The report discusses the Astral Stealer v1.8, a sophisticated malware tool capable of stealing sensitive information from various platforms, including gaming accounts and cryptocurrency wallets. It employs advanced evasion techniques to avoid detection and maintain persistence on compromised systems. Affected: Steam, Roblox, Minecraft, Ethereum, MetaMask
Keypoints :
- Astral Stealer is coded in Python, C#, and JavaScript.
- It targets gaming accounts and cryptocurrency wallets.
- Employs anti-debugging and VM bypass techniques to avoid detection.
- Available publicly on GitHub, indicating collaborative development.
- Offers advanced features for an additional cost, including auto-changing emails and backup code viewing.
- Utilizes various methods for credential dumping and data exfiltration.
- Integrates multiple techniques for persistence and data collection.
- Developer has a history of creating similar malicious software.
MITRE Techniques :
- Credential Access (T1003): Credential Dumping.
- Credential Access (T1550.004): Steal Application Access Tokens.
- Credential Access (T1555.003): Credentials from Web Browsers.
- Execution (T1203): Execution through API.
- Discovery (T1018): Remote System Discovery.
- Defense Evasion (T1070): Indicator Removal on Host.
- Persistence (T1547.001): Registry Run Keys / Startup Folder.
- Collection (T1113): Screen Capture.
- Exfiltration (T1041): Exfiltration Over Command-and-Control Channel.
Indicator of Compromise :
- [file hash] efc7d1c751f012fba719f8e5e952046d7e5314d1fcb60344a19844a114b87c08 (Sha256) – Builder
- [file hash] 07ff2b577637c00eefaed7a6eb54f81fa5514680474b556e3ee683969c92ee47 (Sha256) – Stealer-Python
- [file hash] 9d2a557369a79c350bd35bf6b44d14fd69b3d247f7120be6c28694c786a82d35 (Sha256) – Stealer-exe
- Check the article for all found IoCs.
Full Research: https://www.cyfirma.com/research/astral-stealer-analysis/