Cyble-Temp-Stealer

Infostealer Distributed Using Bundled Installer

New Temp Stealer Spreading Via Free & Cracked Software

While monitoring the Dark web for emerging threats, our researcher at Cyble Research and Intelligence Labs (CRIL) found a post where Threat Actors (TAs) advertising a project named “Temp” and selling a loader and stealer. The TA named them Temp Loader and Temp Stealer, respectively.

The Temp Loader is developed for deploying additional malicious files into the victim system. The Temp Stealer is information stealer malware that can exfiltrate crypto wallets, system information, browser data, and other important system & software information and then send it to the attacker’s remote server.

After searching for the impact of the loader and information stealer on the surface web, we identified multiple active instances of the Temp Stealer in the wild.

The stealer is disguised as cracks, keygens and can also be bundled with other software. The malware developer posted about the capabilities of the stealer and loader in the Dark Web. The figure below shows the post for Temp Loader.

Figure 1 – Temp Loader post on the Dark Web Forum

English translation of the Temp Loader post is as follows:

Description:

Native stub without dependencies written in C++
Runs even on a clean computer!
Built-in Anti-VM
Ability to add Fake Error (and its customization)
Ability to use RunPE
You can add any number of links

Price

15$ (900 rub) – 1 Month

49$ (3000 rub) – Lifetime

Malware developers also posted about Temp Stealer and its capabilities. The figure below shows the post for Temp Stealer.

Figure 2 – Temp Stealer post on the Dark Web Forum

The English translation of the post by malware authors is mentioned below:

Description:

Collection of more than 40 types of crypto wallets.

Recursive search for browsers (even finds custom browsers or browsers with a changed folder name). Collecting information about the PC (IP, Country, City, Zipcode, Timezone, Ram, Processor, GPU, Screenshot).

The stub is written in C++ (native).

Log collection in memory.

Quick build through the bot.

Collection of Telegram, Steam, and FTP sessions.

Collection of Cookies, Autofills, and Passes.

Multifunctional Telegram bot.

Price:

7 days – 5$

30 days – 15$

(lolz +7%, qiwi, crypto)

According to the malware, developers post that the stealer can collect more than forty crypto wallets, search for custom browsers to steal data, steal system information, and track the victim’s geolocation. Additionally, the stealer collects information related to Telegram, Steam, FTP Session, Cookies, Autofill, Passwords, and works as a Telegram bot.

Initial Infection and Persistence:

As per our analysis, the stealer is masquerading using the following names, indicating that this stealer targets users who are interested in downloading free and cracked software.

  • azclean3_setup.exe
  • CheatLoader.exe
  • Shadow Fiend Game.exe
  • RainbowCrackV4.8.exe
  • spoofer.exe

It’s also observed that the stealer is bundled with other software installers. One example shows that Temp Stealer targets Adobe Photoshop users by bundling the malicious stealer into the Topaz Clean stylization tool installer, which installs a plugin for Adobe Photoshop Software.

The TAs usually upload this Malicious bundled software to a site that provides services to users for downloading various free and Cracked software. The user interested in this software will be redirected to these websites using Google SEO and download the file.

The initial infection initiates when user clicks on the installer that has Temp Stealer bundled to it. The below Figure shows the Topaz Clean installer installation wizard.

Figure 3 – Installation Wizard of Topaz Clean

The installer drops Temp Stealer in the %temp% location, as shown in the below figure.

Figure 4 – Installer Drops Temp Stealer in the Users Machine

After dropping the stealer, the installer then creates an autorun registry entry for Temp Stealer; the figure below shows the registry entry created by the installer for stealer persistence.

Figure 5 – Autorun Registry Entry for Temp Stealer

Technical Details of Temp Stealer

The Malicious Topaz Clean installer file dropped Temp Stealer with file hash: “SHA256:d5889aac10527ddc7d4b03407a8933a84a1ea0550f61d442493d4f3237203e3c”. The file is a 64-bit GUI executable compiled using Microsoft Visual C/C++. The figure below shows the static file details. The TimeDateStamp indicates that the malware was compiled recently.

Figure 6 – Temp Stealer File Details

After execution, the malware tries to connect to an embedded IP 79[.]137[.]199[.]73. After connecting to the mentioned IP, the stealer then checks for the wallets in the system to steal the file related to the corresponding wallets. The Stealer targets the following crypto wallets in the Victims machine.

Exodus Web WalletBitAppWalletBinanceChain
BraveWalletEqualWalletiWallet
MathWalletNiftyWalletWombat
Coin98WalletPhantomXDCPay
BitAppGuildWalletICONex
OxygenYoroiWalletGuardaWallet
JaxxLibertyAtomicWalletSaturnWallet
RoninWalletTerraStationHarmonyWallet
TonCrystalKardiaChainPaliWallet
LiqualityWalletXdefiWalletNamiWallet
MaiarDeFiWalletAuthenticatorTempleWallet

Also, the stealer steals data from the following crypto wallets, which are hard coded in the stealer binary.

ExodusAholpfdialjgjfhomihkjbmgjidlcdno
BitApp WalletFihkakfobkmkjojpchpfgcmhfjnmnfpi
BinanceChainFhbohimaelbohpjbbldcngcnapndodjp
Brave walletOdbfpeeihdkbihmopkbjmoonfanlbfcl
Coinbase WalletHnfanknocfeofbddgcijnmhnfnkdnaad
EQUAL Walletblnieiiffboillknjnepogjhkgnoapac
iWalletkncchdigobghenbbaddojjnnaogfppfj
Math Walletafbcbjpbpfadlkmhmclhkeeodmamcflc
MetaMaskNkbihfbeogaeaoehlefnkodbefgpgknn
Nifty WalletJbdaocneiiinmjbjlgalhcelgbejmnid
TronLinkIbnejdfjmmkpcnlpebklmnkoeoihofec
Wombatamkmjjmmflddogmhpjloimipbofnfjih
Coin98aeachknmefphepccionboohckonoeemg
Phantombfnaelmomeimhlpmgjnjophhpkkoljpa
MOBOX Walletfcckkdbjnoikooededlapcalpionmalo
XDCPaybocpokimicclpaiekenaeelehdjllofo
GuildWalletnanjmdknhkinifnkgdcggcfnhdaammmj
ICONexflpiciilemghbmfalicajoolhkkenfel
Copaycnidaodnidkbaplmghlelgikaiejfhja
Oxygenfhilaheimglignddkjgofkcbgekhenbh
Yoriffnbelfdoeiohenkjibnmadjiehjhajb
Guardahpglfhgfnhbgpjdenjgmdgoeiappafln
Jaxx Libertycjelfplplebdjjenllpjcblmjkfcffne
MEW CXnlbmnnijcnlegkjjpcfjclmcfggfefdm
Saturn Walletnkddgncdjgjfcddamfgcmfnlhccnimig
Ronin Walletfnjhmkhhmkbjkkabndcnnogagogbneec
Terra Stationaiifbnbfobpmeekipheeijimdpnlpgpp
Harmony ONEfnnegphlobjdpkhecapkijjdkgcjhkib
EVER Walletcgeeodpfagjceefieflmdfphplkenlfk
KardiaChain Walletpdadjkfkgcafgbceimcpbkalnfnepbnk
Pali Walletmgffkfbidihjpoaomajlbgchddlicgpn
BOLT Xaodkkagnadcbobfpggfnjeongemjbjca
Liquality Walletkpfopkelmapcoipemfendmdcghnegimn
XDEFI Wallethmeobnfnfcmdkdcmlblgagmfpfboieaf
Namilpfcbjknijpeeillifnkikgncikgfhdo
Maiar DeFi Walletdngmlblcodfobpdpecaadgfbcggfjfnm
Authenticatorbhghoamapcdpbohphigoooaddinpkbai

The stealer also steals cookies, usernames, passwords, autofills, history from the Chromium and Firefox-based browsers. The Temp Stealer recursively searches for all installed browsers and steals sensitive information from them. The below image shows the code that steals browser data.

Figure 7 – Stealer Routine to get Browser Data

The stealer then checks for steam application in the system by checking registry entry HKLM\\Software\\Classes\\steam\\Shell\\Open\\Command. If the registry entry exists, then the stealer looks for Steam Sentry File (SNF) and Config file to steal data which includes player profiles, passwords, etc. The figure below shows the pseudocode of the stealer checking for steam registry key.

Figure 8 – Stealer Checking for Steam Application

After collecting steam data, the stealer checks for the Telegram application and steals Telegram’s data from the victim’s system. First, the stealer checks If Telegram is installed in the machine by checking the registry- HKU\\Software\\Classes\\tdesktop.tg\\shell\\open\\command. If the registry entry is present, then the stealer identifies the installation folder of Telegram and then checks for tdata and working folder, which contains Telegram session data, messages, images, etc. The figure below shows that Stealer is looking for Telegram artifacts.

Figure 9 – Stealer Checking Telegram Application in the Victims machine

The stealer takes a screenshot of the current Windows and saves it for exfiltration. The Code snippet in the figure below shows the routine to capture the screenshot.

Figure 10 – Routine to Capture the Screenshot

After taking a screenshot, the stealer gets the geolocation details by calling the URL hxxp://ip-api.com/xml/, which response with details in XML format. The stealer then parses the XML and gets the geolocation details of the victim. The figure below shows the routine to get the geolocation details.

Figure 11 – Stealer Checking for the Geolocation of Victim

The stealer then extracts the IP address, Country, City, Zip code, and Timezone details, as shown in the figure below.

Figure 12 – Stealer extracting the Geolocation Details

The Stealer also collects details of RAM, Processor, and GPU from the victim’s system, as shown in the figure below.

Figure 13 – Stealer Getting System Information from Victim System

The stealer steals the \\FileZilla\\recentservers.xml file from the victim system, which contains session information of the FileZilla FTP client. The figure below shows the routine to get the FileZilla session file.

Figure 14 – Stealer Stealing FileZilla Session File

Stealer then looks for discord token files and steals them; the figure below shows the location of the discord token files.

Figure 15 – Stealer Checking for Discord Token File

After getting all the above information, the stealer then sends the data to the attacker’s remote server. The figure below shows the routine to send stolen information to a remote server.

Figure 16 – Stealer Sending Stolen Data to Remote Server

The Temp stealer identified to be sending the stolen information to IPs 79[.]137[.]199[.]73, 157[.]90[.]126[.]84, which are hosted in Europe. The below figure shows the information of the IPs.

Figure 17 – Information of the IPs (Source -ipinfo.io)

Conclusion

Bundling malware in the software tools is quite common among attackers. Now we are observing the rise of the stealers bundled into the software and utility tools to target potential victims globally. The temp stealer not only targets Crypto wallets but also steals data from Discord, Steam, and Telegram applications. The malware authors are continuously creating new stealers as there is a rise in digital transactions and cryptocurrency usage. The increasing use of digital currency incentivizes cyber criminals to steal funds from cryptocurrency users. This stolen data could then be used to commit financial fraud and other attacks.

Our Recommendations

  • Avoid downloading pirated software from Warez/Torrent websites. The “Hack Tool” present on sites such as YouTube, Torrent sites, etc., contains such malware.
  • Use strong passwords and enforce multi-factor authentication wherever possible.
  • Turn on the automatic software update feature on your computer, mobile, and other connected devices.
  • Use a reputed anti-virus and internet security software package on your connected devices, including PC, laptop, and mobile.
  • Refrain from opening untrusted links and Email attachments without first verifying their authenticity.
  • Educate employees in terms of protecting themselves from threats like phishing’s/untrusted URLs.
  • Block URLs that could be used to spread the malware, e.g., Torrent/Warez.
  • Monitor the beacon on the network level to block data exfiltration by malware or TAs.
  • Enable Data Loss Prevention (DLP) Solutions on the employees’ systems.

MITRE ATT&CK® Techniques

TacticTechnique IDTechnique Name
​Credential AccessT1555
T1528
T1539
​Credentials from Password Stores Steal Application Access Token Steal Web Session Cookie
DiscoveryT1087
T1083
Account Discovery File and Directory Discovery
CollectionT1213
T1005
T1113
Data from Information Repositories Data from Local System Screen Capture
Command and ControlT1071Application Layer Protocol
ExfiltrationT1041Exfiltration Over C2 Channel

Indicators of Compromise

IndicatorsIndicator
Type
Description
49aefb24f729dbd71cef9cb382692ca6 f025735b2dfffe4ae43c5154881a3f7fcd9f32ea d5889aac10527ddc7d4b03407a8933a84a1ea0550f61d442493d4f3237203e3cMD5
SHA1
Sha256
Temp Stealer Executable
bc6bb3430654d410bd9e40292bf32d77 8b54d67c889e9f13f232cd9b4d72253f9e5af99a 38b387b09dee7eefddcf164239be0bda1fb15285aea27e3f5b1008c7c727929aMD5
SHA1
Sha256
Temp Stealer Executable
47dbbc7793152a8cb36cde2da0529684 16dc7205c3931c0f873c8b2e236742720d1e3a55 8619435c6dc202f45919fafdc7538d46220f42cadefccdba2cf094eccb09e436MD5
SHA1
Sha256
Temp Stealer Executable
9335349810042820689b6d558dff50c1 e98cd5d2e3351d20f348fc983f9e679450c33181 54d6c6372fd8bfb52431986be148d41b021376770ef13a3baf70912488dd3863MD5
SHA1
Sha256
Temp Stealer Executable
ad14fb5c857053d9bdebc4c63ba0a57d 2322090e024942fad77e0250e8cbc7e691663993 3c0856becfc32d59dc0503adb58d111ae56a1625ee99bdef4bcc5907f91dc69fMD5
SHA1
Sha256
Temp Stealer Executable
3c9df1d7f4835810fad268435699f1a7 05e0fc8c5cd5da82e94316afe82e8408fab03974 7b9830bfdd87e47b4e6995b3e88640eb690bdef7642c74775e1f3ab89e71d5ceMD5
SHA1
Sha256
Temp Stealer Executable
c84a51c0e598563ff4c5b2e494da0152 9f345c4e7f192380f7b2d098436a392ecf97ff73 f7cd47dc867e19dfdc37a0e6c59f6993155d4ad03f9b06292f6cd21515a8c234MD5
SHA1
Sha256
Temp Stealer Executable
dfbb9e4a30a266ea453637ddfe370e14 ddb20679f08d94e84c5e64d5f2fa00f105ad8204 f642d7450c597b067ad47ee5220c8c028f0c28b4473093028e3371b450fad9e0MD5
SHA1
Sha256
Temp Stealer Executable
4da571eb595d83a4f3ffe3e0047efd8a 063d687a6a88804000162deeb00244d22cfe3228 6330b32586d7b1f4c09193cff1118aa6e33fbe2fcbf174264fe5793e45f20748MD5
SHA1
Sha256
Temp Stealer Executable
51a4b9154b05dde9c7e14831fc54c6b3 8db134b83a65293dd675c52de2996e1c618b07ef 55d86d705daefee9c692cd742d83ec670b976261d0c2e28ccb4933d4f6483182MD5
SHA1
Sha256
Temp Stealer Executable
42febc30a814484455ee8f31ee2f2d88 b71332d1aacc1907cdaeaad0cc987621c893f8e7 30a62745d4c135ee3bec73a1d4903cb42add1b2d846c16e65e73ffca41386cf2MD5
SHA1
Sha256
Temp Stealer Executable
72f5de4a2f52c098ba5520ebaa022290 196b144cd138ab958ea0c2b5eb1a641d9936abce 3dcaa05c859118dc53752f74df59f74c05e7919bd0df635584c74dc8077d11c1MD5
SHA1
Sha256
Temp Stealer Executable
18a5458b38dc20ecc4f9c9e50d369563 7187a067b664692344a61eadaf1cd47f580add61 bd95a70300f8cc5bcc0f8d7bdcd269234eff52fa79ecd97c150e58b923b4c51aMD5
SHA1
Sha256
Temp Stealer Executable
2996f780af9b3fdb28971e887ff8436a 294dd0574cc6b953c0bebc1c15b725321073aa82 54f4df7424b205b9931b87bf4b5e5635374165e1ed298642034f2fcc44a7ff70MD5
SHA1
Sha256
Temp Stealer Executable
1f7a139d3c23ded0904a845b7a2db053 39431e960dae6140e4603bddb890de58370b920e b8ad6a975cec6279208fd7b5073107eefbbfd7ebdb2f674e7bd0578b18484eeeMD5
SHA1 Sha256
Temp Stealer Executable
79[.]137[.]199[.]73IPCommunicating IP
157[.]90[.]126[.]84IPCommunicating IP
Scroll to Top