AsukaStealer: The Next Chapter in ObserverStealer’s Story – ANY.RUN’s Cybersecurity Blog

AsukaStealer is a C++ information stealer that collects system details, browser credentials, screenshots, and targeted files before exfiltrating them to a C2 server using HTTP GET/POST calls with custom headers. The malware uses XOR/base64 obfuscation for C2 addresses, leverages Windows APIs (e.g., GetCurrentHwProfileA, URLOpenBlockingStreamW, CryptUnprotectData), and shifts decryption/processing to the server compared to its predecessor. #AsukaStealer #ObserverStealer

Keypoints

  • AsukaStealer is a ~440KB C++ stealer advertised for sale and linked to the prior ObserverStealer actor.
  • The binary embeds base64/hex values and protects C2 addresses with XOR; keys change per build.
  • It gathers HWID and extensive system info via Windows APIs and stores them in SystemInfo.txt before exfiltration.
  • The stealer enumerates processes (CreateToolhelp32Snapshot/Process32FirstW) and searches configured folders (e.g., /tdata/, /maFiles/) for target files like Steam, Telegram, and Steam Desktop Authenticator data.
  • Browser secrets are harvested (cookies, Login Data, Local State) — Chrome master key is Base64-decoded and decrypted via CryptUnprotectData and then sent to the C2 for server-side decryption.
  • Screenshots are captured (GetDC/CreateCompatibleBitmap/GDI+) and saved as PNG using a specific encoder CLSID, then uploaded to C2 with custom X-Config headers.
  • Unlike ObserverStealer, AsukaStealer avoids downloading DLL dependencies (e.g., nss3.dll) and performs parsing/decryption on the server to reduce footprint.

MITRE Techniques

  • [T1082] System Information Discovery – Collects hardware/profile and OS details using GetCurrentHwProfileA, GetNativeSystemInfo, GetUserNameW, EnumDisplayDevicesW. [‘AsukaStealer uses GetCurrentHwProfileA function to obtain information about the hardware profile of the machine.’]
  • [T1012] Query Registry – Reads registry keys to get OS product name and installed applications from SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName and SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall. [‘the stealer accesses the registry value at SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName’ and ‘probes the registry path SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall’]
  • [T1057] Process Discovery – Enumerates running processes with CreateToolhelp32Snapshot and Process32FirstW to detect targets like Telegram.exe and steam.exe. [‘invoking CreateToolhelp32Snapshot to capture a snapshot of all running processes, subsequently iterating… with Process32FirstW.’]
  • [T1083] File and Directory Discovery – Searches target folders (e.g., /tdata/, /maFiles/, global /) using configured regex patterns to locate files to exfiltrate. [‘For Telegram.exe, within the /tdata/ directory, it looks for…’; ‘For Steam Desktop Authenticator, it searches for any files within the /files/ directory’]
  • [T1113] Screen Capture – Captures screenshots via GDI APIs (GetDC, CreateCompatibleDC, CreateCompatibleBitmap) and saves images as PNG using encoder CLSID. [‘captures the infected machine’s screenshot using API functions such as GetDC, CreateCompatibleDC, GetDeviceCaps, CreateCompatibleBitmap…’]
  • [T1071.001] Application Layer Protocol: Web Protocols – Communicates with C2 using URLOpenBlockingStreamW and HTTP GET/POST requests to retrieve X-Session ID, configuration, and to upload logs/files. [‘the machine retrieves the X-Session ID from the server using URLOpenBlockingStreamW API… GET request format “/s?id=X-ID”’]
  • [T1041] Exfiltration Over C2 Channel – Sends HWID, system information, screenshots, browser master keys, login data, cookies and other collected files to the C2 via HTTP POST with custom headers (X-Config/X-Info). [‘The system information and list of installed applications are then sent over to C2’ and ‘the infected machine sends out the POST request with HWID information with “HWID” appended to the X-Config custom header.’]
  • [T1027] Obfuscated Files or Information – Stores C2 addresses and configuration as base64/hex and uses XOR encryption for C2 addresses to hinder analysis. [‘AsukaStealer implements XOR encryption for C2 addresses… “WRBCFgwZHQZIAVcWAwMbUQEOBVRTBA==” is the encrypted C2 address.’]
  • [T1555.003] Credentials from Password Stores: Browser – Extracts browser files (Local State, Login Data, Cookies) and decodes/decrypts Chrome’s encrypted_key via Base64 and CryptUnprotectData to retrieve the master key for password/cookie decryption. [‘The extracted key is then Base64-decoded and decrypted via CryptUnprotectData function.’]

Indicators of Compromise

  • [SHA256] Samples – 0E5470A33FD87B813ECF72370F9E1F491515C12F41C8EA3C7BBC169AC56ACDA5, 476171DD2EB7F118D3E0AFF32B7264D261BA4C2D9FA6C14CCFF6D8D99B383DB4
  • [MD5] Sample – 32583272b5b5bd95e770661438b41daf (MD5 referenced for analyzed AsukaStealer build)
  • [URLs / Task links] Analysis & sample hosts – https://app.any.run/tasks/8b1ee45a-87de-4fc5-a755-84546a974a44/, https://app.any.run/tasks/e8a05e7f-9fd4-4b4c-9fdb-791ef29f382e/ (sample analysis pages)
  • [File names] Targeted browser and app artifacts – cookies.sqlite, logins.json, cert9.db, key4.db, Login Data, SystemInfo.txt
  • [Registry paths] Data sources – SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName (OS name), SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall (installed applications)
  • [Configuration / GitHub] Public config and detection rules – https://gist.github.com/RussianPanda95/c39a2954db693d50a097709228d22ee2 (config), https://github.com/RussianPanda95/Yara-Rules/blob/main/AsukaStealer/mal_asuka_stealer.yar (YARA)

AsukaStealer is a compact C++ stealer that collects hardware identifiers, OS/user/display/locale info, installed applications (by reading the Uninstall registry key), and active process listings via CreateToolhelp32Snapshot/Process32FirstW. It locates target application data using configurable regex patterns (examples: /tdata/ for Telegram, /maFiles/ for Steam Desktop Authenticator, global searches for ssfn* and Steam .vdf files), compiles these artifacts into a SystemInfo.txt and related payloads, and takes screenshots via GDI APIs saved as PNG using the encoder CLSID.

Network interaction is HTTP-based: the sample retrieves an X-Session ID and configuration via URLOpenBlockingStreamW GET calls (e.g., “/s?id=X-ID” and “/?id=X-ID”), then uploads HWID, system info, screenshots, browser master keys, Login Data, Cookies and other files using POST requests with custom X-Config/X-Info headers. C2 addresses are stored obfuscated (base64/hex) and protected with XOR keys that vary per build; collected browser keys are Base64-decoded and decrypted locally with CryptUnprotectData before sending the master key (labeled like “Google_KEY”) to the server for remote decryption of credentials.
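The GET-then-POST sequence above is the most visible network artefact for a detection engineer. The following script is an added example, not code from the article or from ANY.RUN: it runs the pattern over constructed proxy-log lines (the log format, host 203.0.113.10 and header values are assumptions) and flags hosts that received both the "/s?id=" or "/?id=" GET and a POST carrying X-Config/X-Info headers.

```python
import re
from dataclasses import dataclass

# Constructed proxy-log lines (METHOD PATH host=... header=value ...); the shape
# follows the article's description, it is not captured AsukaStealer traffic.
SAMPLE_LOG = """\
GET /s?id=3f2a9c host=203.0.113.10
GET /?id=3f2a9c host=203.0.113.10
POST / host=203.0.113.10 X-Config=HWID X-Info=9A1B-C2D3
POST / host=203.0.113.10 X-Config=Google_KEY
GET /index.html host=example.org
POST /api/login host=example.org Content-Type=application/json
"""

# "/s?id=X-ID" fetches the X-Session ID, "/?id=X-ID" fetches the configuration.
SESSION_GET = re.compile(r"^GET /(s)?\?id=([\w-]+)")
CUSTOM_HDR = re.compile(r"\bX-(Config|Info)=(\S+)")
HOST = re.compile(r"\bhost=(\S+)")


@dataclass
class Finding:
    line_no: int
    host: str
    reason: str


def analyze(log_text):
    """Flag lines matching the GET-then-POST pattern described in the article."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        hm = HOST.search(line)
        host = hm.group(1) if hm else "?"
        m = SESSION_GET.match(line)
        if m:
            what = "session-id" if m.group(1) else "config"
            findings.append(Finding(n, host, f"{what} GET with id={m.group(2)}"))
            continue
        if line.startswith("POST "):
            hdrs = dict(CUSTOM_HDR.findall(line))  # only the custom X-* headers
            if hdrs:
                desc = " ".join(f"X-{k}={v}" for k, v in sorted(hdrs.items()))
                findings.append(Finding(n, host, f"POST with custom headers {desc}"))
    return findings


def likely_c2_hosts(findings):
    """Hosts that received both the id GET and a custom-header POST."""
    gets = {f.host for f in findings if " GET " in f.reason}
    posts = {f.host for f in findings if f.reason.startswith("POST")}
    return gets & posts
```

Requiring both halves of the exchange from the same host keeps a lone "?id=" query on an unrelated site from tripping the rule.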

Compared to ObserverStealer, AsukaStealer reduces on-host dependencies by avoiding runtime download of DLLs (e.g., nss3.dll) and shifting parsing/decryption tasks to the server to minimize its footprint; otherwise, it preserves similar configuration retrieval, file discovery, and exfiltration flows. The sample hashes, task URLs, config gist, and YARA detection rule are provided in the article appendix for detection and analysis.

Read more: https://any.run/cybersecurity-blog/asukastealer-malware-analysis/