A new stealer malware is on the rise, designed to obtain user credentials that help attackers penetrate specific environments and to collect other information of financial value.
This spyware also targets Steam, Telegram, and cryptocurrency wallets. Additionally, Mystic implements a proprietary binary command-and-control protocol encrypted with RC4.
New Mystic Stealer Malware
Mystic Stealer specializes in data theft and can steal a variety of different types of data.
It is intended to gather computer data such as the system hostname, user name, and GUID.
Additionally, it determines the likely geolocation of the system's user from the locale and keyboard layout. Mystic Stealer can also extract key data from cryptocurrency wallets and web browsers: it gathers cryptocurrency wallet information, browser history, arbitrary files, cookies, and auto-fill data.
List Of System Data Gathered By The Malware
- Keyboard layout
- Locale
- CPU information
- Number of CPU processors
- Screen dimensions
- Computer name
- Username
- Running processes
- System architecture
- Operating system version
Additionally, researchers note that some of the servers are located with hosting providers in Latvia, Bulgaria, and Russia.
IoCs
IoCs shared by Zscaler:
C2 server endpoints observed in recent bot configurations
- 194.169.175[.]123:13219
- 185.252.179[.]18:13219
- 142.132.201[.]228:13219
- 135.181.47[.]95:13219
- 94.130.164[.]47:13219
- 94.23.26[.]20:13219
- 91.121.118[.]80:13219
Sample hashes (SHA-256, with Imphash)
- 47439044a81b96be0bb34e544da881a393a30f0272616f52f54405b4bf288c7c (Imphash: 8f2649698c183ba2b52e5e425852109d)
- 5c0987d0ee43f2d149a38fc7320d9ffd02542b2b71ac6b5ea5975f907f9b9bf8 (Imphash: d6d4965d7fe2d90a52736f0db331f81a)
- 7c185697d3d3a544ca0cef987c27e46b20997c7ef69959c720a8d2e8a03cd5dc (Imphash: d6d4965d7fe2d90a52736f0db331f81a)
- acba3311b319a60192be2e29aa8038c863a794be39603a21ee8ee4ccc3ebfca6 (Imphash: d6d4965d7fe2d90a52736f0db331f81a)
- 30fb52e4bd3c4866a7b6ccedcfa7a3ff25d73440ca022986a6781af669272639 (Imphash: 9cd292d1fac1768b38a49bc6b288c67d)
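The C2 endpoints and sample hashes above are published in defanged form and are only useful once they are matched against telemetry. The following Python script is an added example, not code from the article or from Zscaler: it refangs the listed endpoints, then checks constructed proxy/firewall log lines for destination ip:port pairs and constructed file-hash records for the listed SHA-256 values. The log format, file paths and the benign destination 203.0.113.5 are assumptions made up for the example; the indicators themselves are the ones listed in the article.

```python
# Added example (not from the article or Zscaler): match the published
# Mystic Stealer IoCs against constructed log lines and file-hash records.
import re
from typing import Dict, List

# C2 endpoints exactly as listed in the article, in defanged form ("[.]" for ".").
DEFANGED_C2 = [
    "194.169.175[.]123:13219",
    "185.252.179[.]18:13219",
    "142.132.201[.]228:13219",
    "135.181.47[.]95:13219",
    "94.130.164[.]47:13219",
    "94.23.26[.]20:13219",
    "91.121.118[.]80:13219",
]

# SHA-256 sample hashes from the article, kept lower-case for comparison.
SAMPLE_SHA256 = {
    "47439044a81b96be0bb34e544da881a393a30f0272616f52f54405b4bf288c7c",
    "5c0987d0ee43f2d149a38fc7320d9ffd02542b2b71ac6b5ea5975f907f9b9bf8",
    "7c185697d3d3a544ca0cef987c27e46b20997c7ef69959c720a8d2e8a03cd5dc",
    "acba3311b319a60192be2e29aa8038c863a794be39603a21ee8ee4ccc3ebfca6",
    "30fb52e4bd3c4866a7b6ccedcfa7a3ff25d73440ca022986a6781af669272639",
}


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('1.2.3[.]4', 'hxxp://') back into its live form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


C2_ENDPOINTS = {refang(c) for c in DEFANGED_C2}
C2_IPS = {ep.split(":")[0] for ep in C2_ENDPOINTS}

# Matches an "ip:port" destination token anywhere in a log line.
_DEST_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})\b")


def scan_log(lines: List[str]) -> List[Dict[str, str]]:
    """Return one hit per ip:port token that is a listed C2 endpoint.

    A token whose IP is listed but whose port differs is reported as
    'ip-only' so an analyst can triage it separately: the same host may
    serve other ports, so it is a weaker signal than a full endpoint match.
    """
    hits = []
    for line in lines:
        for ip, port in _DEST_RE.findall(line):
            endpoint = f"{ip}:{port}"
            if endpoint in C2_ENDPOINTS:
                hits.append({"line": line, "indicator": endpoint, "match": "endpoint"})
            elif ip in C2_IPS:
                hits.append({"line": line, "indicator": ip, "match": "ip-only"})
    return hits


def scan_hashes(records: Dict[str, str]) -> Dict[str, str]:
    """Map file path -> SHA-256 for every record whose hash is a known sample.

    Hashes are compared case-insensitively because tooling disagrees on case.
    """
    return {path: h.lower() for path, h in records.items() if h.lower() in SAMPLE_SHA256}


# Constructed sample input (not real telemetry); 203.0.113.5 is a
# documentation-range address standing in for benign traffic.
SAMPLE_LOG = [
    "2023-06-20T10:01:02Z proxy src=10.0.0.15 dst=194.169.175.123:13219 bytes=512",
    "2023-06-20T10:01:05Z proxy src=10.0.0.15 dst=203.0.113.5:443 bytes=2048",
    "2023-06-20T10:02:11Z fw src=10.0.0.22 dst=94.23.26.20:443 action=allow",
]
SAMPLE_FILES = {
    r"C:\Users\alice\Downloads\setup.exe": "47439044A81B96BE0BB34E544DA881A393A30F0272616F52F54405B4BF288C7C",
    r"C:\Windows\notepad.exe": "0000000000000000000000000000000000000000000000000000000000000000",
}

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["match"], hit["indicator"], "<-", hit["line"])
    for path, digest in scan_hashes(SAMPLE_FILES).items():
        print("hash match", path, digest)
```

Run against the constructed input, the script reports a full endpoint match for the first line, an ip-only match for the third (same host, different port) and one hash match for the downloaded executable; the distinction between endpoint and ip-only hits is what keeps a shared hosting address from being treated as confirmed C2 traffic on its own.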