-
Notifications
You must be signed in to change notification settings - Fork 49
YARA Rule
shaddy43 edited this page Jul 16, 2026
·
2 revisions
A single YARA rule for identifying BrowserSnatch binaries on disk or in memory. It weights the hard-coded author/project/drop-file strings highly so that recompiled builds are still caught, while requiring combinations of the generic flag strings to keep false positives low.
rule BrowserSnatch_Stealer {
meta:
description = "Detects the BrowserSnatch browser data extraction tool"
author = "shaddy43"
date = "2026-07-15"
reference = "https://github.com/shaddy43/BrowserSnatch"
mitre_attack = "T1555.003"
severity = "Critical"
strings:
// High-fidelity author / project / drop-file markers
$h1 = "shaddy43" ascii wide
$h2 = "BrowserSnatch" ascii wide
$h3 = "NTUSER.dat" ascii wide
// Command-line flags
$s1 = "-greed" ascii wide
$s2 = "-app-bound-decryption" ascii wide
$s3 = "-recalibrate" ascii wide
$s4 = "-service" ascii wide
$s5 = "-cookies" ascii wide
$s6 = "-bookmarks" ascii wide
$s7 = "-history" ascii wide
$s8 = "-pass" ascii wide
// Snatch / stealer + browser store references
$g1 = "snatch" ascii wide nocase
$g2 = "stealer" ascii wide nocase
$b1 = "Login Data" ascii wide
$b2 = "Local State" ascii wide
$b3 = "logins.json" ascii wide
$b4 = "key4.db" ascii wide
condition:
uint16(0) == 0x5A4D and // PE file
filesize < 5MB and
(
$h2 or // "BrowserSnatch" alone is definitive
($h1 and $h3) or // author + Public NTUSER.dat drop marker
(3 of ($s*)) or // three or more tool flags
((1 of ($g*)) and (3 of ($s*))) or
((1 of ($g*)) and (2 of ($b*)) and (1 of ($h*)))
)
}-
PE gate + size:
uint16(0) == 0x5A4Dlimits matching to Windows PE files;< 5MBreflects the tool's small standalone footprint. Adjust the size ceiling if you expect packed/bundled variants. -
Memory scanning: the rule works with
yara -pprocess scanning or memory-forensics workflows (e.g., Volatilityyarascan); theascii widemodifiers cover both narrow and wide string storage. -
Tuning down false positives: if
snatch/stealercause noise in your corpus, drop$g*-only branches and rely on$h2,$h1 + $h3, or3 of ($s*). - Hash IOCs: deliberately omitted; open-source builds produce unstable hashes. Prefer these strings.
# Scan a directory of samples (lab only)
yara -r BrowserSnatch_Stealer.yar /path/to/samples/
# Scan a running process by PID (lab only)
yara -p 1234 BrowserSnatch_Stealer.yarContinue to → Hunting Queries
BrowserSnatch Detection Wiki · Community-maintained defensive resource · Source: shaddy43/BrowserSnatch · For authorized detection-engineering and threat-hunting use only.
Intelligence
Detection Rules
Operations