{
	"id": "67263ec6-1cd3-4f6a-8d22-87a1d11f8a13",
	"created_at": "2026-04-06T00:18:33.770685Z",
	"updated_at": "2026-04-10T13:13:03.148156Z",
	"deleted_at": null,
	"sha1_hash": "60c4167fa0f41e5e48de2313588829f4a8759cc8",
	"title": "CopperStealer: Password \u0026 Cookie Stealer Malware | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 913590,
	"plain_text": "CopperStealer: Password \u0026 Cookie Stealer Malware | Proofpoint US\r\nBy Brandon Murphy, Dennis Schwarz, Jack Mott, and the Proofpoint Threat Research Team\r\nPublished: 2021-03-17 · Archived: 2026-04-05 17:18:54 UTC\r\nOverview\r\nOn Jan 29th, 2021, a Twitter user, \"TheAnalyst\", shared a sample which caught our attention after we were notified it\r\ntriggered an Emerging Threats Network Intrusion Detection System (NIDS) rule.  A quick triage of the sample\r\nfound overlap with malware tracked internally as CopperStealer.  This external interest caused Proofpoint\r\nresearchers to investigate further, eventually leading to coordinated disruptive actions by Facebook, Cloudflare,\r\nand other service providers.\r\nOur investigation uncovered an actively developed password and cookie stealer with a downloader function,\r\ncapable of delivering additional malware after performing stealer activity.  The earliest discovered samples date\r\nback to July of 2019.  While we analyzed a sample that targets Facebook and Instagram business and advertiser\r\naccounts, we also identified additional versions that target other major service providers, including Apple,\r\nAmazon, Bing, Google, PayPal, Tumblr and Twitter.\r\nCopperStealer exhibits many of the same targeting and delivery methods as SilentFade, a Chinese-sourced\r\nmalware family first reported by Facebook in 2019.  
Proofpoint believes CopperStealer to be a previously\r\nundocumented family within the same class of malware as SilentFade, StressPaint, FacebookRobot and Scranos.\r\nFacebook attributed the creation of SilentFade to Hong Kong-based ILikeAD Media International Company Ltd\r\nand during the 2020 Virus Bulletin conference disclosed it was responsible for over $4 million in damages by\r\n“compromising people’s Facebook accounts and then using people’s accounts to run deceptive ads”.\r\nDistribution Methods\r\nProofpoint researchers observed suspicious websites advertised as “KeyGen” or “Crack” sites, including\r\nkeygenninja[.]com, piratewares[.]com, startcrack[.]com, and crackheap[.]net, hosting samples that have delivered\r\nmultiple malware families including CopperStealer. These sites advertise themselves as offering “cracks”, “keygen”\r\nand “serials” to circumvent licensing restrictions of legitimate software.  However, we observed these sites\r\nultimately provide Potentially Unwanted Programs/Applications (PUP/PUA) or run other malicious executables\r\ncapable of installing and downloading additional payloads (Figure 1).\r\nhttps://www.proofpoint.com/us/blog/threat-insight/now-you-see-it-now-you-dont-copperstealer-performs-widespread-theft\r\nPage 1 of 22\n\nFigure 1: A “cracked” application being hosted which dropped CopperStealer.\r\nSinkholing Activity\r\nDuring this investigation, Proofpoint researchers worked closely with researchers at Facebook, Cloudflare, and\r\nother service providers to coordinate disruptive action.  This included Cloudflare placing a warning interstitial\r\npage in front of the malicious domains and establishing a sinkhole for two of the malicious domains before they\r\ncould be registered by the threat actor. 
\r\nThis sinkhole, a method of concurrently limiting the actor’s ability to collect victim data while enabling\r\nresearchers to gain visibility into victim demographics, provided valuable insight into the malware’s behavior and\r\nscope.  In the first 24 hours of operation, the sinkhole logged 69,992 HTTP requests from 5,046 unique IP\r\naddresses originating from 159 countries, representing 4,655 unique infections. The top five countries based on\r\nunique infections were India, Indonesia, Brazil, Pakistan and the Philippines.\r\nAfter approximately 28 hours of operating the sinkhole, the amount of traffic declined sharply. At the same time, it\r\nwas observed that CopperStealer was no longer being distributed via the keygenninja[.]com website.\r\nMalware Analysis\r\nA sample with the SHA256 hash of 5fa60303a0c4fd13ecd69e7c1a17788b72605473c2fb3f93eb758010326c76e5\r\nwas used for this analysis.\r\nNaming\r\nSince November 2019, Proofpoint and Emerging Threats have identified this threat as ‘CopperStealer’ and have\r\ntracked it internally since then, as well as in ETPRO signatures.  This name originates from observed PDB and\r\nprocess memory strings referencing 'DavidCopperfield' (Figure 2). In January 2021, after other researchers had\r\nshown interest in this malware, ESET created specific anti-virus detection for this threat under the name\r\n‘Mingloa’; however, Proofpoint continues to refer to this as CopperStealer.\r\nFigure 2: Process Memory Strings\r\nAnti-Analysis\r\nThe malware makes use of several basic anti-analysis techniques to avoid running within researcher systems:
\r\nIsDebuggerPresent() check\r\nGetSystemDefaultLCID() == 0x804 (Chinese (Simplified, PRC), zh-CN) check\r\nWindow/class enumeration looking for common analysis tools:\r\nTCPViewClass\r\nTStdHttpAnalyzerForm\r\nHTTP Debugger\r\nTelerik Fiddler\r\nASExplorer\r\nCharles\r\nBurp Suite\r\nDevice enumeration looking for indicators of virtualization:\r\nvmware\r\nvirtual\r\nvbox\r\nFacebook and Instagram Data Retrieval\r\nThe malware contains the ability to find and send saved browser passwords.  The following Internet browsers are\r\nsearched specifically for Facebook saved credentials:\r\nChrome\r\nEdge\r\nYandex\r\nOpera\r\nFirefox\r\nIn addition to the saved browser passwords, the malware uses stored cookies to retrieve a User Access Token from\r\nFacebook.  Once the User Access Token is gathered, the malware requests several API endpoints for Facebook and\r\nInstagram to gather additional context, including a list of friends, any advertisement accounts configured for the\r\nuser and a list of pages the user has been granted access to (Figure 3).\r\nFigure 3: The Facebook and Instagram requests generated by the malware\r\nAll requests created from the analyzed sample contain a static Accept-Language header of \"ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7\".  The analyzed sample produces many lowercased request headers, though this behavior does\r\nnot appear in all versions (Figure 4).\r\nFigure 4: The malware sending a request using stolen cookies to gather additional information on the victim's\r\nFacebook account.\r\nDownloader Function\r\nCopperStealer’s downloader function retrieves a download configuration from the C2 server.  
The analyzed sample\r\nextracts a 7z archive named xldl.dat (18c413810b2ac24d83cd1cdcaf49e5e1) and then executes one of the\r\nextracted files (ThunderFW.exe - f0372ff8a6148498b19e04203dbb9e69) via:\r\nC:\\Users\\\u003credacted\u003e\\AppData\\Local\\Temp\\download\\ThunderFW.exe ThunderFW \"C:\\Users\\\r\n\u003credacted\u003e\\AppData\\Local\\Temp\\download\\MiniThunderPlatform.exe\"\r\nThe executed binary appears to be a legitimate download manager called Xunlei, created by Xunlei Networking\r\nTechnologies, LTD, that, while legitimate, was previously identified as being bundled with malware in 2013, as reported\r\nby ESET.  CopperStealer uses an API exposed by the Xunlei application in order to download the configuration\r\nfor the follow-up binary.\r\nThe analyzed sample downloads a configuration from the C2 server with a URI path of \"/info/dd\" (Figure 5).  The\r\ndownload configuration has also been retrieved from alternative URI paths (see the Malware Evolution section\r\nbelow). The configuration returned by the server is encrypted and encoded using the same method as other\r\nmessages detailed within this report.  The configuration contains details pertaining to the location and execution of\r\nthe payload (Figure 6).\r\nFigure 5: Encrypted download configuration returned from the C2 server.\r\nFigure 6: Decrypted download configuration served by the C2 server.\r\nDropped Malware\r\nMost recently, SmokeLoader has been observed as a downloaded payload\r\nfrom hxxp://dream[.]pics/setup_10.2_mix1.exe.  
However, historical network traffic shows a variety of malware\r\nbeing delivered from a handful of URLs.\r\nRecent SmokeLoader samples:\r\n9f9ec27591faea47ca6c72cf26911d932a2a7efe20fdd1a6df8ea82e226fbf38\r\nc9d92e36006663f53a01a14800389bd29f3266f00727cce1f39862cceccc50b0\r\nbb5d2c07ce902c78227325bf5f336c04335874445fc0635a6b67ae5ba9d2fefc\r\n381ab701bc1e092cb3ad5902e3b828e4822500418fbde8f8102081892e0a095a\r\n29c0dca8a7ce4f8be136e51bb4a042778277198e76ddd57dda995b7fb0ce5b35\r\n3c1f7af5e69a599268bcb3343b8609006a255090234d699c77922c95743e9e98\r\n679150089d1fa44cf099ff4cf677dc683a3fb1bab81b193a56414ac5a046aeeb\r\n9902a7fdaac2e764b8e50adbd9ebca4d8d510c2df9af6c5c6a19c721621dd873\r\nd74b612aa9f21f0d12bdb8a8e8af894bd718a1145c41ec64a646cf4fa78e9f75\r\nHost Artifacts\r\nWhile there are no observed persistence techniques in the analyzed sample, there are several opportunities for\r\nhost-based detection.\r\nMutex Creation\r\nThe analyzed sample created a mutex called \"Global\\exist_sign_install_r3\" while other samples have created\r\nrelated mutexes:\r\nGlobal\\exist_sign__install_r3\r\nGlobal\\exist_sign_task_Hello001\r\nGlobal\\exist_sign_task_Hello002\r\nCreated Registry Key\r\nThe analyzed sample first attempts to open a specific registry key (below), which it later creates.  This registry key is\r\nused to determine whether the malware has previously run on the victim machine and is used when determining the\r\nvalue of the \"isfirst\" flag in the exfiltrated data.\r\nHKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\vindiesel\r\nDropped Certificates\r\nA certificate, SHA1 Fingerprint=6C:0C:E2:DD:05:84:C4:7C:AC:18:83:9F:14:05:5F:19:FA:27:0C:DD, related to\r\nCharles Proxy is loaded into the victim machine's \"My\" and \"Trusted Root\" certificate stores.  
The existence of\r\nthis certificate in the \"My\" certificate store is used when determining the value of the \"isfirst\" flag in addition to\r\nthe vindiesel registry key. The Subject Common Name of this certificate contains:\r\nCharles Proxy CA (19 十月 2019, DESKTOP-BNAT11U)\r\nDropped Kernel Driver\r\nThe analyzed sample can also drop and load a kernel driver\r\n(d4d3127047979a1b9610bc18fd6a4d2f8ac0389b893bcb36506759ce2f20e7e4).  The purpose of this driver is\r\ncurrently unknown.\r\nCommand and Control\r\nThis malware uses HTTP in order to communicate with C2 servers which are generated using a Domain\r\nGeneration Algorithm (DGA). During investigation into various CopperStealer samples, Proofpoint researchers\r\ndiscovered two distinct DGA methods in use, which are detailed below. While the use of TLS has been observed\r\nin more recent samples, most communication does not make use of TLS.\r\nDomain Generation Algorithm\r\nInitially reported by \"Johann Aydinbas\" on Twitter, the malware uses a Domain Generation Algorithm (DGA) in\r\norder to generate new command and control servers on a daily basis. A Python3 script is publicly available to\r\ngenerate all domains for the observed DGA methods.\r\nVersion 10 – Version 47\r\nThe DGA is based on the middle 16 characters of an MD5 hash of a concatenated string of a \"seed\" and the\r\ncurrent UTC date in YYYYMMDD format.  As observed within process memory strings, the analyzed sample\r\nutilizes the \"seed\" of \"exchangework\" (Figure 7).\r\nAs an example, the process of generating the DGA domain for Feb 10, 2021 using the seed of \"exchangework\" is\r\ndetailed below:\r\n1. Create the string: \"exchangework20210210\"\r\n2. Calculate the md5 of the string: \"2fe5b3641cd81defbab5fc17db5c36c9\"\r\n3. Extract the middle 16 characters of the md5: \"1cd81defbab5fc17\"\r\n4. Apply the Top-Level Domain (TLD): \"1cd81defbab5fc17[.]xyz\"\r\nWe identified several different seeds using this domain pattern among other artifacts.  A timeline of seed use can\r\nbe found in the Malware Evolution section below.\r\nDavidCopperfield\r\nFrankLin\r\nWebGL\r\nVindiesel\r\nexchangework\r\nchangenewsys\r\nhellojackma\r\nFigure 7: The DGA seed observed in process memory strings.\r\nVersion 50.0 – Version 52.0\r\nAs of February 21, 2021, we observed a slightly modified DGA beginning with Version 51.0\r\n(cde543ca4a84d89bd3c7c0e908b044f2).  The DGA is still based on the middle 16 characters of an MD5 hash of\r\na concatenated string of a “seed” and the current UTC month in YYYYMM format.  Five additional DGA domain\r\nvariants are created by appending the digits “1”, “2”, “3”, “4” and “5” to the concatenated string, and the sample\r\ncontains a single hardcoded backup server (Figure 8).\r\nC2 string MD5 DGA Domain\r\nhellojackma202102 6efdb73ec8224b778f8d7e733cdda77a c8224b778f8d7e73[.]com\r\nhellojackma2021021 92fc307e52959825ae41ce72ebbe0bc6 52959825ae41ce72[.]com\r\nhellojackma2021022 8e4bb5a0574e0f440d5d411d0189ab9d 574e0f440d5d411d[.]com\r\nhellojackma2021023 4e2b0de8844106c92ac5210af536e236 844106c92ac5210a[.]com\r\nhellojackma2021024 42f6d2b8687b318f1a4e0afc52fa4eb9 687b318f1a4e0afc[.]com\r\nhellojackma2021025 52612d7eeaa5cd71691e472c2e4182da eaa5cd71691e472c[.]com\r\nTable 1: February 2021 C2 domains for Version 51.0 DGA.\r\nFigure 8: Version 51 DGA seed observed in process memory strings.\r\nVersion 60.0\r\nOn March 11, 2021, we identified another slight modification in Version 60.0 that resulted in additional DGA\r\ndomains being generated for each month.  
These are the same methods from Version 50.0, but this version\r\nincluded two additional hardcoded domains and extended the DGA domain variants by appending the digits “1” –\r\n“10” to the concatenated string.  This results in an “extended” list of domains compared to the Version 50.0\r\nsample.\r\nC2 Traffic Examples\r\nThe analyzed sample exhibits several different types of messages sent to the C2 server. All messages from the\r\nclient to the server are sent via POST requests using encrypted message content within the \"info\" key, and all\r\ndecrypted content is `^A` (\\x5e\\x41) delimited.\r\nStatus Updates\r\nThe analyzed sample sends status update messages to the HTTP Request URI of `/info/step` via a POST with the\r\nkey of `info`, where the value contains encrypted message data (Figure 9).  The decryption and encoding methods are\r\ndetailed within the report.\r\nFigure 9: A status update being delivered via an HTTP request made by the malware.\r\nThe status update message contains three fields (Figure 10). The “guid” value, a 16 character string matching the\r\nregex \"^(?:[a-f0-9]{16}|[A-F0-9]{16})$\", appears to be generated based on the MachineGuid value and the\r\nComputerName.\r\nThe analyzed sample has the following \"status\" values:\r\nmain_start\r\ncheck_start\r\nfb_start\r\nins_start\r\ndl_start\r\nFigure 10: Decrypted and split content of a status update message.\r\nData Exfiltration\r\nCopperStealer sends the exfiltrated data to the C2 server via a POST request to a variety of target specific URIs\r\n(Figure 11).  The data is stored within the “info” key and is encrypted as described within the “C2 Traffic\r\nencryption” section of this report.  The data exfiltrated contains target specific data fields (Figure 12). 
\r\nFigure 11: Facebook Data exfiltrated to the C2 server via “/info/fb”\r\nFigure 12: The decrypted Facebook data sent to the C2 server.\r\nThe ads_info key contains a modified base64 encoded string (not encrypted) which decodes to a JSON string with\r\ninformation about any set-up ad accounts (Figure 13).\r\nFigure 13: Details of the ads_info decoded data.\r\nReverse engineering indicated Instagram data is exfiltrated via POST requests to \"/info/ins\" with the following\r\nkeys:\r\nguid\r\nver\r\nseller\r\nos\r\ncookie\r\nfans\r\nDownload Status Updates\r\nAfter completing the downloader function, a downloader specific status update message is sent to the C2 server.\r\nThese status update messages are sent using the same encryption method as other messages via POST requests\r\nto \"/info/retdl\" with the following keys:\r\nname\r\nchannel\r\nos\r\nguid\r\ndownok\r\nregok\r\nFigure 14: Downloader status update being sent to the C2 server.\r\nC2 Traffic encryption\r\nWhile the malware does not use HTTPS communications, it does leverage DES encryption and a modified base64\r\nencoding.  Within the HTTP traffic, the 'info' form item contains the encrypted details.  
Several different key and\r\nIV values have been observed (Table 2).\r\nKey IV\r\ntaskhost winlogon\r\nrundll32 explorer\r\nloadfaid unsigned\r\nTable 2: DES Encryption Keys and IVs for network communication.\r\nA Python3 script has been created to decrypt the communications using the observed keys and IVs.\r\nMalware Evolution\r\nThe first observed sample using the DGA method is associated with Version 10 of the malware. Proofpoint has\r\nobserved rapid development, most recently finding Version 52, first observed on March 5, 2021.\r\nSeed Changes\r\nSeed First Observed Sample SHA256\r\nDavidCopperfield July 26, 2019 81202529443a234489720c0030b05d3b5c28fe046a412953e95110699cc9b7cf\r\nFrankLin June 1, 2020 3225ce04d0b89652ac6b1f59180eefd41b5a6fdcbabd9066da710cdab462383e\r\nWebGL September 22, 2020 449973a46282cfbce784d86b42a26a5a259b3f552627986aec57bac4902d3461\r\nVindiesel December 8, 2020 daa6931054a125d49f43537a7c07a3bfad8854e18c0c25b49ad7808040f92bb8\r\nexchangework January 10, 2021 6ec80bae15601abfa57fc8ca0a3a83bd6af876a47123c3d8a0ac1761ca3b1289\r\nchangenewsys January 13, 2021 10bb601f27c0aae7fb9cc88a45434a8dcd759c03698c00b322f8b7f78ed64164\r\nhellojackma February 8, 2021 f9188822ce06ba4017508737fd6304babaee4832cfb94803b7ef83e0de9d5327\r\nhellojackma February 21, 2021 1edec40732a728195ffea9946dd65ede6072c3c5061cfa3cc6e7cf6b7769052c\r\nhellojackma March 11, 2021 b2996f082d4b43cf9ea3de083ba882269b5f63d6ac53bf31449831e75cb6e4a9\r\nTable 3: A Timeline of DGA Seeds\r\nMajor Version Updates\r\nThere have been 80 different versions observed in the year 
and a half that CopperStealer has been distributed in the\r\nwild. Our investigation found that the release of new versions increased in frequency starting in August 2020 and\r\naccelerated between October 2020 and February 2021, with several updates being released every month (Figure\r\n15).\r\nFigure 15: A graph showing the frequency of new version observations.\r\nC2 Traffic Changes\r\nSome versions exhibit different URI structures for sending status updates and exfiltrated data (Figure 16).\r\nFigure 16: Network Traffic from Version 46.0.0\r\nTarget Variation\r\nWhile the analyzed sample targets Facebook and Instagram, network traffic gathered from other versions indicates\r\nother service providers were targeted, with unique URI paths used for exfiltration (Table 4).\r\nVersion Sample SHA256 Target Service Provider\r\n13 ebcc7681c6634a22090b9eec8e1a82151173bb74d6668c3e7915a7558b2e9fbe Bing / Apple / Paypal\r\n13 42e2411108492987315588c71e15f3e6ad266bd380a6f8c6607a577414a332bb Twitter / Google / Facebook\r\n13 1088966f9f137b15a34da54765d7773743a77da4ac2f70e82e6d603af28cf58e Google\r\n22.4 8b4c5372b95dbc8705b82f2223b6086795004b5ad559091f607a43d0b5038595 Tumblr\r\n46.0.0 772062075a6ce77768bd462428eb6554ccaefec146f2f79cf22032614364d800 Amazon\r\n51.0 b3681d24634f9b10af333470d1f50404fce978bd78bbe22a283716327cfd48c1 Google\r\nTable 4: Samples observed targeting other service providers.\r\nDynamic Cookie Collection\r\nDuring a brief dynamic analysis of a Version 51.0 sample (ed21e90c75aec59d0278efb7107f9253), an HTTP request to\r\n“/info/r” is made.  The response from the C2 server contains an encrypted partial domain name “amazon.” (Figure\r\n17). 
The next HTTP request made by the malware is a data exfiltration containing data fields which reference\r\nthe amazon URL (Figure 18).\r\nFigure 17: The C2 server responding with a partial domain.\r\nFigure 18: Amazon details exfiltrated to the C2 server.\r\nHardcoded Backup C2s\r\nStarting with Version 47.0 (c2227bff513c463298e61ef82a5c4665) the malware implements hardcoded backup\r\nservers in addition to the standard DGA generated domains. The specific hardcoded domains have changed from\r\nversion to version.  In the case of Version 47.0, the sample introduced hardcoded backup C2 servers from the\r\n\"changenewsys\" seed covering the DGAs for Feb 12, 2021 to Feb 23, 2021 (Figure 19).  The most recent Version 60.0\r\nsample is configured to use domains in other Top Level Domains (TLDs) such as .io, .ru and .su. These\r\ndomains can be found in the Indicators of Compromise section of this report.\r\nFigure 19: Process memory strings of Version 47.0 showing backup C2 servers.\r\nConclusion\r\nWhile CopperStealer isn't the most nefarious credential/account stealer in existence, it goes to show that even with\r\nbasic capabilities, the overall impact can be large. Previous research from Facebook and Bitdefender has exposed\r\na rapidly increasing ecosystem of Chinese-based malware focused on the monetization of compromised social\r\nmedia and other service accounts. Findings from this investigation point towards CopperStealer being another\r\npiece of this ever-changing ecosystem. CopperStealer’s active development and use of DGA based C2 servers\r\ndemonstrates operational maturity as well as redundancy. 
After sinkholing activities helped disrupt CopperStealer's\r\ncurrent activities, we will continue to monitor the threat landscape to identify and detect future evolutions of this\r\nmalware.\r\nProofpoint threat research would like to thank those in the information security research community who share\r\nand provide observations for all to use. As described earlier in this post, the collaborative efforts granted us the\r\nopportunity to proceed further than just creating detections. Our team encourages researchers to work\r\ncollaboratively and share information together to move detections, disruption, and research forward. Feel free to\r\nreach out via the Emerging Threats feedback portal!\r\nIndicators of Compromise\r\nIndicator Note\r\n5fa60303a0c4fd13ecd69e7c1a17788b72605473c2fb3f93eb758010326c76e5 Version 41.4.0\r\nc8224b778f8d7e73[.]com February 2021 C2 Server\r\n52959825ae41ce72[.]com February 2021 C2 Server\r\n574e0f440d5d411d[.]com February 2021 C2 Server\r\n844106c92ac5210a[.]com February 2021 C2 Server\r\n687b318f1a4e0afc[.]com February 2021 C2 Server\r\neaa5cd71691e472c[.]com February 2021 C2 Server\r\nc41676c07a61a961[.]com March 2021 C2 Server\r\na36e971e03d9cbf8[.]com March 2021 C2 Server\r\n9a3a97f6f45f2c2b[.]com March 2021 C2 Server\r\n768deefde7eecd74[.]com March 2021 C2 Server\r\n60d5acb6460b4221[.]com March 2021 C2 Server (sinkholed)\r\n1c6706c3d3e47cd1[.]com March 2021 C2 Server (sinkholed)\r\nback19e64ea00d6ecfe1[.]io Hard Coded C2 Server\r\nru94cb2b5ed89d7c[.]ru Hard Coded C2 Server\r\nsu94cb2b5ed89d7c[.]su Hard Coded C2 Server\r\n6c34589d7d1b8d7a[.]com March 2021 C2 Server (sinkholed)\r\nda5ae4747ff1851c[.]com March 2021 C2 Server (sinkholed)\r\nf27655e1f8eb05de[.]com March 2021 C2 Server (sinkholed)\r\n5071e6e7fd9c82ec[.]com March 2021 C2 Server (sinkholed)\r\nb4f3ae0279bacc16[.]com March 2021 C2 Server (sinkholed)\r\nb2996f082d4b43cf9ea3de083ba882269b5f63d6ac53bf31449831e75cb6e4a9 Version 60.0\r\nb3681d24634f9b10af333470d1f50404fce978bd78bbe22a283716327cfd48c1 Version 51.0\r\n2101fe7d90649a84586e01a615330c95db03c33327cae640cd0e2d7a36f3f2cc Version 51.0\r\n1edec40732a728195ffea9946dd65ede6072c3c5061cfa3cc6e7cf6b7769052c Version 50.0\r\n77daf2ac4fd26e13adbd6b7db03c1fadd30cafc513d03a8412896bb6b4f0f39b Version 47.0\r\nf9188822ce06ba4017508737fd6304babaee4832cfb94803b7ef83e0de9d5327 Version 47.0\r\n772062075a6ce77768bd462428eb6554ccaefec146f2f79cf22032614364d800 Version 46.0\r\n10bb601f27c0aae7fb9cc88a45434a8dcd759c03698c00b322f8b7f78ed64164 Version 45.0.0\r\n6ec80bae15601abfa57fc8ca0a3a83bd6af876a47123c3d8a0ac1761ca3b1289 Version 43.3.0\r\ndaa6931054a125d49f43537a7c07a3bfad8854e18c0c25b49ad7808040f92bb8 Version 30.0\r\n449973a46282cfbce784d86b42a26a5a259b3f552627986aec57bac4902d3461 Version 23.0\r\n8b4c5372b95dbc8705b82f2223b6086795004b5ad559091f607a43d0b5038595 Version 22.4\r\n3225ce04d0b89652ac6b1f59180eefd41b5a6fdcbabd9066da710cdab462383e Version 13\r\nebcc7681c6634a22090b9eec8e1a82151173bb74d6668c3e7915a7558b2e9fbe Version 13\r\n42e2411108492987315588c71e15f3e6ad266bd380a6f8c6607a577414a332bb Version 13\r\n1088966f9f137b15a34da54765d7773743a77da4ac2f70e82e6d603af28cf58e Version 13\r\n81202529443a234489720c0030b05d3b5c28fe046a412953e95110699cc9b7cf Version 10\r\ne03f2a3c636d458e8122361377ba641b1b7d6b5ff950948820359e5eebed4221 Installer Leading to CopperStealer\r\n729b2cb357db3f9fbca4eff18274c5ce59e4fd18e944c3d36cc7e04f8453a9f6 Installer Leading to CopperStealer\r\nhxxps://piratewares[.]com/allavsoft-downloader-converter-keygen/ Installer Leading to CopperStealer\r\nhxxps://startcrack[.]com/adobe-photoshop-cc-2021-crack-updated/ Installer Leading to CopperStealer\r\nhxxps://keygenninja[.]com/serial/gta_4_all.html Installer Leading to CopperStealer\r\n9f9ec27591faea47ca6c72cf26911d932a2a7efe20fdd1a6df8ea82e226fbf38 Dropped Smokeloader\r\nc9d92e36006663f53a01a14800389bd29f3266f00727cce1f39862cceccc50b0 Dropped Smokeloader\r\nbb5d2c07ce902c78227325bf5f336c04335874445fc0635a6b67ae5ba9d2fefc Dropped Smokeloader\r\n381ab701bc1e092cb3ad5902e3b828e4822500418fbde8f8102081892e0a095a Dropped Smokeloader\r\n29c0dca8a7ce4f8be136e51bb4a042778277198e76ddd57dda995b7fb0ce5b35 Dropped Smokeloader\r\n3c1f7af5e69a599268bcb3343b8609006a255090234d699c77922c95743e9e98 Dropped Smokeloader\r\n679150089d1fa44cf099ff4cf677dc683a3fb1bab81b193a56414ac5a046aeeb Dropped Smokeloader\r\n9902a7fdaac2e764b8e50adbd9ebca4d8d510c2df9af6c5c6a19c721621dd873 Dropped Smokeloader\r\nd74b612aa9f21f0d12bdb8a8e8af894bd718a1145c41ec64a646cf4fa78e9f75 Dropped Smokeloader\r\nEmerging Threats Signatures\r\nET MALWARE Win32/CopperStealer CnC Activity M2 - 2031926\r\nET MALWARE Win32/CopperStealer CnC Activity M3 - 2031927\r\nET MALWARE Win32/CopperStealer CnC Activity - 2031916\r\nET MALWARE Win32/CopperStealer Installer Started - 2031928\r\nSource: https://www.proofpoint.com/us/blog/threat-insight/now-you-see-it-now-you-dont-copperstealer-performs-widespread-theft",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.proofpoint.com/us/blog/threat-insight/now-you-see-it-now-you-dont-copperstealer-performs-widespread-theft"
	],
	"report_names": [
		"now-you-see-it-now-you-dont-copperstealer-performs-widespread-theft"
	],
	"threat_actors": [],
	"ts_created_at": 1775434713,
	"ts_updated_at": 1775826783,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/60c4167fa0f41e5e48de2313588829f4a8759cc8.pdf",
		"text": "https://archive.orkl.eu/60c4167fa0f41e5e48de2313588829f4a8759cc8.txt",
		"img": "https://archive.orkl.eu/60c4167fa0f41e5e48de2313588829f4a8759cc8.jpg"
	}
}