| 1 | +# Target Files for Infostealers |
| 2 | + |
| 3 | +Since the files targeted by infostealers on compromised machines share common characteristics, I have summarized them below. |
| 4 | + |
| 5 | +## AI |
| 6 | + |
| 7 | +- OpenClaw: `%USERPROFILE%\.openclaw` |
| 8 | + |
| 9 | +## Browser Credentials |
| 10 | + |
| 11 | +### Chromium-based Browsers |
| 12 | + |
| 13 | +- 360browser: `%LOCALAPPDATA%\360browser\Browser\User Data` |
| 14 | +- Brave: `%LOCALAPPDATA%\BraveSoftware\Brave-Browser\User Data` |
| 15 | +- CentBrowser: `%LOCALAPPDATA%\CentBrowser\User Data` |
| 16 | +- Chrome: `%LOCALAPPDATA%\Google\Chrome\User Data` |
| 17 | +- CocCoc Browser: `%LOCALAPPDATA%\CocCoc\Browser\User Data` |
| 18 | +- Edge: `%LOCALAPPDATA%\Microsoft\Edge\User Data` |
| 19 | +- Opera: `%APPDATA%\Opera Software\Opera Stable` |
| 20 | +- Opera GX: `%APPDATA%\Opera Software\Opera Stable GX Stable` |
| 21 | +- Vivaldi: `%LOCALAPPDATA%\Vivaldi\User Data` |
| 22 | +- Yandex: `%LOCALAPPDATA%\Yandex\YandexBrowser\User Data` |
| 23 | + |
| 24 | +Each Chromium-based browser stores a significant amount of sensitive information within its corresponding profile directory. Infostealers selectively extract specific data from these locations, particularly the following: |
| 25 | + |
| 26 | +- **Decryption key**: `Local State` |
| 27 | +- **Autofill data**: `Default\Web Data` (SQL database) |
| 28 | +- **Local Storage**: `Default\Local Storage\leveldb` (LevelDB) |
| 29 | +- **Session Storage**: `Default\Session Storage` (LevelDB) |
| 30 | +- **Browsing History**: `Default\History` (SQL database) |
| 31 | +- **Browser Extensions**: `Default\Local Extension Settings` (LevelDB) |
| 32 | + |
| 33 | +At the same time, browser-side protection mechanisms continue to improve. For example, Google Chrome has adopted **App-Bound Encryption**, making it significantly more difficult to steal credentials and cookies. |
| 34 | + |
| 35 | +However, attackers attempt to bypass these protections by leveraging implementations such as [Chrome App Bound Encryption Decryption](https://github.com/xaitax/Chrome-App-Bound-Encryption-Decryption), which demonstrate methods to circumvent App-Bound Encryption and recover protected data. |
| 36 | + |
| 37 | +#### Browser Extension IDs |
| 38 | + |
| 39 | +In Chromium-based browsers, the `User Data\Default\Local Extension Settings` directory contains ID-specific subdirectories corresponding to installed browser extensions. Infostealers target and exfiltrate the **LevelDB** data stored within each of these directories. |
| 40 | + |
| 41 | +**Authenticators** |
| 42 | + |
| 43 | +- Aegis Authenticator: `ppdjlkfkedmidmclhakfncpfdmdgmjpm` |
| 44 | +- Authenticator: `bhghoamapcdpbohphigoooaddinpkbai` |
| 45 | +- Authy: `gjffdbjndmcafeoehgdldobgjmlepcal` |
| 46 | +- Duo Mobile: `eidlicjlkaiefdbgmdepmmicpbggmhoj` |
| 47 | +- EOS Authenticator: `oeljdldpnmdbchonielidgobddffflal` |
| 48 | +- FreeOTP: `elokfmmmjbadpgdjmgglocapdckdcpkn` |
| 49 | +- Google Authenticator: `khcodhlfkpmhibicdjjblnkgimdepgnd` |
| 50 | +- LastPass Authenticator: `cfoajccjibkjhbdjnpkbananbejpkkjb` |
| 51 | +- MEW CX: `nlbmnnijcnlegkjjpcfjclmcfggfefdm` |
| 52 | +- Microsoft Authenticator: `bfbdnbpibgndpjfhonkflpkijfapmomn` |
| 53 | +- OTP Auth: `bobfejfdlhnabgglompioclndjejolch` |
| 54 | +- Sollet: `fhmfendgdocmcbmfikdcogofphimnkno` |
| 55 | + |
| 56 | +**Crypto Wallets** |
| 57 | + |
| 58 | +- Airbitz: `ieedgmmkpkbiblijbbldefkomatsuahh` |
| 59 | +- Atomic: `bhmlbgebokamljgnceonbncdofmmkedg` |
| 60 | +- BinanceChain: `fhbohimaelbohpjbbldcngcnapndodjp` |
| 61 | +- BitBox: `ocmfilhakdbncmojmlbagpkjfbmeinbd` |
| 62 | +- BRD: `nbokbjkelpmlgflobbohapifnnenbjlh` |
| 63 | +- Coin98: `aeachknmefphepccionboohckonoeemg` |
| 64 | +- Coinomi: `blbpgcogcoohhngdjafgpoagcilicpjh` |
| 65 | +- Copay: `ieedgmmkpkbiblijbbldefkomatsuahh` |
| 66 | +- Digital Bitbox: `dbhklojmlkgmpihhdooibnmidfpeaing` |
| 67 | +- Electrum: `hieplnfojfccegoloniefimmbfjdgcgp` |
| 68 | +- Exodus: `idkppnahnmmggbmfkjhiakkbkdpnmnon` |
| 69 | +- GreenAddress: `gflpckpfdgcagnbdfafmibcmkadnlhpj` |
| 70 | +- Guarda Wallet: `fcglfhcjfpkgdppjbglknafgfffkelnm` |
| 71 | +- iWallet: `kncchdigobghenbbaddojjnnaogfppfj` |
| 72 | +- Jaxx Liberty: `mhonjhhcgphdphdjcdoeodfdliikapmj` |
| 73 | +- KeepKey: `dojmlmceifkfgkgeejemfciibjehhdcl` |
| 74 | +- LastPass: `gabedfkgnbglfbnplfpjddgfnbibkmbb` |
| 75 | +- Keplr: `dmkamcknogkgcdfhhbddcghachkejeap` |
| 76 | +- Ledger Live: `pfkcfdjnlfjcmkjnhcbfhfkkoflnhjln` |
| 77 | +- Ledger Wallet: `hbpfjlflhnmkddbjdchbbifhllgmmhnm` |
| 78 | +- MetaMask: `nkbihfbeogaeaoehlefnkodbefgpgknn` |
| 79 | +- Mycelium: `pidhddgciaponoajdngciiemcflpnnbg` |
| 80 | +- NeoLine: `cphhlgmgameodnhkjdmkpanlelnlohao` |
| 81 | +- OneKey: `ilbbpajmiplgpehdikmejfemfklpkmke` |
| 82 | +- Phantom: `bfnaelmomeimhlpmgjnjophhpkkoljpa` |
| 83 | +- Ronin: `fnjhmkhhmkbjkkabndcnnogagogbneec` |
| 84 | +- Samourai Wallet: `apjdnokplgcjkejimjdfjnhmjlbpgkdi` |
| 85 | +- Station Wallet: `aiifbnbfobpmeekipheeijimdpnlpgpp` |
| 86 | +- TezBox: `mnfifefkajgofkcjkemidiaecocnkjeh` |
| 87 | +- TronLink: `ibnejdfjmmkpcnlpebklmnkoeoihofec` |
| 88 | +- Trust Wallet: `pknlccmneadmjbkollckpblgaaabameg` |
| 89 | +- Wombat: `amkmjjmmflddogmhpjloimipbofnfjih` |
| 90 | + |
| 91 | +**Password Managers** |
| 92 | + |
| 93 | +- Avira Password Manager: `caljgklbbfbcjjanaijlacgncafpegll` |
| 94 | +- Bitwarden: `inljaljiffkdgmlndjkdiepghpolcpki` |
| 95 | +- Browserpass: `naepdomgkenhinolocfifgehidddafch` |
| 96 | +- Dashlane: `flikjlpgnpcjdienoojmgliechmmheek` |
| 97 | +- KeePassXC: `kgeohlebpjgcfiidfhhdlnnkhefajmca` |
| 98 | +- Keeper: `gofhklgdnbnpcdigdgkgfobhhghjmmkj` |
| 99 | +- NordPass: `njgnlkhcjgmjfnfahdmfkalpjcneebpl` |
| 100 | +- Norton Password Manager: `admmjipmmciaobhojoghlmleefbicajg` |
| 101 | +- RoboForm: `hppmchachflomkejbhofobganapojjol` |
| 102 | +- Trezor Password Manager: `imloifkgjagghnncjkhggdhalmcnfklk` |
| 103 | +- Zoho Vault: `igkpcodhieompeloncfnbekccinhapdb` |
| 104 | + |
| 105 | +**Others** |
| 106 | + |
| 107 | +- Splikity: `jhfjfclepacoldmjmkmdlmganfaalklb` |
| 108 | +- YubiKey: `mammpjaaoinfelloncbbpomjcihbkmmc` |
| 109 | + |
| 110 | +### Gecko-based Browsers |
| 111 | + |
| 112 | +- Firefox: `%APPDATA%\Mozilla\Firefox\Profiles\<profile>` |
| 113 | + |
| 114 | +Gecko-based browsers are targeted through files stored within the profile directory, including `cert9.db`, `key4.db`, `logins.json`, `cookies.sqlite`, `formhistory.sqlite`, `places.sqlite`, `sessionstore.jsonlz4`, and `storage\default\moz-extension+++`. |
| 115 | + |
| 116 | +In some cases, the entire profile directory is exfiltrated, and tools such as [firefox_decrypt](https://github.com/unode/firefox_decrypt) are used to extract stored credentials. |
| 117 | + |
| 118 | +## Chat Clients |
| 119 | + |
| 120 | +- Discord: `%APPDATA%\discord` |
| 121 | +- Telegram: `%APPDATA%\Telegram Desktop\tdata` |
| 122 | + |
| 123 | +## Crypto Wallets |
| 124 | + |
| 125 | +- Armory: `%APPDATA%\Armory` |
| 126 | +- Atomic: `%APPDATA%\atomic` |
| 127 | +- Binance: `%APPDATA%\Binance` |
| 128 | +- Bitcoin Core: `%APPDATA%\Bitcoin\wallets` |
| 129 | +- Coinomi: `%LOCALAPPDATA%\Coinomi` |
| 130 | +- Daedalus Mainnet: `%APPDATA%\Daedalus Mainnet` |
| 131 | +- Dash Core: `%APPDATA%\DashCore` |
| 132 | +- Dogecoin Core: `%APPDATA%\Dogecoin` |
| 133 | +- Electron Cash: `%APPDATA%\Electron Cash` |
| 134 | +- Electrum: `%APPDATA%\Electrum` |
| 135 | +- Electrum LTC: `%APPDATA%\Electrum-LTC` |
| 136 | +- Ethereum: `%APPDATA%\Ethereum` |
| 137 | +- Exodus: `%APPDATA%\Exodus` |
| 138 | +- JaxxClassic: `%APPDATA%\Jaxx\Local Storage\leveldb` |
| 139 | +- JaxxLiberty: `%APPDATA%\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb` |
| 140 | +- Ledger Live: `%APPDATA%\Ledger Live` |
| 141 | +- Litecoin Core: `%APPDATA%\Litcoin` |
| 142 | +- Monero GUI: `%USERPROFILE%\Documents\Monero\wallets` |
| 143 | +- Raven Core: `%APPDATA%\Raven` |
| 144 | +- Wasabi Wallet: `%APPDATA%\WalletWasabi\Client` |
| 145 | +- Zcash: `%APPDATA%\Zcash` |
| 146 | + |
| 147 | +## Email Clients |
| 148 | + |
| 149 | +- Thunderbird: `%APPDATA%\Thunderbird\Profiles` |
| 150 | + |
| 151 | +## Game Clients |
| 152 | + |
| 153 | +- Steam: `%ProgramFiles(x86)%\Steam` |
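Review bot: the Airbitz and Copay entries under **Crypto Wallets** in the extension-ID list carry the same value, `ieedgmmkpkbiblijbbldefkomatsuahh`, and that string cannot be a Chromium extension ID at all, since such IDs are 32 characters drawn only from the letters a to p and this one contains `s`, `t` and `u`; both entries need to be re-checked against the extensions' real Web Store IDs. Two path typos: `- Litecoin Core: `%APPDATA%\Litcoin`` should read `Litecoin`, and `- Opera GX: `%APPDATA%\Opera Software\Opera Stable GX Stable`` repeats "Stable" and should be verified against an installed Opera GX profile, where the expected directory name is `Opera GX Stable`. The `LastPass` entry is filed under **Crypto Wallets** (and breaks the alphabetical order between KeepKey and Keplr); it belongs in the **Password Managers** group. The `Web Data` and `History` entries say "SQL database"; these are SQLite files, so name the format precisely. Finally, the paragraph on App-Bound Encryption says it makes credentials and cookies harder to steal, but the preceding list of extracted Chromium data has no entry for either, so either add the corresponding profile entries or reword the sentence so it matches what the list actually covers.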