
            //   8b4f58               | mov                 ecx, dword ptr [edi + 0x58]

        $sequence_2 = { 668bc7 66d3e0 660bc5 0fb7c8 }
            // n = 4, score = 300
            //   668bc7               | mov                 ax, di
            //   66d3e0               | shl                 ax, cl
            //   660bc5               | or                  ax, bp
            //   0fb7c8               | movzx               ecx, ax

        $sequence_3 = { 8b4c241c 83c40c 8b4500 034e14 894e14 }
            // n = 5, score = 300
            //   8b4c241c             | mov                 ecx, dword ptr [esp + 0x1c]
            //   83c40c               | add                 esp, 0xc
            //   8b4500               | mov                 eax, dword ptr [ebp]
            //   034e14               | add                 ecx, dword ptr [esi + 0x14]
            //   894e14               | mov                 dword ptr [esi + 0x14], ecx

        $sequence_4 = { 8d040a 0fb78fb8160000 660bf1 0fb7ce }
            // n = 4, score = 300
            //   8d040a               | lea                 eax, [edx + ecx]
            //   0fb78fb8160000       | movzx               ecx, word ptr [edi + 0x16b8]
            //   660bf1               | or                  si, cx
            //   0fb7ce               | movzx               ecx, si

        $sequence_5 = { 8386bc160000f3 b110 2ac8 66d3ef 0fb7c7 }
            // n = 5, score = 300
            //   8386bc160000f3       | add                 dword ptr [esi + 0x16bc], -0xd
            //   b110                 | mov                 cl, 0x10
            //   2ac8                 | sub                 cl, al
            //   66d3ef               | shr                 di, cl
            //   0fb7c7               | movzx               eax, di

        $sequence_6 = { 80ea03 c6040101 8b8ea0160000 8b8698160000 41 898ea0160000 c6040100 }
            // n = 7, score = 300
            //   80ea03               | sub                 dl, 3
            //   c6040101             | mov                 byte ptr [ecx + eax], 1
            //   8b8ea0160000         | mov                 ecx, dword ptr [esi + 0x16a0]
            //   8b8698160000         | mov                 eax, dword ptr [esi + 0x1698]
            //   41                   | inc                 ecx
            //   898ea0160000         | mov                 dword ptr [esi + 0x16a0], ecx
            //   c6040100             | mov                 byte ptr [ecx + eax], 0

        // Generic pop/pop/call-eax/mov pattern; on its own this is common
        // compiler output, which is why the condition requires 7 sequences
        // rather than any single one.
        $sequence_7 = { 59 59 ffd0 8be8 }
            // n = 4, score = 300
            //   59                   | pop                 ecx
            //   59                   | pop                 ecx
            //   ffd0                 | call                eax
            //   8be8                 | mov                 ebp, eax

        $sequence_8 = { 898550140000 898c855c0b0000 33c0 40 6689048b c684295814000000 ff8da8160000 }
            // n = 7, score = 300
            //   898550140000         | mov                 dword ptr [ebp + 0x1450], eax
            //   898c855c0b0000       | mov                 dword ptr [ebp + eax*4 + 0xb5c], ecx
            //   33c0                 | xor                 eax, eax
            //   40                   | inc                 eax
            //   6689048b             | mov                 word ptr [ebx + ecx*4], ax
            //   c684295814000000     | mov                 byte ptr [ecx + ebp + 0x1458], 0
            //   ff8da8160000         | dec                 dword ptr [ebp + 0x16a8]

        $sequence_9 = { 33db 668987b8160000 85ed 0f8ea0000000 }
            // n = 4, score = 300
            //   33db                 | xor                 ebx, ebx
            //   668987b8160000       | mov                 word ptr [edi + 0x16b8], ax
            //   85ed                 | test                ebp, ebp
            //   0f8ea0000000         | jle                 0xa6

    /* Match when at least 7 of the 10 sequences are present and the scanned
     * object is smaller than 512000 bytes. Since the sequences were taken from
     * memory dumps and unpacked files (see DISCLAIMER), expect the rule to fire
     * on unpacked code or process memory rather than on a packed on-disk
     * loader; objects at or above the size cap are never matched, regardless
     * of sequence hits.
     */
    condition:
        7 of them and filesize < 512000
}