Skip to content

YARA Rule

shaddy43 edited this page Jul 16, 2026 · 2 revisions

YARA Rule

A single YARA rule for identifying BrowserSnatch binaries on disk or in memory. It weights the hard-coded author/project/drop-file strings highly so that recompiled builds are still caught, while requiring combinations of the generic flag strings to keep false positives low.

rule BrowserSnatch_Stealer {
    meta:
        description = "Detects the BrowserSnatch browser data extraction tool"
        author      = "shaddy43"
        date        = "2026-07-15"
        reference   = "https://github.com/shaddy43/BrowserSnatch"
        mitre_attack = "T1555.003"
        severity    = "Critical"
    strings:
        // High-fidelity author / project / drop-file markers
        $h1 = "shaddy43" ascii wide
        $h2 = "BrowserSnatch" ascii wide
        $h3 = "NTUSER.dat" ascii wide
        // Command-line flags
        $s1 = "-greed" ascii wide
        $s2 = "-app-bound-decryption" ascii wide
        $s3 = "-recalibrate" ascii wide
        $s4 = "-service" ascii wide
        $s5 = "-cookies" ascii wide
        $s6 = "-bookmarks" ascii wide
        $s7 = "-history" ascii wide
        $s8 = "-pass" ascii wide
        // Snatch / stealer + browser store references
        $g1 = "snatch" ascii wide nocase
        $g2 = "stealer" ascii wide nocase
        $b1 = "Login Data" ascii wide
        $b2 = "Local State" ascii wide
        $b3 = "logins.json" ascii wide
        $b4 = "key4.db" ascii wide
    condition:
        uint16(0) == 0x5A4D and      // PE file
        filesize < 5MB and
        (
            $h2 or                    // "BrowserSnatch" alone is definitive
            ($h1 and $h3) or          // author + Public NTUSER.dat drop marker
            (3 of ($s*)) or           // three or more tool flags
            ((1 of ($g*)) and (3 of ($s*))) or
            ((1 of ($g*)) and (2 of ($b*)) and (1 of ($h*)))
        )
}

Notes

  • PE gate + size: uint16(0) == 0x5A4D limits matching to Windows PE files; < 5MB reflects the tool's small standalone footprint. Adjust the size ceiling if you expect packed/bundled variants.
  • Memory scanning: the rule works with yara -p process scanning or memory-forensics workflows (e.g., Volatility yarascan); the ascii wide modifiers cover both narrow and wide string storage.
  • Tuning down false positives: if snatch/stealer cause noise in your corpus, drop $g*-only branches and rely on $h2, $h1 + $h3, or 3 of ($s*).
  • Hash IOCs: deliberately omitted; open-source builds produce unstable hashes. Prefer these strings.

Testing the rule

# Scan a directory of samples (lab only)
yara -r BrowserSnatch_Stealer.yar /path/to/samples/

# Scan a running process by PID (lab only)
yara -p 1234 BrowserSnatch_Stealer.yar

Continue to → Hunting Queries

Clone this wiki locally