cstealer | 5aa6a9d9e25d7a09a3b40f50140b631b15e9e45777f3999deafce0de1ffc6c1b | Triage

Sharing

General

Target

2025-03-30_9dd7f527bdb45bd93bd9b4ff83549a88_black-basta_cobalt-strike_satacom
Size

20.9MB
Sample

250330-xfsp5st1cs
MD5

9dd7f527bdb45bd93bd9b4ff83549a88
SHA1

3edc5fdb890b320022103eb3c9100a083bba0f46
SHA256

5aa6a9d9e25d7a09a3b40f50140b631b15e9e45777f3999deafce0de1ffc6c1b
SHA512

cc197450ce28f634c19bb86263dfc2f23ce0596afa7e631c5a631cfc122b5fb968f3aa1548c0202b8153c3d21cfa66618b8c89bb0efffdb68e1f34ae5362d90f
SSDEEP

393216:t9YiVVlj87dt8WdqmNY0LfHqO1UTdQJl3wF3MnG3CblCOL/AJ0bderWM4uYyk5aH:t9YiVVl8ZO8FGLTdQC3MGVOb1b6UA

Score

10^/10

cstealer credential_access discovery pyinstaller spyware stealer

Malware Config

Targets

- Target
  
  2025-03-30_9dd7f527bdb45bd93bd9b4ff83549a88_black-basta_cobalt-strike_satacom
- Size
  
  20.9MB
- MD5
  
  9dd7f527bdb45bd93bd9b4ff83549a88
- SHA1
  
  3edc5fdb890b320022103eb3c9100a083bba0f46
- SHA256
  
  5aa6a9d9e25d7a09a3b40f50140b631b15e9e45777f3999deafce0de1ffc6c1b
- SHA512
  
  cc197450ce28f634c19bb86263dfc2f23ce0596afa7e631c5a631cfc122b5fb968f3aa1548c0202b8153c3d21cfa66618b8c89bb0efffdb68e1f34ae5362d90f
- SSDEEP
  
  393216:t9YiVVlj87dt8WdqmNY0LfHqO1UTdQJl3wF3MnG3CblCOL/AJ0bderWM4uYyk5aH:t9YiVVl8ZO8FGLTdQC3MGVOb1b6UA
Score

10^/10

cstealer credential_access discovery spyware stealer
- CStealer
  CStealer is an open-source infostealer written in Python and packaged with PyInstaller.
  stealer cstealer
- Cstealer family
  cstealer
- Drops startup file
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Discovery

Browser Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

pyinstallercstealer

behavioral1

behavioral2

cstealercredential_accessdiscoveryspywarestealer