{
	"id": "d5c2abaa-92e9-407b-8335-5a61e7404f02",
	"created_at": "2026-04-06T00:10:26.360465Z",
	"updated_at": "2026-04-10T03:36:47.997539Z",
	"deleted_at": null,
	"sha1_hash": "99a41f6df4e1eab534dc2a5c39402e85fd627568",
	"title": "Analysis of August stealer malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 973796,
	"plain_text": "Analysis of August stealer malware\r\nArchived: 2026-04-05 17:22:44 UTC\r\nNOTE: This blog has been merged with WordPress. This article is also available on the WordPress site at https://hazmalware.wordpress.com/2016/12/27/analysis-of-august-stealer-malware/\r\nAugust malware is designed to steal various data from compromised systems. It was observed appearing for sale around 10/20/2016. According to the malware author's post on underground forums it has the ability to steal various passwords, cookies, bitcoin wallets, RDP and FTP saved connections, and can even grab specified files. At the time of this writing the latest version can steal data from the following applications:\r\nBrowsers:\r\nMozilla FireFox\r\nGoogle Chrome\r\nComodo IceDragon\r\nVivaldi Browser\r\nMail.Ru Browser\r\nTorch Browser\r\nDooble Browser\r\nU Browser\r\nCoowon\r\nAmigo Browser\r\nBromium\r\nYandex Browser\r\nOpera Browser\r\nChromium\r\nSRWare Iron\r\nCoolNovo Browser\r\nRockMelt Browser\r\nFTP Clients:\r\nWinSCP\r\nTotal Commander\r\nEmail Clients:\r\nMS Outlook \u003c= 2013\r\nhttps://hazmalware.blogspot.de/2016/12/analysis-of-august-stealer-malware.html\r\nPage 1 of 12\n\nIM Clients:\r\nWindows Live\r\nPidgin\r\nPsi\r\nBitcoin Wallets:\r\nwallet.dat\r\nRDP remote connection files\r\nAny specified files/documents\r\nHere is a look at the admin panel of this malware:\r\nThe malware has been observed being delivered in malspam emails that have Word document attachments. It is the typical phishing type email that entices the user to open the attachment. The Word documents contain VBA that will use PowerShell to download the malware payload from a remote URL where it is encoded into a byte array in the webpage. It is then programmed to load the byte array and decode it with an exclusive or (XOR) and call the main function from the loaded executable.\r\nThis post is geared more towards the binary analysis of the August malware, but the great people over at Proofpoint have done a fantastic job on an overview of the threat - you can read it on their blog here. So let's continue with our analysis.\r\nRunning the strings command on files can often give you quite a bit of interesting information regarding the sample you are analyzing. You have to be careful though, because strings can sometimes be misleading as malware authors can put junk strings in to confuse analysis -- remember to validate anything you find. Here are a few of the interesting strings I found in this sample:\r\nYou can see that there appear to be some strings related to crypto functions, encryption, decryption, HTTP functions, and even some anti-debugging. There are many, many more but we have to consolidate for the post. One of the more interesting items are the strings 'ConfusedByAttribute' and 'Confuser v1.9.0.0'.\r\nConfuser is a packer / obfuscation tool for .NET applications. It offers a variety of obfuscation methods such as anti-debugging, anti-memory dumping, anti-decompiling, encrypting constants, methods, and resources, etc.\r\nWhen analyzing an unknown binary it is always good to verify what type of file you are dealing with. PEiD shows that this is a .NET executable designed for 32 bit computers.\r\nDiE (Detect It Easy) is another good tool to analyze exe files, especially if you think it might be packed. Looking at our sample it shows again that this is a .NET executable and it was designed for 32 bit. It also shows that this sample was packed with Confuser v1.9.0.0 - just like we saw in our strings.\r\nIt is good practice to not just rely on a single source of information, but to verify with multiple sources. CFF Explorer is one of my favorite apps for analyzing binary files because it gives you so much detailed information. Looking at this in CFF shows much of the same.\r\nWe see that the File Type is listed as a Portable Executable 32 .NET Assembly and File Info shows Microsoft Visual Studio .NET. So we are probably dealing with a .NET file... but let's do a little more analysis just to make sure. Do not pay attention to the created/modified/access times as these are when this binary was copied to the Windows analysis computer... remember Windows MAC time rules.\r\nThe DOS Header shows the 4D5A MZ magic number indicating that this is an executable file.\r\nChecking the Optional Header info we can see the 2 byte value 010B (PE32) indicating that it is designed as a 32 bit application.\r\nIn the Data Directories section, under NT Headers -\u003e Optional Header, we can see that .NET MetaData Directory RVA \u0026 Size on the right details page both contain values. These are good indications that we are indeed dealing with a .NET executable.\r\nOne last thing to verify - .NET files only have 1 import and 1 function imported. Here we see mscoree.dll and _CorDllMain, respectively:\r\nWe can now confidently say that we are dealing with a .NET executable file.\r\nThere are a couple of other items of interest that we will take a look at. The EXE compile datetime shows the date and time the project was compiled from Visual Studio. This can easily be changed by anyone with a little knowledge. The compile time for this binary shows the following\r\nWhich converted becomes\r\nGiven other indicators going on for this around the same time, confidence is pretty high that the compile time is legit. The other item of interest is the module directory that shows the name of this file at compile time. Because anyone can rename a file at any time, this entry will often show the original name of the file the malware author had set at the time it was compiled. Here we see it was indeed called 'August@.dll'.\r\nNow that we know we are dealing with a .NET file, we can open it up in a decompiler and see what we get.\r\nAll of the methods and assemblies are encrypted by the Confuser packer that was identified earlier.\r\nLooks like we're going to have to decrypt it first before analyzing. For this we can use a program called NoFuser to help with decryption. Running our binary through NoFuser shows that it detected Confuser v1.9 as well and successfully cleaned our binary.\r\nNow open it back up inside the decompiler and we should have readable data.\r\nMoving into the Main() method, because this is where code execution starts, we see that right away the malware hides itself by setting the FileAttribute to 'Hidden'.\r\nNext it has functions to check whether there are analysis programs currently running as processes, and will sleep for 20000ms if it finds any (roughly 30 seconds).\r\n\u003c-snip-\u003e\r\nIt then gathers some information about the computer that it has just infected, such as the type of CPU, amount of RAM, networking info, etc.\r\nIt also grabs the username of the person currently logged in.\r\nIt then encrypts the data and sends it to the pre-programmed C2 server via the following web request.\r\nWe can see that it is using a POST method and has a timeout value set to 100000ms. The C2 URL value is completely configurable and will change from sample to sample.\r\nAfter checking in with its C2 the malware immediately begins its data exfiltration routines. Checking through the code shows functions for all the data exfil types listed at the beginning of this post. I will not list all of the code here for brevity's sake.\r\nAll-in-all this is a pretty interesting sample. I am still analyzing and learning more about it, but I think that about wraps it up for this post!\r\nThe sample analyzed in this post was found on hybrid-analysis over here.\r\nFiletype PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows\r\nMimetype application/x-dosexec\r\nSize 102912\r\nMD5 11c445c509f6a86fde366076502f085a\r\nSHA1 47edb81b7ab25a632c6d2911581e800f700208b2\r\nSHA256 c725e62b5aa3dfbf41b979bb55b04d43fa7042ca34cb914892872267e79de8d1\r\nSource: https://hazmalware.blogspot.de/2016/12/analysis-of-august-stealer-malware.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://hazmalware.blogspot.de/2016/12/analysis-of-august-stealer-malware.html"
	],
	"report_names": [
		"analysis-of-august-stealer-malware.html"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434226,
	"ts_updated_at": 1775792207,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/99a41f6df4e1eab534dc2a5c39402e85fd627568.pdf",
		"text": "https://archive.orkl.eu/99a41f6df4e1eab534dc2a5c39402e85fd627568.txt",
		"img": "https://archive.orkl.eu/99a41f6df4e1eab534dc2a5c39402e85fd627568.jpg"
	}
}