{"id":7288,"date":"2024-03-18T08:30:33","date_gmt":"2024-03-18T08:30:33","guid":{"rendered":"\/cybersecurity-blog\/?p=7288"},"modified":"2024-03-18T08:32:02","modified_gmt":"2024-03-18T08:32:02","slug":"asukastealer-malware-analysis","status":"publish","type":"post","link":"https:\/\/any.run\/cybersecurity-blog\/asukastealer-malware-analysis\/","title":{"rendered":"AsukaStealer: The Next Chapter in ObserverStealer&#8217;s Story"},"content":{"rendered":"\n<p>The following research was conducted by Anna Pham, also known as RussianPanda, a Senior Threat Intelligence researcher and a guest author for the ANY.RUN Blog. For more of her expert insights, <a href=\"https:\/\/twitter.com\/RussianPanda9xx\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">follow her on Twitter\/X<\/a>. Now, let&#8217;s get started with the analysis.<\/p>\n\n\n\n<p>On May 19, 2023, an individual known by the pseudonym &#8216;breakcore&#8217; announced that AsukaStealer was available for sale at $80 a month. Developed in C++, AsukaStealer includes capabilities to deploy additional payloads on infected computers, configure FileGrabber settings, and facilitate log delivery via Telegram, among other features.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"979\" height=\"691\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/1-4.png\" alt=\"\" class=\"wp-image-7291\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/1-4.png 979w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/1-4-300x212.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/1-4-768x542.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/1-4-370x261.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/1-4-270x191.png 270w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/1-4-740x522.png 740w\" sizes=\"(max-width: 979px) 100vw, 979px\" \/><figcaption class=\"wp-element-caption\"><em>Figure <em>1<\/em>: AsukaStealer sale announcement&nbsp;<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>It\u2019s worth mentioning that breakcore previously used the pseudonym ObserverStealer and was selling ObserverStealer on hacking forums until July 2023.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"780\" height=\"260\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/2-4.png\" alt=\"\" class=\"wp-image-7292\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/2-4.png 780w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/2-4-300x100.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/2-4-768x256.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/2-4-370x123.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/2-4-270x90.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/2-4-740x247.png 740w\" sizes=\"(max-width: 780px) 100vw, 780px\" \/><figcaption class=\"wp-element-caption\"><em>Figure <em>2<\/em>: Username history on the hacking forum&nbsp;<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>ObserverStealer failed to gain popularity among cybercriminals and received predominantly negative reviews.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"240\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/3-2-1024x240.png\" alt=\"\" class=\"wp-image-7293\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/3-2-1024x240.png 1024w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/3-2-300x70.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/3-2-768x180.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/3-2-1536x360.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/3-2-2048x479.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/3-2-370x87.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/3-2-270x63.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/3-2-740x173.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Figure <em>3<\/em>: Technical discussion thread on ObserverStealer (source: XSS forum)&nbsp;<\/em><\/figcaption><\/figure><\/div>\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"605\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/4-1-1024x605.png\" alt=\"\" class=\"wp-image-7294\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/4-1-1024x605.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/4-1-300x177.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/4-1-768x453.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/4-1-370x218.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/4-1-270x159.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/4-1-740x437.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/4-1.png 1306w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Figure <em>4<\/em>: WhiteSnake\u2019s comment on ObserverStealer&nbsp;<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>In this 
write-up, we will dive into the analysis of AsukaStealer (MD5: 32583272b5b5bd95e770661438b41daf) to determine if it\u2019s the rebrand of ObserverStealer.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">AsukaStealer Technical Analysis&nbsp;<\/h2>\n\n\n\n<p>As mentioned before, AsukaStealer is written in C++ with a file size of approximately 440KB for the payload that hasn\u2019t been encrypted.&nbsp;&nbsp;<\/p>\n\n\n\n<p>When submitting <a href=\"https:\/\/app.any.run\/tasks\/8b1ee45a-87de-4fc5-a755-84546a974a44\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=asuka_stealer_analysis&amp;utm_content=linktoservice&amp;utm_term=180324\" target=\"_blank\" rel=\"noreferrer noopener\">the sample<\/a> 
to <a href=\"https:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=asuka_stealer_analysis&amp;utm_content=linktolanding&amp;utm_term=180324\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN<\/a>, we immediately see the attribution to ObserverStealer, as shown in the image below. That hints that the code or traffic for ObserverStealer is potentially similar to AsukaStealer.&nbsp;&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"586\" height=\"314\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/5-2.png\" alt=\"\" class=\"wp-image-7295\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/5-2.png 586w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/5-2-300x161.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/5-2-370x198.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/5-2-270x145.png 270w\" sizes=\"(max-width: 586px) 100vw, 586px\" \/><figcaption class=\"wp-element-caption\"><em>Figure <em>5<\/em>: Attribution tag&nbsp;<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>The noticeable things in the binary are the base64-encoded and hexadecimal values. AsukaStealer implements XOR encryption for C2 addresses. In our case, \u201c1d6f6623f5e8555c446dc496567bd86e\u201d is the key, and \u201cWRBCFgwZHQZIAVcWAwMbUQEOBVRTBA==\u201d is the encrypted C2 address. It\u2019s worth noting that AsukaStealer uses one C2 address to receive the logs unless the clients configure their custom proxy, which is also an option. 
For each stealer build generated, the base64-encoded and the hexadecimal values change.&nbsp;&nbsp;&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"229\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/6-2-1024x229.png\" alt=\"\" class=\"wp-image-7296\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/6-2-1024x229.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/6-2-300x67.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/6-2-768x172.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/6-2-370x83.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/6-2-270x60.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/6-2-740x165.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/6-2.png 1177w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Figure <em>6<\/em>: Embedded Base64-encoded and hexadecimal values&nbsp;<\/em><\/figcaption><\/figure><\/div>\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"422\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/7-1024x422.png\" alt=\"\" class=\"wp-image-7297\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/7-1024x422.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/7-300x124.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/7-768x317.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/7-370x153.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/7-270x111.png 270w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/7-740x305.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/7.png 1167w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Figure <em>7<\/em>: Decrypted string (Source: CyberChef)&nbsp;<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>AsukaStealer uses the GetCurrentHwProfileA function to obtain the hardware profile of the machine. The resulting HWID value is then appended to the log file \u201cSystemInfo.txt\u201d and sent to the C2 server in the first POST request.&nbsp;&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"484\" height=\"163\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/8.png\" alt=\"\" class=\"wp-image-7298\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/8.png 484w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/8-300x101.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/8-370x125.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/8-270x91.png 270w\" sizes=\"(max-width: 484px) 100vw, 484px\" \/><figcaption class=\"wp-element-caption\"><em>Figure <em>8<\/em>: Obtaining HWID\/GUID value&nbsp;<\/em><\/figcaption><\/figure><\/div>\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"535\" height=\"438\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/9.png\" alt=\"\" class=\"wp-image-7299\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/9.png 535w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/9-300x246.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/9-370x303.png 370w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/9-270x221.png 270w\" sizes=\"(max-width: 535px) 100vw, 535px\" \/><figcaption class=\"wp-element-caption\"><em>Figure <em>9<\/em>: Obtaining the HWID\/GUID value (Behavior activities from ANY.RUN analysis)&nbsp;<\/em><\/figcaption><\/figure><\/div>\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"333\" height=\"277\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/10-1.png\" alt=\"\" class=\"wp-image-7300\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/10-1.png 333w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/10-1-300x250.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/10-1-270x225.png 270w\" sizes=\"(max-width: 333px) 100vw, 333px\" \/><figcaption class=\"wp-element-caption\"><em>Figure <em>10<\/em>: Process details from ANY.RUN analysis&nbsp;<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>To gather extra system information, the stealer reads the registry value SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProductName to retrieve the operating system&#8217;s product name, and calls the GetUserDefaultLangID API to obtain the current user&#8217;s language identifier. The system architecture is identified with the GetNativeSystemInfo function, which fills in the \u201cSYSTEM_INFO\u201d structure; the stealer checks its wProcessorArchitecture member. A value of 9 signifies a 64-bit (AMD or Intel) architecture, and any other value is treated as 32-bit. 
Next, the username is obtained via the GetUserNameW function, and display information is retrieved via EnumDisplayDevicesW.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"572\" height=\"394\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/11-1.png\" alt=\"\" class=\"wp-image-7301\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/11-1.png 572w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/11-1-300x207.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/11-1-370x255.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/11-1-270x186.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/11-1-435x300.png 435w\" sizes=\"(max-width: 572px) 100vw, 572px\" \/><figcaption class=\"wp-element-caption\"><em>Figure <em>11<\/em>: Gathering system information&nbsp;<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>The gathered system information is then parsed into the following fields:&nbsp;&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>username&nbsp;<\/li>\n\n\n\n<li>timezone&nbsp;<\/li>\n\n\n\n<li>cpu&nbsp;<\/li>\n\n\n\n<li>os&nbsp;<\/li>\n\n\n\n<li>display_size&nbsp;<\/li>\n\n\n\n<li>ram&nbsp;<\/li>\n\n\n\n<li>arch&nbsp;<\/li>\n\n\n\n<li>locale&nbsp;<\/li>\n\n\n\n<li>apps&nbsp;<\/li>\n\n\n\n<li>devices&nbsp;<\/li>\n<\/ul>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"355\" height=\"182\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/12.png\" alt=\"\" class=\"wp-image-7302\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/12.png 355w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/12-300x154.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/12-270x138.png 
270w\" sizes=\"(max-width: 355px) 100vw, 355px\" \/><figcaption class=\"wp-element-caption\"><em>Figure <em>12<\/em>: Parsing system information&nbsp;<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>The stealer probes the registry path<em> SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall<\/em>, zeroing in on the DisplayName registry value. It compiles a list of installed applications from this data and subsequently adds this information to the SystemInfo.txt file.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"835\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/13-1024x835.png\" alt=\"\" class=\"wp-image-7303\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/13-1024x835.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/13-300x245.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/13-768x627.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/13-370x302.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/13-270x220.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/13-740x604.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/13.png 1048w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Figure <em>13<\/em>: Accessing the registry key to get installed application products&nbsp;<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>The system information and list of installed applications are then sent over to C2, which we will go through later in this article.&nbsp;<\/p>\n\n\n\n<p>AsukeStealer scans for active processes like Telegram.exe, Steam Desktop Authenticator.exe, and steam.exe. 
It initiates this process by invoking CreateToolhelp32Snapshot to capture a snapshot of all running processes, then iterates through each process in the snapshot with Process32FirstW.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"455\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/14-1024x455.png\" alt=\"\" class=\"wp-image-7304\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/14-1024x455.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/14-300x133.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/14-768x341.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/14-370x164.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/14-270x120.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/14-740x329.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/14.png 1271w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Figure <em>14<\/em>: Iterating through specific running processes&nbsp;<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>If it finds any of these processes running, it searches for the following files (based on the configuration fetched from the C2 server):&nbsp;<\/p>\n\n\n\n<p>For Steam Desktop Authenticator.exe, it collects any file within the <em>\/maFiles\/<\/em> directory, as indicated by the <strong>.*<\/strong> regex, which matches any character (except line terminators) zero or more times.&nbsp;<\/p>\n\n\n\n<p>Configuration:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Steam Desktop Authenticator.exe:&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Folder\/Pattern: \/maFiles\/&nbsp;<\/li>\n\n\n\n<li>Regex Pattern: .*&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>For Telegram.exe, 
within the \/tdata\/ directory, it looks for:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Names ending in a run of 16 or 17 arbitrary characters, matched by (.{16,17}$) (likely unique identifiers or encrypted file names).&nbsp;<\/li>\n\n\n\n<li>Specific filenames or patterns including usertag, prefix, key_datas, settingss (with an optional file extension), countries, devversion, configs, and maps.&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>Configuration:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Telegram.exe&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Folder\/Pattern: \/tdata\/&nbsp;<\/li>\n\n\n\n<li>Regex Pattern: (.{16,17}$)|usertag|prefix|key_datas|settingss(\\.(\\w+))?|countries|devversion|configs|maps&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>For steam.exe, it searches globally (indicated by \/) for:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Files starting with ssfn followed by any number of digits (associated with Steam user authentication files).&nbsp;<\/li>\n\n\n\n<li>Specific Steam configuration and data files: loginusers.vdf, libraryfolders.vdf, DialogConfig.vdf, and config.vdf.&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>Configuration:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>steam.exe&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Folder\/Pattern: \/&nbsp;<\/li>\n\n\n\n<li>Regex Pattern: ssfn([0-9]+)|loginusers\\.vdf|libraryfolders\\.vdf|DialogConfig\\.vdf|config\\.vdf&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>After that, it sets the X-Config header to the tag \u201cPG\u201d, presumably meaning \u201cProcess Grabber\u201d; the identified process name and the corresponding file path from the configuration are placed in the X-Info header, separated by a pipe, and sent to the C2 server, for example:&nbsp;&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>X-Info: Steam Desktop Authenticator.exe|&lt;path_to_maFiles&gt;&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>The function below captures the infected machine&#8217;s screenshot using API 
functions such as GetDC, CreateCompatibleDC, GetDeviceCaps, CreateCompatibleBitmap, etc. The value \u201c{557CF406-1A04-11D3-9A73-0000F81EF32E}\u201d is the <a href=\"https:\/\/learn.microsoft.com\/en-us\/windows\/win32\/gdiplus\/-gdiplus-retrieving-the-class-identifier-for-an-encoder-use\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">encoder<\/a> that is used to save the image; in our case, it\u2019s PNG.&nbsp;&nbsp;&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"829\" height=\"561\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/15.png\" alt=\"\" class=\"wp-image-7305\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/15.png 829w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/15-300x203.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/15-768x520.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/15-370x250.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/15-270x183.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/15-740x501.png 740w\" sizes=\"(max-width: 829px) 100vw, 829px\" \/><figcaption class=\"wp-element-caption\"><em>Figure <em>15<\/em>: Function responsible for taking the screenshot&nbsp;<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>The following files are gathered and sent over to C2:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>cookies.sqlite \u2013 stores the cookies.&nbsp;<\/li>\n\n\n\n<li>logins.json \u2013 stores the passwords.&nbsp;<\/li>\n\n\n\n<li>cert9.db \u2013 stores the security certificate settings.&nbsp;<\/li>\n\n\n\n<li>key4.db \u2013 stores the master password.&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>The files gathered are essential for decrypting Firefox browser data. For each file collected, a new UUID is generated using the UuidCreate function. 
These UUIDs are then attached to the traffic data for each file sent to the C2 server for subsequent password decryption. It is also worth noting that the UuidCreate function is utilized for other data exfiltrated from the host, including crypto wallets, the Grabber module, Steam, Telegram, and more.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"545\" height=\"399\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/16.png\" alt=\"\" class=\"wp-image-7306\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/16.png 545w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/16-300x220.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/16-370x271.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/16-270x198.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/16-80x60.png 80w\" sizes=\"(max-width: 545px) 100vw, 545px\" \/><figcaption class=\"wp-element-caption\"><em>Figure <em>16<\/em>: Gathering Firefox sensitive files for password decryption&nbsp;<\/em><\/figcaption><\/figure><\/div>\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"435\" height=\"185\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/17.png\" alt=\"\" class=\"wp-image-7307\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/17.png 435w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/17-300x128.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/17-370x157.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/17-270x115.png 270w\" sizes=\"(max-width: 435px) 100vw, 435px\" \/><figcaption class=\"wp-element-caption\"><em>Figure <em>17<\/em>: Using UUIDCreate to create a new 
UUID&nbsp;<\/em><\/figcaption><\/figure><\/div>\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1020\" height=\"813\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/18.png\" alt=\"\" class=\"wp-image-7308\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/18.png 1020w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/18-300x239.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/18-768x612.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/18-370x295.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/18-270x215.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/18-740x590.png 740w\" sizes=\"(max-width: 1020px) 100vw, 1020px\" \/><figcaption class=\"wp-element-caption\"><em>Figure <em>18<\/em>: Generated UUIDs used for communication with C2 server&nbsp;<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>The regex pattern \u201c\\&#8221;encrypted_key\\&#8221;:\\&#8221;(.+?)\\&#8221;\u201d is used to retrieve either the encrypted key or the encrypted master password from the Google Chrome Local State file. This pattern specifically targets a JSON field named \u201cencrypted_key\u201d to extract its value. 
The \u201c(.+?)\u201d segment is a non-greedy capturing group that captures the shortest sequence of one or more characters before the closing quote.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"372\" height=\"103\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/19.png\" alt=\"\" class=\"wp-image-7309\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/19.png 372w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/19-300x83.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/19-370x102.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/19-270x75.png 270w\" sizes=\"(max-width: 372px) 100vw, 372px\" \/><figcaption class=\"wp-element-caption\"><em>Figure <em>19<\/em>: Regex pattern to look for the encrypted key&nbsp;<\/em><\/figcaption><\/figure><\/div>\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"529\" height=\"429\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/20.png\" alt=\"\" class=\"wp-image-7310\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/20.png 529w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/20-300x243.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/20-370x300.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/20-270x219.png 270w\" sizes=\"(max-width: 529px) 100vw, 529px\" \/><figcaption class=\"wp-element-caption\"><em>Figure <em>20<\/em>: The stealer reading the Local State file (ANY.RUN)&nbsp;<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>The extracted key is then Base64-decoded and decrypted via the CryptUnprotectData function.&nbsp;&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img 
loading=\"lazy\" decoding=\"async\" width=\"571\" height=\"302\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/21.png\" alt=\"\" class=\"wp-image-7311\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/21.png 571w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/21-300x159.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/21-370x196.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/21-270x143.png 270w\" sizes=\"(max-width: 571px) 100vw, 571px\" \/><figcaption class=\"wp-element-caption\"><em>Figure <em>21<\/em>: Base64-decoding function&nbsp;<\/em><\/figcaption><\/figure><\/div>\n\n\n\n<h2 class=\"wp-block-heading\">C2 Communication&nbsp;<\/h2>\n\n\n\n<p>Upon initial infection, the machine retrieves the X-Session ID from the server via the URLOpenBlockingStreamW API, which creates a blocking stream object for a URL and downloads its data from the Internet. The request follows the GET format <em>\u201c&lt;C2_IP&gt;\/s?id=X-ID\u201d<\/em>, where X-ID stands for the log ID, presumably the value used to correlate the logs with the infected instance. The X-Session ID is used for all further communication with the C2 server. The stealer configuration is retrieved from the C2 through the same API, using the GET format <em>\u201c&lt;C2_IP&gt;\/?id=X-ID\u201d<\/em>.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"624\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/22-1024x624.png\" alt=\"\" class=\"wp-image-7312\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/22-1024x624.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/22-300x183.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/22-768x468.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/22-370x226.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/22-270x165.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/22-740x451.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/22.png 1043w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Figure <em>22<\/em>: Retrieving stealer&#8217;s configuration from C2 server&nbsp;<\/em><\/figcaption><\/figure><\/div>\n\n<div class=\"wp-block-image\">\n<figure 
class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"624\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/23-1024x624.png\" alt=\"\" class=\"wp-image-7313\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/23-1024x624.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/23-300x183.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/23-768x468.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/23-370x226.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/23-270x165.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/23-740x451.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/23.png 1040w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Figure <em>23<\/em>: Retrieving X-Session ID from the server C2&nbsp;<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>Interestingly enough, the configuration file and the X-Session ID can be found under <em>C:\\Users\\&lt;username&gt;\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\<\/em>, where Windows stores cached internet files.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"468\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/24-1024x468.png\" alt=\"\" class=\"wp-image-7314\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/24-1024x468.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/24-300x137.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/24-768x351.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/24-1536x702.png 1536w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/24-370x169.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/24-270x123.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/24-740x338.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/24.png 1885w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Figure <em>24<\/em>: Configuration and X-Session ID found in cached internet files&nbsp;<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>Next, the infected machine sends out the POST request with HWID information with \u201cHWID\u201d appended to the X-Config custom header. If the server responds with \u201cok\u201d, the infected machine will further send more exfiltrated logs.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"622\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/25-1024x622.png\" alt=\"\" class=\"wp-image-7315\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/25-1024x622.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/25-300x182.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/25-768x466.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/25-370x225.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/25-270x164.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/25-740x449.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/25.png 1039w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Figure <em>25<\/em>: Sending HWID to C2 server&nbsp;<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>After receiving the \u201cok\u201d response from the server, the infected 
machine sends out gathered system information mentioned previously with \u201cSYS\u201d appended to the X-Config header.&nbsp;&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"551\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/26-1024x551.png\" alt=\"\" class=\"wp-image-7316\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/26-1024x551.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/26-300x162.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/26-768x413.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/26-1536x827.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/26-370x199.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/26-270x145.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/26-740x398.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/26.png 1655w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Figure <em>26<\/em>: The infected host sending out collected system information&nbsp;<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>Further, the host proceeds with sending out the captured screenshot with \u201cSCR\u201d appended to X-Config header.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"626\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/27-1024x626.png\" alt=\"\" class=\"wp-image-7317\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/27-1024x626.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/27-300x184.png 300w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/27-768x470.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/27-370x226.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/27-270x165.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/27-740x453.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/27.png 1043w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Figure <em>27<\/em>: Sending out the screenshot to the C2 server&nbsp;<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>Starting with Chrome 80, Google Chrome encrypts cookies and passwords with AES-256 in GCM mode; the encryption key (the state key) is stored in the Local State file and is itself protected with the Data Protection API (DPAPI). To decrypt cookies or passwords, the encrypted state key must first be decrypted with the master key managed by DPAPI; the decrypted state key is then used to decrypt the cookies or passwords. As with Firefox, the Chrome cookies and passwords themselves are decrypted on the server, but the decryption of the master key takes place on the infected machine. The master key is then transmitted to the server, labeled as \u201cGoogle_KEY\u201d in the X-Config header.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"621\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/28-1024x621.png\" alt=\"\" class=\"wp-image-7318\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/28-1024x621.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/28-300x182.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/28-768x466.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/28-370x225.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/28-270x164.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/28-740x449.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/28.png 1043w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Figure <em>28<\/em>: Sending the decrypted Google Chrome master key to the C2 server&nbsp;<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>After the master key is transmitted and an \u201cok\u201d response is received, the Login Data from Google Chrome is sent using \u201cGoogle_LGP\u201d as the X-Config header.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1036\" height=\"636\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/29-1024x629.png\" alt=\"\" class=\"wp-image-7319\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/29-1024x629.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/29-300x184.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/29-768x471.png 768w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/29-370x227.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/29-270x166.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/29-740x454.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/29.png 1036w\" sizes=\"(max-width: 1036px) 100vw, 1036px\" \/><figcaption class=\"wp-element-caption\"><em>Figure <em>29<\/em>: Sending out Login Data of Google Chrome to the C2 server&nbsp;<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>The Cookies file is sent using \u201cGoogle_COK\u201d for the X-Config header.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"622\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/30-1024x622.png\" alt=\"\" class=\"wp-image-7320\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/30-1024x622.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/30-300x182.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/30-768x467.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/30-370x225.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/30-270x164.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/30-740x450.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/30.png 1040w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Figure <em>30<\/em>: Sending out Google Chrome Cookies to the C2 server&nbsp;<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>The Web Data file of Google Chrome is sent using \u201cGoogle_WBT\u201d for the X-Config header.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" 
decoding=\"async\" width=\"1024\" height=\"626\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/31-1024x626.png\" alt=\"\" class=\"wp-image-7321\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/31-1024x626.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/31-300x183.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/31-768x469.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/31-370x226.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/31-270x165.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/31-740x452.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/31.png 1039w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Figure <em>31<\/em>: Sending out Google Chrome Web Data to the C2 server&nbsp;<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>For Edge, similar strings are used: _KEY for the master key, _LGP for Login Data, _COK for Cookies, and _WBT for Web Data. For Firefox, the strings are _FLGP (for the cert9.db and key4.db files) and _FCOK (for the cookies.sqlite file).&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">ObserverStealer vs AsukaStealer&nbsp;<\/h2>\n\n\n\n<p>The code of ObserverStealer and AsukaStealer is quite similar. Both stealers retrieve their configurations in the same manner. However, unlike ObserverStealer, AsukaStealer does not parse cookie parameters on the infected host, such as expiry, isSecure, and isHttpOnly.&nbsp;<\/p>\n\n\n\n<p>ObserverStealer downloads DLL dependencies, such as nss3.dll, from a server to decrypt and parse cookies and login data, utilizing functions like PK11_Authenticate, PK11_GetInternalKeySlot, and PK11_FreeSlot. AsukaStealer, on the other hand, forgoes the downloading of these dependencies and directly decrypts the data on the server. 
This approach reduces its digital footprint and helps in evading detection.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"600\" height=\"105\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/32.png\" alt=\"\" class=\"wp-image-7322\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/32.png 600w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/32-300x53.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/32-370x65.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/32-270x47.png 270w\" sizes=\"(max-width: 600px) 100vw, 600px\" \/><figcaption class=\"wp-element-caption\"><em>Figure <em>32<\/em>: Using APIs from nss3.dll to decrypt browser data&nbsp;<\/em><\/figcaption><\/figure><\/div>\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/33-1024x48.png\" alt=\"\" class=\"wp-image-7323\" width=\"650\" height=\"30\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/33-1024x48.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/33-300x14.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/33-768x36.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/33-1536x72.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/33-370x17.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/33-270x13.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/33-740x35.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/33.png 1880w\" sizes=\"(max-width: 650px) 100vw, 650px\" \/><figcaption 
class=\"wp-element-caption\"><em>Figure <em>33<\/em>: ObserverStealer retrieving the dependencies from the C2 server&nbsp;<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>ObserverStealer parses AutoFill data directly on the host, whereas AsukaStealer is likely to perform this parsing on the server.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"266\" height=\"61\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/34.png\" alt=\"\" class=\"wp-image-7324\"\/><figcaption class=\"wp-element-caption\"><em>Figure <em>34<\/em>: ObserverStealer parsing credit card AutoFill data&nbsp;<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>Looking at the network traffic for ObserverStealer, we can confirm that the data is being decrypted on the infected host instead of the server.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"415\" height=\"570\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/35.png\" alt=\"\" class=\"wp-image-7325\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/35.png 415w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/35-218x300.png 218w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/35-370x508.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/35-270x371.png 270w\" sizes=\"(max-width: 415px) 100vw, 415px\" \/><figcaption class=\"wp-element-caption\"><em>Figure <em>35<\/em>: Decrypted cookies sent to C2 server (ObserverStealer network traffic)&nbsp;<\/em><\/figcaption><\/figure><\/div>\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"472\" height=\"192\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/36.png\" alt=\"\" class=\"wp-image-7326\" 
srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/36.png 472w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/36-300x122.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/36-370x151.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/36-270x110.png 270w\" sizes=\"(max-width: 472px) 100vw, 472px\" \/><figcaption class=\"wp-element-caption\"><em>Figure <em>36<\/em>: Decrypted browser password sent to C2 server (ObserverStealer network traffic)&nbsp;<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>ObserverStealer employs XOR encryption for the C2 as well, but its key is hardcoded rather than generated randomly.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"520\" height=\"33\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/37.png\" alt=\"\" class=\"wp-image-7327\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/37.png 520w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/37-300x19.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/37-370x23.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/37-270x17.png 270w\" sizes=\"(max-width: 520px) 100vw, 520px\" \/><figcaption class=\"wp-element-caption\"><em>Figure <em>37<\/em>: Hardcoded XOR key&nbsp;<\/em><\/figcaption><\/figure><\/div>\n\n\n<h2 class=\"wp-block-heading\">Summary&nbsp;<\/h2>\n\n\n\n<p>AsukaStealer shares fundamental similarities with its predecessor, ObserverStealer, including C2 communication and XOR encryption. However, AsukaStealer sets itself apart by eliminating the requirement for external DLL dependencies for data parsing and decryption, preferring server-side operations to improve stealth and minimize its digital footprint. 
The motivation behind the rebranding of ObserverStealer is believed to be the negative feedback from users, as well as the malware developers&#8217; intent to enhance the stealer based on previous critiques, albeit under a new name.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">About ANY.RUN<\/h2>\n\n\n\n<p><a href=\"https:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=asuka_stealer_analysis&amp;utm_content=linktolanding&amp;utm_term=180324\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN<\/a> is a cloud-based malware analysis platform designed to support the work of security teams. It boasts a user base of 400,000 professionals who utilize the platform for threat analysis on Windows and Linux cloud virtual machines.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Benefits of ANY.RUN<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Instant detection: ANY.RUN can detect malware and identify various malware families using YARA and Suricata rules within approximately 40 seconds of file upload.<\/li>\n\n\n\n<li>Hands-on analysis: In contrast to many automated tools, ANY.RUN offers interactive capabilities, allowing users to engage directly with the virtual machine through their browser. This feature helps prevent zero-day exploits and advanced malware that can bypass signature-based detection.<\/li>\n\n\n\n<li>Affordable: ANY.RUN&#8217;s cloud-based nature makes it a budget-friendly solution for businesses, eliminating the need for setup or maintenance efforts from the DevOps team.<\/li>\n\n\n\n<li>Ideal for training: ANY.RUN&#8217;s user-friendly interface enables even junior SOC analysts to quickly learn how to analyze malware and extract indicators of compromise (IOCs).<\/li>\n<\/ul>\n\n\n\n<p>See how ANY.RUN can contribute to your organization&#8217;s security. 
Get a demo of the service for your team.<\/p>\n\n\n\n<p><a href=\"https:\/\/calendly.com\/d\/3nd-rzd-xvx\/any-run-demo-blog\/\" target=\"_blank\" rel=\"noreferrer noopener\">Schedule a demo <\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Appendix 1: IOCs&nbsp;<\/h2>\n\n\n\n<p>AsukaStealer sample: <a href=\"https:\/\/app.any.run\/tasks\/8b1ee45a-87de-4fc5-a755-84546a974a44\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=asuka_stealer_analysis&amp;utm_content=linktoservice&amp;utm_term=180324\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/app.any.run\/tasks\/8b1ee45a-87de-4fc5-a755-84546a974a44\/<\/a>&nbsp;<\/p>\n\n\n\n<p>SHA256: 0E5470A33FD87B813ECF72370F9E1F491515C12F41C8EA3C7BBC169AC56ACDA5&nbsp;<\/p>\n\n\n\n<p>ObserverStealer sample: <a href=\"https:\/\/app.any.run\/tasks\/e8a05e7f-9fd4-4b4c-9fdb-791ef29f382e\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=asuka_stealer_analysis&amp;utm_content=linktoservice&amp;utm_term=180324\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/app.any.run\/tasks\/e8a05e7f-9fd4-4b4c-9fdb-791ef29f382e\/<\/a>&nbsp;<\/p>\n\n\n\n<p>SHA256 (unpacked sample): 476171DD2EB7F118D3E0AFF32B7264D261BA4C2D9FA6C14CCFF6D8D99B383DB4&nbsp;<\/p>\n\n\n\n<p>Unpacked sample: <a href=\"https:\/\/www.unpac.me\/results\/20720ac8-1f14-4c62-926a-e9990d5677e3#\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">https:\/\/www.unpac.me\/results\/20720ac8-1f14-4c62-926a-e9990d5677e3#\/<\/a>&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Configuration&nbsp;<\/h2>\n\n\n\n<p>You can access the configuration for AsukaStealer on the <a href=\"https:\/\/gist.github.com\/RussianPanda95\/c39a2954db693d50a097709228d22ee2\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">GitHub page<\/a>.&nbsp;<\/p>\n\n\n\n<p>YARA&nbsp;<\/p>\n\n\n\n<p>I have created a YARA rule to detect AsukaStealer. 
You can access it on the <a href=\"https:\/\/github.com\/RussianPanda95\/Yara-Rules\/blob\/main\/AsukaStealer\/mal_asuka_stealer.yar\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">GitHub page<\/a>.&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The following research was conducted by Anna Pham, also known as RussianPanda, a Senior Threat Intelligence researcher and a guest author for the ANY.RUN Blog. For more of her expert insights, follow her on Twitter\/X. Now, let&#8217;s get started with the analysis. On May 19, 2023, an individual known by the pseudonym &#8216;breakcore&#8217; announced that [&hellip;]<\/p>\n","protected":false},"author":6,"featured_media":7329,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8],"tags":[57,15,34,40],"class_list":["post-7288","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-malware-analysis","tag-anyrun","tag-malware","tag-malware-analysis","tag-malware-behavior"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v20.10 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>AsukaStealer: The Next Chapter in ObserverStealer&#039;s Story - ANY.RUN&#039;s Cybersecurity Blog<\/title>\n<meta name=\"description\" content=\"Discover a detailed technical analysis of the latest AsukaStaler malware and find out about the similarities it shares with ObserverStealer.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/any.run\/cybersecurity-blog\/asukastealer-malware-analysis\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Anna Pham\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"17 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/asukastealer-malware-analysis\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/asukastealer-malware-analysis\/\"},\"author\":{\"name\":\"Anna Pham\",\"@id\":\"https:\/\/any.run\/\"},\"headline\":\"AsukaStealer: The Next Chapter in ObserverStealer&#8217;s Story\",\"datePublished\":\"2024-03-18T08:30:33+00:00\",\"dateModified\":\"2024-03-18T08:32:02+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/asukastealer-malware-analysis\/\"},\"wordCount\":2481,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"keywords\":[\"ANYRUN\",\"malware\",\"malware analysis\",\"malware behavior\"],\"articleSection\":[\"Malware Analysis\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/asukastealer-malware-analysis\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/asukastealer-malware-analysis\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/asukastealer-malware-analysis\/\",\"name\":\"AsukaStealer: The Next Chapter in ObserverStealer's Story - ANY.RUN&#039;s Cybersecurity Blog\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/\"},\"datePublished\":\"2024-03-18T08:30:33+00:00\",\"dateModified\":\"2024-03-18T08:32:02+00:00\",\"description\":\"Discover a detailed technical analysis of the latest AsukaStaler malware and find out about the similarities it shares with 
ObserverStealer.\",\"breadcrumb\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/asukastealer-malware-analysis\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/asukastealer-malware-analysis\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/asukastealer-malware-analysis\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Malware Analysis\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/category\/malware-analysis\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"AsukaStealer: The Next Chapter in ObserverStealer&#8217;s Story\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN&#039;s Cybersecurity Blog\",\"description\":\"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.\",\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/any.run\/?s={search_term_string}\"},\"query-input\":\"required 
name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN\",\"url\":\"https:\/\/any.run\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"width\":1,\"height\":1,\"caption\":\"ANY.RUN\"},\"image\":{\"@id\":\"https:\/\/any.run\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/www.any.run\/\",\"https:\/\/twitter.com\/anyrun_app\",\"https:\/\/www.linkedin.com\/company\/30692044\",\"https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"Anna Pham\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/wyIBFRtO.jpg\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/03\/wyIBFRtO.jpg\",\"caption\":\"Anna Pham\"},\"description\":\"Senior Threat Intelligence researcher by day and malware enthusiast by night. Follow Anna on: LinkedIn. X. Read her blog at russianpanda.com.\",\"url\":\"#molongui-disabled-link\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->"}
