Skip to content

Indicators of Compromise

shaddy43 edited this page Jul 16, 2026 · 2 revisions

Indicators of Compromise (IOCs)

IOCs are grouped by fidelity. Tier 1 indicators are near-zero-false-positive and hard-coded into observed variants, prioritize these. Tier 2 are behavioral/contextual and best used in combination.


Tier 1 — High-fidelity IOCs (prioritize)

Indicator Type Notes
String shaddy43 Binary string / Task author Author handle embedded in the binary and used as the Scheduled Task <Author>. Pivots across binary, memory, and persistence artifacts.
String BrowserSnatch Binary string Project name; definitive on its own.
String NTUSER.dat (as a write target) Binary string A binary that writes NTUSER.dat (rather than only reading the user hive) is anomalous.
File: C:\Users\Public\NTUSER.dat Dropped file A file named NTUSER.dat should never exist in C:\Users\Public\. Any create/write here is a strong single IOC (staging/marker — T1074.001).
chrome.exe / msedge.exe / brave.exe that is unsigned or wrong-signed Masquerade copy Self-copy into browser install paths using a legitimate browser filename (T1036.005). Detect via signature/hash mismatch and path anomalies. BrowserSnatch copies itself to the parent directory of these default browser paths
Scheduled task with <Author>shaddy43</Author> Persistence Task created (sometimes later deleted). Author string is tool-specific (T1053.005).

Signed-binary check. Legitimate chrome.exe, msedge.exe, and brave.exe are Authenticode-signed by Google LLC, Microsoft Corporation, and Brave Software, Inc. respectively. A process image with one of these names that is unsigned, self-signed, or signed by the wrong vendor, especially from a non-default path is high-confidence masquerading.


Executable artifacts

Indicator Value / pattern
Primary binary names BrowserSnatch.exe (x86), BrowserSnatch64.exe (x64)
Architecture Windows PE x86 and x64
Build markers Visual Studio; ISO C++17; nlohmann/json linked
File size Small standalone binary (typically < ~1 MB)
High-fidelity strings shaddy43, BrowserSnatch, NTUSER.dat
Flag strings -pass, -cookies, -app-bound-decryption, -bookmarks, -history, -greed, -recalibrate, -service
Other strings snatch, greed, stealer, browser names

Accessed / copied browser store files

Access to these by a non-browser process is a strong signal (see Sigma 9.2):

File Family Contains
Login Data, Login Data For Account Chromium Encrypted saved passwords
Cookies, Network\Cookies Chromium Encrypted cookies (incl. v20 app-bound)
Local State Chromium DPAPI-wrapped master encryption key
History, Bookmarks Chromium History and bookmarks
logins.json, key4.db Gecko Encrypted logins and NSS key database
cookies.sqlite, places.sqlite Gecko Cookies, history, bookmarks

Dropped & masquerade artifacts

Artifact / path Type Notes
C:\Users\Public\NTUSER.dat Dropped file No legitimate use in this location: strong single IOC
...\Program Files\...\chrome.exe
...\Program Files\...\msedge.exe
...\Program Files (x86)\...\brave.exe
Masquerade copy Self-copy as a legit browser name; detect via signature/hash mismatch and path anomaly (copied in parent directory of real binary path)
Scheduled-task registration Persistence Task XML <Author>shaddy43</Author>; may be created then deleted
Consolidated stealer database Output Aggregated exfil-ready output (greed mode)
SQLite copies of browser stores in non-browser paths Output Duplicate of Login Data/Cookies outside the profile dir

Network IOCs

Base BrowserSnatch focuses on local extraction and does not ship a built-in C2 channel; exfiltration is typically operator-staged. If a weaponized variant exfiltrates, hunt for:

Indicator What to hunt
Outbound transfer post-snatch HTTP/S or raw TCP from host shortly after stealer DB creation
Data volume matching stealer DB Outbound size matching the consolidated DB / archive
New or DGA-like DNS queries Queries to recently registered domains after execution
Webhook / paste-site callbacks Common exfil endpoints used by info-stealer variants

Machine-readable IOCs

A structured list is provided for import into TIPs / detection pipelines:

# BrowserSnatch IOCs — defensive use only
strings:
  high_fidelity: ["shaddy43", "BrowserSnatch", "NTUSER.dat"]
  flags: ["-pass", "-cookies", "-app-bound-decryption", "-bookmarks",
          "-history", "-greed", "-recalibrate", "-service"]
filenames:
  binaries: ["BrowserSnatch.exe", "BrowserSnatch64.exe"]
  masquerade: ["chrome.exe", "msedge.exe", "brave.exe"]   # when unsigned / wrong signer
dropped_files:
  - "C:\\Users\\Public\\NTUSER.dat"
accessed_stores:
  - "Login Data"
  - "Local State"
  - "Cookies"
  - "key4.db"
  - "logins.json"
  - "cookies.sqlite"
persistence:
  scheduled_task_author: "shaddy43"
attack:
  - T1555.003
  - T1539
  - T1552.001
  - T1074.001
  - T1036.005
  - T1053.005
  - T1041

Note on hashes: because BrowserSnatch is open-source, compiled-binary hashes vary per build and are not reliable IOCs. Prioritize the string, path, persistence, and masquerade indicators above. If you have confirmed sample hashes from your own environment, add them via Contributing.

Continue to → Behavioral Detections

Clone this wiki locally