Mystic Stealer Technical Analysis

This blog post comes from the “Mystic Stealer Technical Analysis Report” by the Brandefense Research Team. For more details about the analysis, download the report.

Executive Summary

Mystic Stealer is an information-stealing malware family that first surfaced in April 2023 and has quickly become a prominent threat. Its builder and control panel are actively traded on underground forums under a Malware-as-a-Service (MaaS) model, so the operators who buy it do not need to write or compile anything themselves. This report provides an in-depth analysis of the malware.

Mystic Stealer is a relatively simple but effective stealer. It targets data stored by web browsers, system information, screenshots, and wallet browser extensions, as well as locally installed ("cold") cryptocurrency wallets. Its stealing capabilities are listed below.

  • Browser data
    • Passwords
    • History
    • Credit Cards
    • Sessions
    • Cookies
    • Autofill
    • Extensions
      • Crypto wallets
      • Password managers
      • Multi-factor authenticators
  • Cold wallets
  • System information
  • Screenshot

Overview

File Name: stealer.exe
MD5: bdc486117f48fef2b268ad2de305ef3d
SHA-1: 52f907d6325e3c5ccb72baf7589d1dbe81f5df80
SHA-256: b37ab91f8163344b775edc9a4378d44fdfddbac3b0cd3fceaf670f79b06bc362
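The hashes above are the first thing a responder wants to check across a fleet or a pile of triage artifacts. The script below is an added example (not part of the Brandefense report) that walks a directory tree, computes MD5, SHA-1 and SHA-256 of every file in a single streaming pass, and reports any file whose digest matches the published IoCs. The `demo()` function uses a constructed directory and the well-known digests of the byte string `abc` as a stand-in "known bad" file, so the matching path can be exercised offline without the real sample.

```python
import hashlib
import os
import sys
import tempfile
from pathlib import Path

# File hashes published in the Overview above for the analysed sample (stealer.exe).
MYSTIC_STEALER_IOCS = {
    "md5": {"bdc486117f48fef2b268ad2de305ef3d"},
    "sha1": {"52f907d6325e3c5ccb72baf7589d1dbe81f5df80"},
    "sha256": {"b37ab91f8163344b775edc9a4378d44fdfddbac3b0cd3fceaf670f79b06bc362"},
}


def hash_file(path, chunk_size=1 << 20):
    """Return {"md5": ..., "sha1": ..., "sha256": ...} for `path`, reading the file
    once in chunks so large files are never loaded into memory whole."""
    digests = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def scan_tree(root, iocs=MYSTIC_STEALER_IOCS):
    """Walk `root` and return a list of (path, algorithm, digest) for every file whose
    digest appears in `iocs`. Unreadable files (locked, permission denied) are skipped
    rather than aborting the sweep, and symlinks are not followed."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue
            try:
                digests = hash_file(path)
            except OSError:
                continue
            for algo, digest in digests.items():
                if digest in iocs.get(algo, ()):
                    hits.append((path, algo, digest))
    return hits


# Constructed test data (assumption for the demo, not a Mystic Stealer IoC): the
# well-known digests of the three-byte string b"abc". They stand in for a known-bad
# file so the matching path can be exercised without the real binary.
CONSTRUCTED_IOCS = {
    "md5": {"900150983cd24fb0d6963f7d28e17f72"},
    "sha1": {"a9993e364706816aba3e25717850c26c9cd0d89d"},
    "sha256": {"ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"},
}


def demo():
    """Build a throwaway directory with one benign file and one file whose content is
    b"abc", scan it against the real IoCs merged with the constructed ones, and return
    the matches as sorted (filename, algorithm) pairs."""
    merged = {algo: MYSTIC_STEALER_IOCS[algo] | CONSTRUCTED_IOCS[algo]
              for algo in MYSTIC_STEALER_IOCS}
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "notes.txt").write_bytes(b"nothing of interest")
        Path(tmp, "stealer.exe").write_bytes(b"abc")  # stand-in content, not the real sample
        hits = scan_tree(tmp, merged)
        return sorted((os.path.basename(p), algo) for p, algo, _ in hits)


if __name__ == "__main__":
    # Usage: python ioc_scan.py <directory>   (defaults to the current directory)
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, algo, digest in scan_tree(root):
        print(f"MATCH {algo} {digest} {path}")
```

A hash match is a high-confidence hit but a low-coverage one: because Mystic Stealer is sold as a builder, every customer's build is a different binary, and these three digests only identify the specific sample analysed here. Treat the hash sweep as a quick triage step and rely on the YARA rules linked at the end of this post for broader coverage.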

Conclusion

Demand for stolen credentials and session data in the cybercriminal ecosystem keeps growing, and tools like Mystic Stealer have never been easier to obtain. Because the builder and panel are sold on underground forums, operators with little technical skill can deploy the malware. Understanding its inner workings, capabilities, and likely impact is therefore essential for building effective defenses and mitigating the risk it poses.

By examining Mystic Stealer in detail, this report aims to contribute to the ongoing effort to combat such threats and strengthen defensive measures. We hope the findings presented here help individuals, businesses, and security professionals better understand and respond to Mystic Stealer and similar malware in the future.

MITRE ATT&CK Threat Matrix

  1. TA0002 Execution
    • T1204 User Execution
      • T1204.002 Malicious File
  2. TA0005 Defense Evasion
    • T1140 Deobfuscate/Decode Files or Information
  3. TA0006 Credential Access
    • T1555 Credentials from Password Stores
      • T1555.003 Credentials from Web Browsers
      • T1555.005 Password Managers
    • T1539 Steal Web Session Cookie
  4. TA0007 Discovery
    • T1082 System Information Discovery
    • T1033 System Owner/User Discovery
  5. TA0009 Collection
    • T1005 Data from Local System
  6. TA0011 Command and Control
    • T1573 Encrypted Channel
      • T1573.001 Symmetric Cryptography
  7. TA0010 Exfiltration
    • T1041 Exfiltration Over C2 Channel

Download YARA Rules and IoCs from GitHub.