Analytics Story: Braodo Stealer

Description

Leverage searches that allow you to detect and investigate unusual activities that may be related to the Braodo Stealer malware, a malicious software designed to steal sensitive information from infected systems. This malware typically targets login credentials, browser history, cookies, and stored passwords. Braodo Stealer often infiltrates through phishing campaigns or malicious downloads, enabling attackers to gain unauthorized access to personal and financial data. By monitoring unusual system behaviors, such as unauthorized network connections or data exfiltration, you can help prevent data breaches and mitigate the impact of this threat.

Why it matters

Braodo Stealer is a stealthy and dangerous piece of malware specifically engineered to siphon sensitive information from compromised systems. Often spread through phishing emails or disguised as legitimate downloads, it silently infiltrates a victim’s device. Once inside, it scours through browser histories, steals login credentials, captures cookies, and even extracts saved passwords from various applications. With this stolen data, cybercriminals can gain access to banking accounts, social media profiles, or business platforms. What makes Braodo Stealer particularly threatening is its ability to remain undetected, allowing attackers to exploit compromised systems for extended periods before the user becomes aware.

Detections

| Name | Technique | Type |
|---|---|---|
| Any Powershell DownloadFile | Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer | TTP |
| PowerShell 4104 Hunting | Command and Scripting Interpreter, PowerShell | Hunting |
| Powershell Processing Stream Of Data | Command and Scripting Interpreter, PowerShell | TTP |
| Registry Keys Used For Persistence | Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution | TTP |
| Windows Archived Collected Data In TEMP Folder | Archive Collected Data | TTP |
| Windows Credential Access From Browser Password Store | Query Registry | Anomaly |
| Windows Credentials from Password Stores Chrome Copied in TEMP Dir | Credentials from Web Browsers, Credentials from Password Stores | TTP |
| Windows Credentials from Password Stores Chrome Extension Access | Query Registry | Anomaly |
| Windows Credentials from Password Stores Chrome LocalState Access | Query Registry | Anomaly |
| Windows Credentials from Password Stores Chrome Login Data Access | Query Registry | Anomaly |
| Windows Credentials from Web Browsers Saved in TEMP Folder | Credentials from Web Browsers, Credentials from Password Stores | TTP |
| Windows Disable or Stop Browser Process | Disable or Modify Tools, Impair Defenses | TTP |
| Windows Screen Capture in TEMP folder | Screen Capture | TTP |

Data Sources

| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| CrowdStrike ProcessRollup2 | N/A | crowdstrike:events:sensor | crowdstrike |
| Powershell Script Block Logging 4104 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-PowerShell/Operational |
| Sysmon EventID 1 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 12 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 13 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Windows Event Log Security 4663 | Windows | xmlwineventlog | XmlWinEventLog:Security |
| Windows Event Log Security 4688 | Windows | xmlwineventlog | XmlWinEventLog:Security |

Source: GitHub | Version: 1