Keypoints
- GlorySprout is a C++ stealer marketed on XSS in March 2024 and sold for $300 with crypting and loader options.
- Technical analysis shows dynamic API resolution via API hashing and string obfuscation using XOR and arithmetic.
- Persistence is created with a scheduled task named “WindowsDefenderUpdater” that can run a dropped payload from %TEMP%.
- C2 is stored in the binary resource; communications occur over HTTP (port 80) using POSTs and RC4+Base64 encryption for payloads and logs.
- A flawed randomization routine with initial seed 0xC40DF552 results in a predictable RC4 key for initial check-in (IDaJhCHdIlfHcldJ).
- The stealer collects browser credentials, crypto wallets, sessions (Steam, Telegram, Discord), and other application data; browser passwords are decrypted on the server.
- The control panel is written in Golang (uses sqlx) and contains references to “taurus”, supporting the assessment it is a Taurus Stealer clone.
MITRE Techniques
- [T1071.001] Application Layer Protocol: Web Protocols (HTTP) – C2 communications occur over port 80 with POST requests; (‘Communication with the C2 server is performed via port 80. … sends out the POST request “/cfg/data=<botid>”’).
- [T1041] Exfiltration Over Command and Control Channel – Collected data is zipped, encrypted, base64-encoded and sent to C2 via POST to /log/; (‘the infected machine sends out the POST request with /log/ parameter containing the ZIP archive with collected data to C2 server’).
- [T1053.005] Scheduled Task/Job: Scheduled Task – Persistence is created using schtasks with a task named WindowsDefenderUpdater that can execute a dropped %TEMP% payload; (‘persistence is created via scheduled task named WindowsDefenderUpdater with ComSpec (cmd.exe) spawning the command /c schtasks /create …’).
- [T1027] Obfuscated Files or Information – The binary obfuscates strings via XOR and arithmetic and uses API hashing to hide API names; (‘The stealer obfuscates the strings via XOR and arithmetic operations such as substitution.’ and ‘GlorySprout dynamically resolves APIs through API hashing’).
- [T1005] Data from Local System – The stealer recursively grabs cryptowallets and multiple application data files from local folders like %AppData%; (‘Grab cryptowallets recursively from %AppData% folder …’).
- [T1555.003] Credentials from Web Browsers – Browser passwords are exfiltrated and decrypted on the server as part of collected logs; (‘General/forms.txt – contains the decrypted browser passwords. The browser passwords are decrypted on the server.’).
- [T1497] Virtualization/Sandbox Evasion – The binary checks language identifiers and has Anti-VM/Anti-CIS logic to avoid execution in certain environments; (‘The stealer exits if any of the language identifiers is found.’ and configuration lists Anti-VM enabled).
Indicators of Compromise
- [File Hash] sample malware hashes – 3952a294b831e8738f70c2caea5e0559, d295c4f639d581851aea8fbcc1ea0989 (and other sample hashes reported such as 8996c252fc41b7ec0ec73ce814e84136be6efef8).
- [IP Address] C2 servers – 147.78.103.197, 45.138.16.167.
- [Scheduled Task] persistence identifier – WindowsDefenderUpdater (task used to execute dropped payload from %TEMP%).
- [File/Path] dropped payload and logs – dropped payloads run from %TEMP% (random 8-character filename), and collected data archived into ZIP (sent via /log/).
- [YARA/Rule] detection artifact – Yara rule hash and rule provided (example: rule win_mal_GlorySprout_Stealer with rule hash 8996c252fc41b7ec0ec73ce814e84136be6efef8).
GlorySprout is implemented in C++ and uses dynamic API resolution by hashing function names (multiplication, addition, XOR and shifts) to avoid static API strings. Strings in the binary are obfuscated with XOR and arithmetic substitutions, and critical routines rely on a random-string generator (from a fixed alphabet) that also produces filenames and RC4 keys for ZIP archives. The API-hashing algorithm, reproduced in the original analysis as a Python compute_hash function, shows how API names are deterministically converted to hash values that the binary compares against export tables at runtime to locate the function it needs.
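The defender-side counterpart to API hashing is a precomputed lookup table: hash every export name of the DLLs a sample imports and map the hash constants found in the binary back to names. The following is an added example, not code from the original analysis; GlorySprout's real hash routine and its constants are not on this page, so `stand_in_api_hash` is a hypothetical function built only from the operation families the text names (multiply, add, XOR, shift), and `SAMPLE_EXPORTS` is a constructed list of well-known Windows export names.

```python
from typing import Callable, Dict, Iterable, Optional

# Hypothetical hash: NOT GlorySprout's routine. It only illustrates the
# multiply / add / XOR / shift pattern the analysis describes.
def stand_in_api_hash(name: str) -> int:
    h = 0x811C9DC5                              # assumed seed constant
    for ch in name.encode("ascii"):
        h = (h * 0x01000193) & 0xFFFFFFFF       # multiply
        h = (h + ch) & 0xFFFFFFFF               # add
        h ^= h >> 13                            # XOR with a shifted copy
    return h

# Constructed sample of real export names a stealer commonly resolves.
SAMPLE_EXPORTS = [
    "LoadLibraryA", "GetProcAddress", "VirtualAlloc", "CreateFileW",
    "WriteFile", "CryptUnprotectData", "WinHttpOpen", "WinHttpSendRequest",
    "RegOpenKeyExW", "CreateProcessW",
]

def build_hash_table(export_names: Iterable[str],
                     hash_fn: Callable[[str], int] = stand_in_api_hash) -> Dict[int, str]:
    """Map hash -> export name so hash constants found in a sample can be resolved.

    A collision between two different names would make resolution ambiguous,
    so it is reported instead of silently overwritten.
    """
    table: Dict[int, str] = {}
    for name in export_names:
        h = hash_fn(name)
        if h in table and table[h] != name:
            raise ValueError(f"hash collision: {name!r} vs {table[h]!r} ({h:#010x})")
        table[h] = name
    return table

def resolve_hashes(hashes: Iterable[int], table: Dict[int, str]) -> Dict[int, Optional[str]]:
    """Resolve each hash constant to a name, or None if it is not in the table."""
    return {h: table.get(h) for h in hashes}

if __name__ == "__main__":
    table = build_hash_table(SAMPLE_EXPORTS)
    # Pretend these constants were pulled from a sample's resolver stub.
    found = [stand_in_api_hash("VirtualAlloc"), stand_in_api_hash("CryptUnprotectData")]
    for h, name in resolve_hashes(found, table).items():
        print(f"{h:#010x} -> {name}")
```

In practice the table is built from the full export lists of kernel32, advapi32, crypt32, winhttp and similar DLLs, and the hash function is the one recovered from the sample (the compute_hash reproduction in the original analysis), so any hash constant in the resolver stub can be translated back to an API name without executing the binary.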
Persistence and execution rely on scheduled tasks: the installer/loader creates a schtasks entry named “WindowsDefenderUpdater” that runs cmd.exe to spawn the payload (which, if the loader is used, executes a randomly-named 8-character file dropped in %TEMP%). C2 configuration is embedded in the resource section; the victim performs HTTP check-in POSTs (e.g., /cfg/data=) using a Chrome-like user agent. The BotID and subsequent messages use RC4 encryption with a key derived from the randomization function (the first 10 bytes) and Base64 encoding; however, because the randomization routine starts from a fixed initial seed (0xC40DF552), the initial RC4 key is always the same (IDaJhCHdIlfHcldJ), making the first check-in deterministic and its contents recoverable by anyone who has the key.
After check-in, the server returns an encrypted configuration whose first 10 bytes are used as the RC4 key; the configuration toggles many data-stealing features (browser credentials, screenshots, crypto wallets from %AppData%, Steam/Telegram/Discord sessions, etc.). Collected data is packaged into a ZIP, encrypted with RC4, Base64-encoded, and POSTed to /log/; upon success the client issues /loader/complete/?data=1 to finish. The Golang panel (using sqlx) contains references to “taurus”, and combined feature overlap and artifacts support the conclusion GlorySprout is a modified clone of Taurus Stealer, with differences including no remote DLL dependency download and a reportedly inconsistent Anti-VM implementation.
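The practical consequence of the fixed seed, and of the URI scheme described above, can be shown end to end: the first check-in can be decoded from a traffic capture with the published key, the server reply can be decoded with the key carried in its own first bytes, and the three C2 paths make a simple detection over web-proxy logs. This is an added example, not code from the original analysis. It assumes the check-in parameter is Base64(RC4(key, BotID)) as the text describes, and it assumes the configuration reply is laid out as the 10-byte RC4 key followed by the Base64-encoded RC4 ciphertext, which the page does not state explicitly. `SAMPLE_HTTP_LOG` is a constructed log in an `<src_ip> <method> <path> <status>` layout.

```python
import base64
import re
from typing import List, Tuple

# Predictable first check-in key reported in the analysis (fixed seed 0xC40DF552).
INITIAL_RC4_KEY = b"IDaJhCHdIlfHcldJ"

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Symmetric, so the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def wrap(key: bytes, plaintext: bytes) -> str:
    """RC4 then Base64: the envelope the analysis reports for BotID, config and logs."""
    return base64.b64encode(rc4(key, plaintext)).decode("ascii")

def unwrap(key: bytes, blob: str) -> bytes:
    return rc4(key, base64.b64decode(blob))

def decode_checkin(request_path: str) -> bytes:
    """Recover the BotID from a '/cfg/data=<blob>' request using the predictable key."""
    m = re.match(r"^/cfg/data=(.+)$", request_path)
    if not m:
        raise ValueError("not a GlorySprout-style check-in path")
    return unwrap(INITIAL_RC4_KEY, m.group(1))

def decode_config(response_body: bytes) -> bytes:
    """Assumed layout: first 10 bytes are the RC4 key, the rest is Base64(RC4(config))."""
    key, ciphertext = response_body[:10], response_body[10:]
    return rc4(key, base64.b64decode(ciphertext))

# The three C2 paths named in the analysis, in the order the client uses them.
C2_PATH_PATTERNS = [
    re.compile(r"^/cfg/data="),                 # initial check-in
    re.compile(r"^/log/"),                      # exfiltration of the ZIP archive
    re.compile(r"^/loader/complete/\?data=1$"), # completion marker
]

def flag_c2_requests(log_lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line_no, path) for POST requests whose path matches a known C2 URI."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = re.match(r"^\S+ (POST|GET) (\S+)", line)
        if not m or m.group(1) != "POST":
            continue
        path = m.group(2)
        if any(p.search(path) for p in C2_PATH_PATTERNS):
            hits.append((n, path))
    return hits

# Constructed sample log, not captured traffic.
SAMPLE_HTTP_LOG = [
    "10.0.0.5 POST /cfg/data=QUJDREVG 200",
    "10.0.0.5 GET /favicon.ico 404",
    "10.0.0.5 POST /log/ 200",
    "10.0.0.7 POST /api/login 200",
    "10.0.0.5 POST /loader/complete/?data=1 200",
]

if __name__ == "__main__":
    bot_id = b"CONSTRUCTED-BOTID-0001"
    path = "/cfg/data=" + wrap(INITIAL_RC4_KEY, bot_id)
    print("check-in path:", path)
    print("recovered BotID:", decode_checkin(path))
    for n, p in flag_c2_requests(SAMPLE_HTTP_LOG):
        print(f"line {n}: suspicious C2 path {p}")
```

Because RC4 with a fixed key gives no confidentiality once the key is known, a proxy or IDS that stores request paths can recover every BotID from the first check-in offline; the path patterns alone are enough for an alert even when the payload is never decoded.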