win.mystic_stealer

Mystic Stealer


According to Zscaler, a new information stealer that was first advertised in April 2023, capable of stealing credentials from nearly 40 web browsers and more than 70 browser extensions, also targeting cryptocurrency wallets, Steam, and Telegram. The code is heavily obfuscated, making use of polymorphic string obfuscation, hash-based import resolution, and runtime calculation of constants.
Mystic implements a custom binary protocol that is encrypted with RC4.

References
2023-06-15ZscalerBrett Stone-Gross
Mystic Stealer: The New Kid on the Block
Mystic Stealer
Yara Rules
[TLP:WHITE] win_mystic_stealer_auto (20230808 | Detects win.mystic_stealer.)
rule win_mystic_stealer_auto {
    // Auto-generated (yara-signator) code-sequence signature for the Mystic
    // Stealer family (Malpedia: win.mystic_stealer). Each $sequence_N below is
    // a raw x86 opcode byte pattern lifted from disassembly; the hex bytes are
    // the signature itself and must stay exact — only the indented "//" lines
    // under each string are human-readable annotations of those bytes.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        // NOTE(review): the generation date (2023-12-06) postdates both
        // malpedia_rule_date (20231130) and malpedia_version (20230808);
        // confirm which value to cite when tracking rule provenance.
        date = "2023-12-06"
        version = "1"
        description = "Detects win.mystic_stealer."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mystic_stealer"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    // Because the sequences were selected from unpacked code and memory dumps
    // (see disclaimer), a packed or otherwise encrypted on-disk sample is not
    // expected to match; scan unpacked payloads or process memory instead.
    strings:
        $sequence_0 = { 8b461c 42 8b4e08 895614 8a4007 88040a 8b5614 }
            // n = 7, score = 300
            //   8b461c               | mov                 eax, dword ptr [esi + 0x1c]
            //   42                   | inc                 edx
            //   8b4e08               | mov                 ecx, dword ptr [esi + 8]
            //   895614               | mov                 dword ptr [esi + 0x14], edx
            //   8a4007               | mov                 al, byte ptr [eax + 7]
            //   88040a               | mov                 byte ptr [edx + ecx], al
            //   8b5614               | mov                 edx, dword ptr [esi + 0x14]

        $sequence_1 = { 0fb7c7 eb0b 8d4203 8986bc160000 }
            // n = 4, score = 300
            //   0fb7c7               | movzx               eax, di
            //   eb0b                 | jmp                 0xd
            //   8d4203               | lea                 eax, [edx + 3]
            //   8986bc160000         | mov                 dword ptr [esi + 0x16bc], eax

        $sequence_2 = { 6a02 5d 8b4774 3d06010000 }
            // n = 4, score = 300
            //   6a02                 | push                2
            //   5d                   | pop                 ebp
            //   8b4774               | mov                 eax, dword ptr [edi + 0x74]
            //   3d06010000           | cmp                 eax, 0x106

        // Sequences 3 and 6 share a 16-bit shift-by-cl / or-with-si pattern;
        // presumably part of a bit-packing decode routine — not verified here.
        $sequence_3 = { 0fb7d8 668bc3 66d3e0 660bc6 0fb7c0 }
            // n = 5, score = 300
            //   0fb7d8               | movzx               ebx, ax
            //   668bc3               | mov                 ax, bx
            //   66d3e0               | shl                 ax, cl
            //   660bc6               | or                  ax, si
            //   0fb7c0               | movzx               eax, ax

        $sequence_4 = { eb15 8d4503 8987bc160000 8d4304 }
            // n = 4, score = 300
            //   eb15                 | jmp                 0x17
            //   8d4503               | lea                 eax, [ebp + 3]
            //   8987bc160000         | mov                 dword ptr [edi + 0x16bc], eax
            //   8d4304               | lea                 eax, [ebx + 4]

        $sequence_5 = { 668b476c 66890451 85f6 741a 8b4f6c }
            // n = 5, score = 300
            //   668b476c             | mov                 ax, word ptr [edi + 0x6c]
            //   66890451             | mov                 word ptr [ecx + edx*2], ax
            //   85f6                 | test                esi, esi
            //   741a                 | je                  0x1c
            //   8b4f6c               | mov                 ecx, dword ptr [edi + 0x6c]

        $sequence_6 = { 668bc2 8d5f14 66d3e0 8b0b 660bc6 }
            // n = 5, score = 300
            //   668bc2               | mov                 ax, dx
            //   8d5f14               | lea                 ebx, [edi + 0x14]
            //   66d3e0               | shl                 ax, cl
            //   8b0b                 | mov                 ecx, dword ptr [ebx]
            //   660bc6               | or                  ax, si

        $sequence_7 = { eb0c 8d5103 0fb7c0 8996bc160000 0fb7c8 }
            // n = 5, score = 300
            //   eb0c                 | jmp                 0xe
            //   8d5103               | lea                 edx, [ecx + 3]
            //   0fb7c0               | movzx               eax, ax
            //   8996bc160000         | mov                 dword ptr [esi + 0x16bc], edx
            //   0fb7c8               | movzx               ecx, ax

        $sequence_8 = { 8a86b9160000 88040a b110 2a8ebc160000 8b86bc160000 ff4614 }
            // n = 6, score = 300
            //   8a86b9160000         | mov                 al, byte ptr [esi + 0x16b9]
            //   88040a               | mov                 byte ptr [edx + ecx], al
            //   b110                 | mov                 cl, 0x10
            //   2a8ebc160000         | sub                 cl, byte ptr [esi + 0x16bc]
            //   8b86bc160000         | mov                 eax, dword ptr [esi + 0x16bc]
            //   ff4614               | inc                 dword ptr [esi + 0x14]

        $sequence_9 = { 02c2 03cb 0fb6c0 8a843800010000 }
            // n = 4, score = 300
            //   02c2                 | add                 al, dl
            //   03cb                 | add                 ecx, ebx
            //   0fb6c0               | movzx               eax, al
            //   8a843800010000       | mov                 al, byte ptr [eax + edi + 0x100]

    condition:
        // 7 of the 10 sequences must be present, so a few sequences missing
        // (e.g. from a different build) still yield a match. The size bound is
        // evaluated against the scanned file; NOTE(review): when scanning a
        // process rather than a file, YARA's filesize is not meaningful —
        // confirm behaviour before relying on this rule for memory scans.
        7 of them and filesize < 512000
}