# Mini Stealer: Possible Predecessor of Parrot Stealer **[blog.cyble.com/2022/08/29/mini-stealer-possible-predecessor-of-parrot-stealer/](https://blog.cyble.com/2022/08/29/mini-stealer-possible-predecessor-of-parrot-stealer/)** ## Mini Stealer’s Builder & Panel released for free August 29, 2022 During a routine threat hunting exercise, Cyble Research and Intelligence Labs (CRIL) discovered a post on a cybercrime forum where a Threat Actor (TA) released MiniStealer’s builder and panel for free. The TA claims that the stealer can target operating systems such as Windows 7, 10, and 11. Using such builders, TAs can easily generate malicious payloads. MiniStealer mainly targets FTP applications and Chromium-based browsers. ----- Figure 1 – Post on a cybercrime forum Nearly a month after the release of MiniStealer, the same TA made a post selling Parrot Stealer’s builder and panel for USD 50. The TA stated that this stealer is based on MiniStealer. We suspect that the TA might have added the functionalities in Parrot stealer which were missing in MiniStealer. Figure 2 – TA Selling Parrot stealer The figure below shows the Parrot stealer panel. ----- Figure 3 – Parrot Stealer Web Panel ### Builder and Web Panel The zip file leaked by TA contains two folders, as shown below. These folders contain the following files: Builder: MiniStealerBuilder.exe, Stub Panel: Web Panel Source code Figure 4 – Leaked Files The builder released by the TA is a .NET-based binary. It has the functionality to add the Command and Control (C&C) details to the payload. The builder loads a file named “stub,” which is the actual payload, and then writes the C&C details to it for generating the final payload. The test button shown in the figure below sends the Test Logs to the C&C server to check if the connection can be established. These logs contain three connection strings TestUser, TestPass, and TestHost. ----- Figure 5 – MiniStealer Builder The TA has also released the source code of the web panel, which can be used to receive stolen data from a target network. The figure below shows the web panel. Figure 6 – MiniStealer panel ## Technical Analysis (Sample SHA256:e837a0e6b01ca695010ee8bc4df57a6a9c6ef6e2c22e279501e06f61f0354f67) Mini Stealer is a 64-bit .NET-binary that uses Timestomping. Timestomping is a technique that modifies the timestamps of a file. Adversaries use this technique on their payloads to deflect any unnecessary attention during forensic investigations. ----- Figure 7 – File Details The stealer uses multiple AntiAnalysis checks to prevent debugging of the sample. To detect profiling, the code verifies if the COR_ENABLE_PROFILING environment variable is present and set to 1. Profilers are designed to monitor, troubleshoot, and debug managed code executed by the .NET Common Language Runtime. The figure below showcases the stealer detecting profiling. Figure 8 – Detecting profiling This stealer spawns a thread for continuously checking if the stealer payload is being debugged. To check for the presence of debuggers, this thread executes methods such as IsDebuggerPresent, _OutputDebugString, and Debugger.IsLogging._ ----- Figure 9 – Anti-Analysis This stealer payload steals data from the following Chromium-based browsers and FTP applications. The stealer appears to be in the development stage as several FTP applications are hardcoded in the stealer, but it does not appear to target all of them. The TA might have added these functionalities in Parrot Stealer, which is suspected to be an upgraded paid version of MiniStealer. For the FTP application, the stealer steals data from configuration files. For browsers, the stealer copies certain files for exfiltration present in the AppData\Browser directory, which stores user session and login credentials, as shown in the figure below. Figure 10 – Stealing Data **Over 25 Chromium-based browsers:** ----- Chrome, AvastBrowser, AVGBrowser, Browser360, CCleanerBrowser, CentBrowser, Chedot, Citrio, CocCoc, ComodoDragon, CoolNovo, Coowon, ElementsBrowser, EpicPrivacyBrowser, IridiumBrowser, Kometa, LiebaoBrowser, Maxthon, OperaGX, OperaNeon, Orbitum, QIPSurf, Sleipnir, SlimJet, Sputnik, SRWareIron, uCozMedia, Vivaldi, Yandex, **Over 20 FTP Applications:** Filezilla, FlashFXP, AutoFTPManager, AutoFTPPro, BitKinex, BulletproofFTP, ClassicFTP, CoreFTP, CuteFTP, Cyberduck, Dreamweaver, FreeFTP, DirectFTP, ftpcommander, FTPEXPLORER, FTPRush, FTPvoyager, LeapFTP, MultiCommander, SmartFTP, SuperPutty, TotalCommander, TurboFTP, WSFTP, WinSCP ## Conclusion The availability of free malware builders and panels can assist TAs in carrying out attacks, as TAs do not need to invest time and money to get malware payloads for cybercrime purposes. There is always the possibility that TA might have released the builder and panel of MiniStealer for free for marketing purposes and to build a reputation amongst themselves on cybercrime forums. The TA’s behavior further reinforces this theory as after 1 month; they began selling a paid stealer, which is suspected to be based on MiniStealer. CRIL continuously monitors emerging threats and has observed a surge in the use of stealer malware by TAs. ## Our Recommendations We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below: **How to prevent malware infection?** Avoid downloading pirated software from warez/torrent websites. The “Hack Tool” present on sites such as YouTube, torrent sites, etc., contains such malware. Use strong passwords and enforce multi-factor authentication wherever possible. Turn on the automatic software update feature on your computer, mobile, and other connected devices. Use a reputed anti-virus and internet security software package on your connected devices, including PC, laptop, and mobile. Refrain from opening untrusted links and email attachments without first verifying their authenticity. Educate employees in terms of protecting themselves from threats like phishing’s/untrusted URLs. Block URLs that could be used to spread the malware, e.g., Torrent/Warez. Monitor the beacon on the network level to block data exfiltration by malware or TAs. ## MITRE ATT&CK® Techniques **Tactic** **Technique ID** **Technique Name** ----- **Execution** [T1204](https://attack.mitre.org/techniques/T1204/) User Execution **Defense Evasion** [T1497.001](https://attack.mitre.org/techniques/T1497/001/) [T1070.006](https://attack.mitre.org/techniques/T1070/006/) **Credential Access** [T1555](https://attack.mitre.org/techniques/T1555/) [T1539](https://attack.mitre.org/techniques/T1539/) [T1552](https://attack.mitre.org/techniques/T1552/) [T1528](https://attack.mitre.org/techniques/T1528/) **Discovery** [T1087](https://attack.mitre.org/techniques/T1087/) [T1518](https://attack.mitre.org/techniques/T1518/) [T1057](https://attack.mitre.org/techniques/T1057/) [T1007](https://attack.mitre.org/techniques/T1007/) Virtualization/Sandbox Evasion: System Checks Indicator Removal on Host: Timestomp Credentials from Password Stores Steal Web Session Cookie Unsecured Credentials Steal Application Access Token Account Discovery Software Discovery Process Discovery System Service Discovery **Command and Control** [T1071](https://attack.mitre.org/techniques/T1071/) Application Layer Protocol **Exfiltration** [T1041](https://attack.mitre.org/techniques/T1041/) Exfiltration Over C2 Channel ## Indicators of Compromise (IOCs) **Indicators** **Indicator** **type** d65def0ad7f1b428bc1045cf2214b82f e2beda0ef5d1c38bb96fb7eb6ee25990073e6a17 e837a0e6b01ca695010ee8bc4df57a6a9c6ef6e2c22e279501e06f61f0354f67 **MD5** **SHA1** **SHA256** **Description** Malicious binary -----