hxxps://github[.]com/can-kat/cstealer

Analysis

max time kernel
1800s
max time network
1687s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
22-05-2024 22:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/can-kat/cstealer

Score

6^/10

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
22	camo.githubusercontent.com
25	camo.githubusercontent.com
27	camo.githubusercontent.com
29	raw.githubusercontent.com
31	raw.githubusercontent.com
30	raw.githubusercontent.com
18	camo.githubusercontent.com
19	raw.githubusercontent.com
23	camo.githubusercontent.com
24	camo.githubusercontent.com
26	camo.githubusercontent.com
28	raw.githubusercontent.com

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133608899728253177"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1020	chrome.exe
1020	chrome.exe
4704	chrome.exe
4704	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
1020	chrome.exe
1020	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1020	chrome.exe
Token: SeCreatePagefilePrivilege	1020	chrome.exe
Token: SeShutdownPrivilege	1020	chrome.exe
Token: SeCreatePagefilePrivilege	1020	chrome.exe
Token: SeShutdownPrivilege	1020	chrome.exe
Token: SeCreatePagefilePrivilege	1020	chrome.exe
Token: SeShutdownPrivilege	1020	chrome.exe
Token: SeCreatePagefilePrivilege	1020	chrome.exe
Token: SeShutdownPrivilege	1020	chrome.exe
Token: SeCreatePagefilePrivilege	1020	chrome.exe
Token: SeShutdownPrivilege	1020	chrome.exe
Token: SeCreatePagefilePrivilege	1020	chrome.exe
Token: SeShutdownPrivilege	1020	chrome.exe
Token: SeCreatePagefilePrivilege	1020	chrome.exe
Token: SeShutdownPrivilege	1020	chrome.exe
Token: SeCreatePagefilePrivilege	1020	chrome.exe
Token: SeShutdownPrivilege	1020	chrome.exe
Token: SeCreatePagefilePrivilege	1020	chrome.exe
Token: SeShutdownPrivilege	1020	chrome.exe
Token: SeCreatePagefilePrivilege	1020	chrome.exe
Token: SeShutdownPrivilege	1020	chrome.exe
Token: SeCreatePagefilePrivilege	1020	chrome.exe
Token: SeShutdownPrivilege	1020	chrome.exe
Token: SeCreatePagefilePrivilege	1020	chrome.exe
Token: SeShutdownPrivilege	1020	chrome.exe
Token: SeCreatePagefilePrivilege	1020	chrome.exe
Token: SeShutdownPrivilege	1020	chrome.exe
Token: SeCreatePagefilePrivilege	1020	chrome.exe
Token: SeShutdownPrivilege	1020	chrome.exe
Token: SeCreatePagefilePrivilege	1020	chrome.exe
Token: SeShutdownPrivilege	1020	chrome.exe
Token: SeCreatePagefilePrivilege	1020	chrome.exe
Token: SeShutdownPrivilege	1020	chrome.exe
Token: SeCreatePagefilePrivilege	1020	chrome.exe
Token: SeShutdownPrivilege	1020	chrome.exe
Token: SeCreatePagefilePrivilege	1020	chrome.exe
Token: SeShutdownPrivilege	1020	chrome.exe
Token: SeCreatePagefilePrivilege	1020	chrome.exe
Token: SeShutdownPrivilege	1020	chrome.exe
Token: SeCreatePagefilePrivilege	1020	chrome.exe
Token: SeShutdownPrivilege	1020	chrome.exe
Token: SeCreatePagefilePrivilege	1020	chrome.exe
Token: SeShutdownPrivilege	1020	chrome.exe
Token: SeCreatePagefilePrivilege	1020	chrome.exe
Token: SeShutdownPrivilege	1020	chrome.exe
Token: SeCreatePagefilePrivilege	1020	chrome.exe
Token: SeShutdownPrivilege	1020	chrome.exe
Token: SeCreatePagefilePrivilege	1020	chrome.exe
Token: SeShutdownPrivilege	1020	chrome.exe
Token: SeCreatePagefilePrivilege	1020	chrome.exe
Token: SeShutdownPrivilege	1020	chrome.exe
Token: SeCreatePagefilePrivilege	1020	chrome.exe
Token: SeShutdownPrivilege	1020	chrome.exe
Token: SeCreatePagefilePrivilege	1020	chrome.exe
Token: SeShutdownPrivilege	1020	chrome.exe
Token: SeCreatePagefilePrivilege	1020	chrome.exe
Token: SeShutdownPrivilege	1020	chrome.exe
Token: SeCreatePagefilePrivilege	1020	chrome.exe
Token: SeShutdownPrivilege	1020	chrome.exe
Token: SeCreatePagefilePrivilege	1020	chrome.exe
Token: SeShutdownPrivilege	1020	chrome.exe
Token: SeCreatePagefilePrivilege	1020	chrome.exe
Token: SeShutdownPrivilege	1020	chrome.exe
Token: SeCreatePagefilePrivilege	1020	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe
1020	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1020 wrote to memory of 1928	1020	chrome.exe	73
PID 1020 wrote to memory of 1928	1020	chrome.exe	73
PID 1020 wrote to memory of 4368	1020	chrome.exe	75
PID 1020 wrote to memory of 4368	1020	chrome.exe	75
PID 1020 wrote to memory of 4368	1020	chrome.exe	75
PID 1020 wrote to memory of 4368	1020	chrome.exe	75
PID 1020 wrote to memory of 4368	1020	chrome.exe	75
PID 1020 wrote to memory of 4368	1020	chrome.exe	75
PID 1020 wrote to memory of 4368	1020	chrome.exe	75
PID 1020 wrote to memory of 4368	1020	chrome.exe	75
PID 1020 wrote to memory of 4368	1020	chrome.exe	75
PID 1020 wrote to memory of 4368	1020	chrome.exe	75
PID 1020 wrote to memory of 4368	1020	chrome.exe	75
PID 1020 wrote to memory of 4368	1020	chrome.exe	75
PID 1020 wrote to memory of 4368	1020	chrome.exe	75
PID 1020 wrote to memory of 4368	1020	chrome.exe	75
PID 1020 wrote to memory of 4368	1020	chrome.exe	75
PID 1020 wrote to memory of 4368	1020	chrome.exe	75
PID 1020 wrote to memory of 4368	1020	chrome.exe	75
PID 1020 wrote to memory of 4368	1020	chrome.exe	75
PID 1020 wrote to memory of 4368	1020	chrome.exe	75
PID 1020 wrote to memory of 4368	1020	chrome.exe	75
PID 1020 wrote to memory of 4368	1020	chrome.exe	75
PID 1020 wrote to memory of 4368	1020	chrome.exe	75
PID 1020 wrote to memory of 4368	1020	chrome.exe	75
PID 1020 wrote to memory of 4368	1020	chrome.exe	75
PID 1020 wrote to memory of 4368	1020	chrome.exe	75
PID 1020 wrote to memory of 4368	1020	chrome.exe	75
PID 1020 wrote to memory of 4368	1020	chrome.exe	75
PID 1020 wrote to memory of 4368	1020	chrome.exe	75
PID 1020 wrote to memory of 4368	1020	chrome.exe	75
PID 1020 wrote to memory of 4368	1020	chrome.exe	75
PID 1020 wrote to memory of 4368	1020	chrome.exe	75
PID 1020 wrote to memory of 4368	1020	chrome.exe	75
PID 1020 wrote to memory of 4368	1020	chrome.exe	75
PID 1020 wrote to memory of 4368	1020	chrome.exe	75
PID 1020 wrote to memory of 4368	1020	chrome.exe	75
PID 1020 wrote to memory of 4368	1020	chrome.exe	75
PID 1020 wrote to memory of 4368	1020	chrome.exe	75
PID 1020 wrote to memory of 4368	1020	chrome.exe	75
PID 1020 wrote to memory of 5036	1020	chrome.exe	76
PID 1020 wrote to memory of 5036	1020	chrome.exe	76
PID 1020 wrote to memory of 168	1020	chrome.exe	77
PID 1020 wrote to memory of 168	1020	chrome.exe	77
PID 1020 wrote to memory of 168	1020	chrome.exe	77
PID 1020 wrote to memory of 168	1020	chrome.exe	77
PID 1020 wrote to memory of 168	1020	chrome.exe	77
PID 1020 wrote to memory of 168	1020	chrome.exe	77
PID 1020 wrote to memory of 168	1020	chrome.exe	77
PID 1020 wrote to memory of 168	1020	chrome.exe	77
PID 1020 wrote to memory of 168	1020	chrome.exe	77
PID 1020 wrote to memory of 168	1020	chrome.exe	77
PID 1020 wrote to memory of 168	1020	chrome.exe	77
PID 1020 wrote to memory of 168	1020	chrome.exe	77
PID 1020 wrote to memory of 168	1020	chrome.exe	77
PID 1020 wrote to memory of 168	1020	chrome.exe	77
PID 1020 wrote to memory of 168	1020	chrome.exe	77
PID 1020 wrote to memory of 168	1020	chrome.exe	77
PID 1020 wrote to memory of 168	1020	chrome.exe	77
PID 1020 wrote to memory of 168	1020	chrome.exe	77
PID 1020 wrote to memory of 168	1020	chrome.exe	77
PID 1020 wrote to memory of 168	1020	chrome.exe	77
PID 1020 wrote to memory of 168	1020	chrome.exe	77
PID 1020 wrote to memory of 168	1020	chrome.exe	77

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/can-kat/cstealer
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffd09289758,0x7ffd09289768,0x7ffd09289778
  2⤵
  PID:1928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1524 --field-trial-handle=1756,i,14441664458124167912,2025369008067806560,131072 /prefetch:2
  2⤵
  PID:4368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2012 --field-trial-handle=1756,i,14441664458124167912,2025369008067806560,131072 /prefetch:8
  2⤵
  PID:5036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2056 --field-trial-handle=1756,i,14441664458124167912,2025369008067806560,131072 /prefetch:8
  2⤵
  PID:168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2900 --field-trial-handle=1756,i,14441664458124167912,2025369008067806560,131072 /prefetch:1
  2⤵
  PID:1428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2948 --field-trial-handle=1756,i,14441664458124167912,2025369008067806560,131072 /prefetch:1
  2⤵
  PID:3968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5140 --field-trial-handle=1756,i,14441664458124167912,2025369008067806560,131072 /prefetch:8
  2⤵
  PID:2660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5048 --field-trial-handle=1756,i,14441664458124167912,2025369008067806560,131072 /prefetch:8
  2⤵
  PID:2276
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=860 --field-trial-handle=1756,i,14441664458124167912,2025369008067806560,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4704

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
36fe082079180ef9381ac47b238a9038

SHA1
aec0cbda140320c70b0ea011e396a110cdbfd7a8

SHA256
2bfb93797e86152806a6d8e73d59999a75914e4c920c016b7b973b2910bfe272

SHA512
9b793979735140f927a861e8da107892fdd16910e13f14114dc93412b73188569458f45068c7fce74f09a0f4d9bd495b96b5b4ebc66c49afa3a591cf66ceb401

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
68063b6d70c1e4cff42ea3a1c42b1655

SHA1
64cd74d0e8ee21f370338c3044a485608bffae6a

SHA256
342387180bc57866e113f7488018ed6b756c9ebd6f4a400f88df9bccaa55ec41

SHA512
969ccfb78997db07c63058f32b796110e5d7b280826b7d4fe777805cb04ef2e4bf2e559c60c7624d9fa21ae82623af33e0fb464225825e7739f0fe9e297ebc1b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
74460892982e0fed5fab4fec0cfee73f

SHA1
c262dd30ac9cb604afc66c8ee6aaefc494c68529

SHA256
0b5b0dd488bdb13babc7c9538883600b43443546077700ad391bd742d66c5c57

SHA512
d55e9d5b841580a58b58eceeb111a3c40878daa81150296e45cdd3f50a688e15f42da9fc5d1b10fbf5fefdc8ace1ed3d5acc734fbc96dcac9d58eab56db88673

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
532f23fe7082183374624a5f76343b67

SHA1
e75664995d4502e9b4477f07f682035ca33d849e

SHA256
fbfabf9a3ffce960f4076ed62c7d770402bbfa55fc98dda07dafa574f675ab7b

SHA512
2d0dbc852ca6120d4ba44d6ab2738212f4dfa80175f9ca7f61b2fb17344490a0bd702337f2b11d59e4864249d496670ac011de80c1d870318b464ea525f3ce06

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
47ed289f5c126d3951904e0dea039028

SHA1
439a7e1660c562381c7567b74c5d5494a91f7476

SHA256
307a97b0c507a0bf5c77b1361ec6de122f7119f7f926429c8162aa0e87217003

SHA512
1fca1836f8d18e4d34a799e9f5c60e43ecdcc3d8c4bbfb986bab98977498243b7795a5c06d2637164925674beb32ea29ab1018bcff992e783755795e98c49104

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
b8b01005afbacecc2324341d490290c9

SHA1
df15b89ff28d940c599053d1aefe4ddb199e2638

SHA256
926c3ba3c52c2990a991a91efb75864d27e985aad494c6df0e265738c68168b2

SHA512
ed923ada5a05b94c167486c77405a6117d75a0a62aa7f7902a4e9957290bfc048d13599bcfe08aff92f7cbfa6c9c7a131527287f127c5e5feb12e2da028613bc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
136KB

MD5
39fcb5913e9535c11182e43dbcaa30f4

SHA1
4e849950298435d81eccb8b9b7f9655731a90c25

SHA256
611eef1ac599eb93a3dfd78161149e2880cb4ce9fb9cdd4c0f1d172b190583af

SHA512
abd30635318f9401c3f774213a06e24ec82cb5365e688c0c250be026f7abfddd3e90961a52b53f0f080d2f6f6a2e4341013c791470c001e6deee13611f292b34

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit