Contents
- Background
- Technical Analysis
- Metadata
- First stager analysis
- Second stager analysis
- Features
- Conclusion
Background
Hello readers, I am a fresh grad and a newbie, and I have recently been trying to learn malware analysis, so I picked up a very simple stealer known as Braodo Stealer and tried to analyze it. It consists of two stages: in the first stage we analyze a batch script, and in the second stage we look at how the Python stealer collects data and sends it to a Telegram channel. It steals sensitive information such as passwords and cookies from Chrome, Opera and Microsoft Edge. I found the sample on Twitter; it was published by Yogesh Londhe.
Technical Analysis
In this phase, we will cover the technical analysis of the Braodo Stealer.
Metadata
SHA-256 : d90093eee7254776177bfd5833aee65cdf8980344d20f8366ab4ab5879b69549
File-Name : Number of people and time for this vacation.bat
SHA-256 : 641f2db9e9fb8255337672fb8da9226225fa8e393b651c7c7ebbb5b555d4b755
File-Name : sim.py
First stager analysis
After downloading the sample we found that the first stager is a malicious batch script. Let us now look into the script and analyze it.

The batch script is padded with garbage code as obfuscation. Once the garbage is removed, the actual script simply spawns PowerShell with a handful of arguments.

After cleaning, we can see that the first PowerShell command downloads the file update1.bat and saves it into the Startup folder. At first it was not obvious why a batch script would be stored there; it turns out that this is the persistence mechanism: anything in the Startup folder is executed at every user logon, and this script uses that to run the Python file each time.

The second command downloads a ZIP archive, 145.zip, and saves it to the Public folder under the name Document.zip.

The third PowerShell command extracts the ZIP archive into the Document folder.

The last PowerShell command runs the sim.py file using the Python executable.
Now that we know a file named sim.py is being run, we extract it from the ZIP and look into the malicious second stager.
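As an added example (not code from the Braodo sample or from this write-up), here is a small triage check for the persistence trick just described: it looks through Startup-folder entries for batch files that launch a script interpreter on a file staged elsewhere, such as under the Public folder. The scan works on an in-memory mapping of path to content so it can be tested offline; load_startup_entries() fills that mapping from the real per-user and all-users Startup folders on a Windows host. The sample batch contents are constructed, and the sim.py path under C:\Users\Public\Document is assumed from the description above rather than taken from the sample.

```python
"""Triage check: batch files in a Startup folder that launch an interpreter on a
script staged elsewhere (the update1.bat -> python sim.py pattern described above).
Added example for this write-up, not code from the Braodo sample."""
from __future__ import annotations

import os
import re
from dataclasses import dataclass

SCRIPT_EXTS = (".bat", ".cmd")
# interpreters worth flagging when invoked from a Startup batch file
INTERPRETER_RE = re.compile(
    r"(?i)\b(python(?:w)?(?:\.exe)?|powershell(?:\.exe)?|pwsh|wscript|cscript|mshta)\b"
)
# a quoted or bare argument that ends in a script extension
SCRIPT_ARG_RE = re.compile(r'(?i)"([^"]+\.(?:py|ps1|vbs|js|hta))"|(\S+\.(?:py|ps1|vbs|js|hta))')
# locations any user can write to; a script launched from here at logon is suspicious
WORLD_WRITABLE_HINTS = ("\\users\\public\\", "\\temp\\", "%public%", "%temp%")


@dataclass
class Finding:
    startup_file: str
    interpreter: str
    script_path: str
    staged_in_public: bool


def scan_startup_entries(entries: dict[str, str]) -> list[Finding]:
    """Return one Finding per interpreter invocation found in .bat/.cmd entries."""
    findings: list[Finding] = []
    for path, content in entries.items():
        if not path.lower().endswith(SCRIPT_EXTS):
            continue
        for line in content.splitlines():
            stripped = line.strip()
            if not stripped or stripped.lower().startswith(("rem ", "::")):
                continue  # skip comments; padded droppers are full of such junk lines
            interp = INTERPRETER_RE.search(stripped)
            if not interp:
                continue
            m = SCRIPT_ARG_RE.search(stripped)
            script = (m.group(1) or m.group(2)) if m else "<no script argument>"
            staged = any(hint in script.lower() for hint in WORLD_WRITABLE_HINTS)
            findings.append(Finding(path, interp.group(1).lower(), script, staged))
    return findings


def load_startup_entries() -> dict[str, str]:
    """Windows only: read every file in the per-user and all-users Startup folders."""
    roots = [
        os.path.join(os.environ.get("APPDATA", ""), r"Microsoft\Windows\Start Menu\Programs\Startup"),
        os.path.join(os.environ.get("PROGRAMDATA", ""), r"Microsoft\Windows\Start Menu\Programs\StartUp"),
    ]
    entries: dict[str, str] = {}
    for root in roots:
        if not os.path.isdir(root):
            continue
        for name in os.listdir(root):
            full = os.path.join(root, name)
            if os.path.isfile(full):
                with open(full, encoding="utf-8", errors="replace") as fh:
                    entries[full] = fh.read()
    return entries


# Constructed fixture mirroring the behaviour described in the write-up; the exact
# command line and the python.exe location are assumptions, not taken from the sample.
SAMPLE_ENTRIES = {
    r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update1.bat":
        "@echo off\r\n"
        "rem harmless-looking comment\r\n"
        'start "" python "C:\\Users\\Public\\Document\\sim.py"\r\n',
    r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini":
        "[.ShellClassInfo]\r\n",
}

if __name__ == "__main__":
    entries = load_startup_entries() if os.name == "nt" else SAMPLE_ENTRIES
    for f in scan_startup_entries(entries):
        flag = "PUBLIC-STAGED" if f.staged_in_public else "review"
        print(f"[{flag}] {f.startup_file} -> {f.interpreter} {f.script_path}")
```

On a real host, run it as the affected user so the per-user Startup folder resolves; the all-users folder under ProgramData is covered as well. A hit that points at a script under Public or Temp is worth pulling the referenced file for, since that is exactly where this stager stages Document.zip.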
Second stager analysis

The Python stealer targets several browsers for credential theft and uses a Telegram bot to exfiltrate the stolen credentials. Let us check out its key functions.
Chrome Credentials Stealing

The stealer targets Chrome by first creating a folder named Chrome, then copying the sensitive files Local State, Cookies and Login Data into it and passing them to a function named encrypt (despite its name, the function decrypts the data). Let us check how the encrypt function works.



The encrypt function first loads the Local State file, which is JSON, with json.load, and base64-decodes the key stored in the encrypted_key element (under os_crypt). The decoded blob begins with the literal bytes DPAPI, which must be stripped before the rest is decrypted with the CryptUnprotectData API; the result is the browser's 32-byte AES-256-GCM master key, which protects the values prefixed with v10 in the Cookies and Login Data databases. Because DPAPI is bound to the logged-on user, this step only works on the victim's own account, which is why the stealer decrypts on the host rather than shipping the raw files. The function saves the decrypted key to a file named master_key.txt, then opens the copied Cookies SQLite database, collects the cookies for Facebook and writes them to a file for exfiltration.
Firefox Credentials Stealing

The stealer enumerates all Firefox profiles, copies the sensitive files cookies.sqlite, key4.db and logins.json, and hands them to the same function as above. Note that Firefox does not use the Chromium Local State scheme: logins.json is protected with a key held in key4.db (NSS), so the Chromium decryption path described above cannot decrypt these files by itself.
Edge Credentials Stealing

The stealer enumerates all Microsoft Edge profiles, copies Cookies, Login Data, Web Data and Local State into a directory named Edge, and passes them on for decryption in the same way.
Other Browsers



Similarly, the stealer also targets Opera, Brave and Chromium: for each it creates a dedicated folder, copies the sensitive files, decrypts them with the same routine and saves the output for exfiltration.
Miscellaneous



Once it has finished collecting, the stealer packs everything into a ZIP file and exfiltrates it through a Telegram bot, tagging the upload with the victim's country, city and state along with the user name and Windows version for identification.
Features
- Browser cookie stealing.
- Browser password stealing.
- Task enumeration.
- Telegram-based exfiltration.
Conclusion
Thank you, reader, for reading my blog. I have just started my journey with malware analysis, so if you find something wrong please feel free to reach out to me. Thank you once again for reading.