-
Notifications
You must be signed in to change notification settings - Fork 49
Indicators of Compromise
IOCs are grouped by fidelity. Tier 1 indicators are near-zero-false-positive and hard-coded into observed variants, prioritize these. Tier 2 are behavioral/contextual and best used in combination.
| Indicator | Type | Notes |
|---|---|---|
String shaddy43
|
Binary string / Task author | Author handle embedded in the binary and used as the Scheduled Task <Author>. Pivots across binary, memory, and persistence artifacts. |
String BrowserSnatch
|
Binary string | Project name; definitive on its own. |
String NTUSER.dat (as a write target) |
Binary string | A binary that writes NTUSER.dat (rather than only reading the user hive) is anomalous. |
File: C:\Users\Public\NTUSER.dat
|
Dropped file | A file named NTUSER.dat should never exist in C:\Users\Public\. Any create/write here is a strong single IOC (staging/marker — T1074.001). |
chrome.exe / msedge.exe / brave.exe that is unsigned or wrong-signed |
Masquerade copy | Self-copy into browser install paths using a legitimate browser filename (T1036.005). Detect via signature/hash mismatch and path anomalies. BrowserSnatch copies itself to the parent directory of these default browser paths |
Scheduled task with <Author>shaddy43</Author>
|
Persistence | Task created (sometimes later deleted). Author string is tool-specific (T1053.005). |
Signed-binary check. Legitimate
chrome.exe,msedge.exe, andbrave.exeare Authenticode-signed by Google LLC, Microsoft Corporation, and Brave Software, Inc. respectively. A process image with one of these names that is unsigned, self-signed, or signed by the wrong vendor, especially from a non-default path is high-confidence masquerading.
| Indicator | Value / pattern |
|---|---|
| Primary binary names |
BrowserSnatch.exe (x86), BrowserSnatch64.exe (x64) |
| Architecture | Windows PE x86 and x64 |
| Build markers | Visual Studio; ISO C++17; nlohmann/json linked |
| File size | Small standalone binary (typically < ~1 MB) |
| High-fidelity strings |
shaddy43, BrowserSnatch, NTUSER.dat
|
| Flag strings |
-pass, -cookies, -app-bound-decryption, -bookmarks, -history, -greed, -recalibrate, -service
|
| Other strings |
snatch, greed, stealer, browser names |
Access to these by a non-browser process is a strong signal (see Sigma 9.2):
| File | Family | Contains |
|---|---|---|
Login Data, Login Data For Account
|
Chromium | Encrypted saved passwords |
Cookies, Network\Cookies
|
Chromium | Encrypted cookies (incl. v20 app-bound) |
Local State |
Chromium | DPAPI-wrapped master encryption key |
History, Bookmarks
|
Chromium | History and bookmarks |
logins.json, key4.db
|
Gecko | Encrypted logins and NSS key database |
cookies.sqlite, places.sqlite
|
Gecko | Cookies, history, bookmarks |
| Artifact / path | Type | Notes |
|---|---|---|
C:\Users\Public\NTUSER.dat |
Dropped file | No legitimate use in this location: strong single IOC |
...\Program Files\...\chrome.exe...\Program Files\...\msedge.exe...\Program Files (x86)\...\brave.exe
|
Masquerade copy | Self-copy as a legit browser name; detect via signature/hash mismatch and path anomaly (copied in parent directory of real binary path) |
| Scheduled-task registration | Persistence | Task XML <Author>shaddy43</Author>; may be created then deleted |
| Consolidated stealer database | Output | Aggregated exfil-ready output (greed mode) |
| SQLite copies of browser stores in non-browser paths | Output | Duplicate of Login Data/Cookies outside the profile dir |
Base BrowserSnatch focuses on local extraction and does not ship a built-in C2 channel; exfiltration is typically operator-staged. If a weaponized variant exfiltrates, hunt for:
| Indicator | What to hunt |
|---|---|
| Outbound transfer post-snatch | HTTP/S or raw TCP from host shortly after stealer DB creation |
| Data volume matching stealer DB | Outbound size matching the consolidated DB / archive |
| New or DGA-like DNS queries | Queries to recently registered domains after execution |
| Webhook / paste-site callbacks | Common exfil endpoints used by info-stealer variants |
A structured list is provided for import into TIPs / detection pipelines:
# BrowserSnatch IOCs — defensive use only
strings:
high_fidelity: ["shaddy43", "BrowserSnatch", "NTUSER.dat"]
flags: ["-pass", "-cookies", "-app-bound-decryption", "-bookmarks",
"-history", "-greed", "-recalibrate", "-service"]
filenames:
binaries: ["BrowserSnatch.exe", "BrowserSnatch64.exe"]
masquerade: ["chrome.exe", "msedge.exe", "brave.exe"] # when unsigned / wrong signer
dropped_files:
- "C:\\Users\\Public\\NTUSER.dat"
accessed_stores:
- "Login Data"
- "Local State"
- "Cookies"
- "key4.db"
- "logins.json"
- "cookies.sqlite"
persistence:
scheduled_task_author: "shaddy43"
attack:
- T1555.003
- T1539
- T1552.001
- T1074.001
- T1036.005
- T1053.005
- T1041Note on hashes: because BrowserSnatch is open-source, compiled-binary hashes vary per build and are not reliable IOCs. Prioritize the string, path, persistence, and masquerade indicators above. If you have confirmed sample hashes from your own environment, add them via Contributing.
Continue to → Behavioral Detections
BrowserSnatch Detection Wiki · Community-maintained defensive resource · Source: shaddy43/BrowserSnatch · For authorized detection-engineering and threat-hunting use only.
Intelligence
Detection Rules
Operations