
About stealer's logs file structure

arey5322 (rank: RAID array; User; registered 18.01.2022; messages: 99; reactions: 27; deal guarantor: 17; deposit: 0.5009)
Hello everyone. I am looking for your advice. Yesterday I bought logs of one of the most popular stealers. There is a folder called GoogleAccounts in the logs' folder structure; this folder consists of two files, Restore_Chrome_Profile8 and Restore_Chrome_Profile 33. They are definitely not cookies, so my questions are:
1. What are these files?
2. How can I find them by myself?
3. How can I use them?

Thanks!
 
Any details on how it works? How does the stealer create this folder? Maybe some articles exist which describe it? I would be thankful for details.
This is general information:

Browsers store their data in specific directories on the hard drive. Stealers locate these folders, extract their contents, and decrypt the data.

Examples of profile directories for popular browsers:

• Google Chrome/Chromium: C:\Users\<user>\AppData\Local\Google\Chrome\User Data\
• Mozilla Firefox: C:\Users\<user>\AppData\Roaming\Mozilla\Firefox\Profiles\
• Microsoft Edge: C:\Users\<user>\AppData\Local\Microsoft\Edge\User Data\
• Opera: C:\Users\<user>\AppData\Roaming\Opera Software\Opera Stable\

2. Theft of Saved Passwords

Browsers store saved passwords in an encrypted format:

• In Chrome and Edge, the Windows Data Protection API (DPAPI) is used to encrypt data tied to the Windows user account. Stealers bypass this by decrypting passwords on the same machine.
• The stealer executes a command to read data from the Login Data file (an SQLite database) and uses the system key to decrypt it.

Process:

1. The Login Data database is accessed, containing usernames and encrypted passwords.
2. DPAPI is used to decrypt the data.
3. The decrypted usernames and passwords are sent to the attacker’s server.
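As a defender-side illustration of the process described above (added here; this is not code from the post or from any stealer): a small Python detector that parses constructed Windows object-access records and flags any process other than the browser itself opening the Login Data, Cookies, Web Data or Local State files under the Chrome/Edge profile paths listed. The record layout, the allow-list of browser executables and every path in the sample are assumptions constructed for the example.

```python
import re
from pathlib import PureWindowsPath

# Chrome/Edge profile roots from the post (lower-cased for matching) and the files a stealer
# reads: "Login Data" (saved passwords), "Cookies", "Web Data", and "Local State" (DPAPI-wrapped key).
PROFILE_ROOTS = (
    "\\appdata\\local\\google\\chrome\\user data\\",
    "\\appdata\\local\\microsoft\\edge\\user data\\",
)
SENSITIVE_FILES = {"login data", "cookies", "web data", "local state"}
# Assumed allow-list of processes that legitimately open these files; tune per environment.
BROWSER_PROCESSES = {"chrome.exe", "msedge.exe"}

# Constructed sample records in the shape of Windows Security 4663 (object access) events.
SAMPLE_LOG = r"""
EventID=4663 ProcessName=C:\Program Files\Google\Chrome\Application\chrome.exe ObjectName=C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data
EventID=4663 ProcessName=C:\Users\alice\AppData\Local\Temp\update.exe ObjectName=C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data
EventID=4663 ProcessName=C:\Users\alice\AppData\Local\Temp\update.exe ObjectName=C:\Users\alice\AppData\Local\Google\Chrome\User Data\Profile 1\Cookies
EventID=4663 ProcessName=C:\Windows\explorer.exe ObjectName=C:\Users\alice\Documents\notes.txt
EventID=4663 ProcessName=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe ObjectName=C:\Users\alice\AppData\Local\Microsoft\Edge\User Data\Default\Web Data
"""

LINE_RE = re.compile(r"EventID=(\d+) ProcessName=(.+?) ObjectName=(.+)$")

def parse_log(text):
    """Parse key=value records (one per line) into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append({"EventID": int(m.group(1)),
                           "ProcessName": m.group(2), "ObjectName": m.group(3)})
    return events

def is_browser_store(path):
    """True when the path is one of the sensitive files inside a Chrome/Edge profile directory."""
    p = path.lower()
    return any(root in p for root in PROFILE_ROOTS) and PureWindowsPath(p).name in SENSITIVE_FILES

def flag_events(events):
    """Return (process, file) pairs where a non-browser process opened a browser credential store."""
    hits = []
    for ev in events:
        if ev["EventID"] != 4663 or not is_browser_store(ev["ObjectName"]):
            continue
        if PureWindowsPath(ev["ProcessName"]).name.lower() not in BROWSER_PROCESSES:
            hits.append((ev["ProcessName"], ev["ObjectName"]))
    return hits

if __name__ == "__main__":
    for proc, obj in flag_events(parse_log(SAMPLE_LOG)):
        print(f"ALERT: {proc} opened {obj}")
```

In the sample, the two reads by the unsigned executable in the user's Temp directory are flagged, while the browsers' own reads and an unrelated document are not.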
 
What is a chrome profile?
Where are the files related to the Chrome profile located?
How to decrypt them?
How to use them?
 
1-2. A Chrome profile is a collection of user data (bookmarks, history, extensions, etc.) stored separately for each user.
Location:
Code:
Windows: C:\Users\<Username>\AppData\Local\Google\Chrome\User Data\Default (or Profile 1, Profile 2, etc.)
macOS: ~/Library/Application Support/Google/Chrome/Default (or Profile 1, Profile 2, etc.)

3-4. If there are no cookie files in JSON/Netscape format in the log folder and you don’t have access to the victim’s computer (or you only have a regular file with an encrypted database), you won’t be able to decrypt it. In the latest versions, cookies are encrypted using the App Bound Encryption (ABE) key, which requires direct access to the victim’s system to decrypt. If you figure out how to retrieve this key, you’ll be able to decrypt the cookie database.
Example code for decryption: https://github.com/xaitax/Chrome-App-Bound-Encryption-Decryption/blob/main/chrome_decrypt.cpp
 
Yeah, it is clear, but it seems we don't understand each other. There are some questions still open...
What is GoogleAccounts folder in botnet logs?
How stealers get it?
How to use it?
 
Can you paste me the link of where you bought it?
 
Honestly, I would not like to advertise any service. I believe you can find it easily here; just search for something like "logs market".
 
Firstly, thank you for your reply! I have been searching but to no avail. I tried the logs market from "lumma" but they aren't very proficient in my desired country. I am seeking your guidance once again
 
Btw, there is a folder called AnyDesk in the stealer's log folder. I tried to upload service.conf/system.conf/user.conf but nothing happened. Is that the right way?
Generally you need to place the AnyDesk files into your own .config folder, and the same with wallets, although it's better to use software/scripts for this to prevent corruption.
There really is no real market for logs. Lumma is filled with fake logs from scammers / worked out. Think about it as logs, a gold mine. A person mined the gold that was there, and then sold the mine to a third person, which took the gold dust on the ground from previous work, and then it's distributed into clouds and the public. You need to launch your own campaigns
 
Good day c2, thanks for joining the convo! Your insight is accurate because those are the problems that I am facing as of now. I have seen some decent files that haven't been ransacked, but as you mentioned in your gold mine analogy it might've been stepped on or dust. Please shoot me a PM. I would love to continue our conversation.
 
On the one side you are right when you speak about gold mines, etc., but on the other side people search not only for creds from crypto wallets and exchangers in logs; sometimes you may find useful creds for other things....
 
Yes, I agree)
 