LoFP / legitimate software installed on partitions other than "c:\"

Techniques

Sample rules

Access To Crypto Currency Wallets By Uncommon Applications

Description

Detects file access requests to crypto currency wallet files by uncommon processes. This could indicate an attempt to steal crypto currency wallets.

Detection logic

condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
filter_main_generic:
  Image|startswith:
  - C:\Program Files (x86)\
  - C:\Program Files\
  - C:\Windows\system32\
  - C:\Windows\SysWOW64\
filter_main_system:
  Image: System
filter_optional_defender:
  Image|endswith:
  - \MpCopyAccelerator.exe
  - \MsMpEng.exe
  Image|startswith: C:\ProgramData\Microsoft\Windows Defender\
selection:
- FileName|contains:
  - \AppData\Roaming\Ethereum\keystore\
  - \AppData\Roaming\EthereumClassic\keystore\
  - \AppData\Roaming\monero\wallets\
- FileName|endswith:
  - \AppData\Roaming\Bitcoin\wallet.dat
  - \AppData\Roaming\BitcoinABC\wallet.dat
  - \AppData\Roaming\BitcoinSV\wallet.dat
  - \AppData\Roaming\DashCore\wallet.dat
  - \AppData\Roaming\DogeCoin\wallet.dat
  - \AppData\Roaming\Litecoin\wallet.dat
  - \AppData\Roaming\Ripple\wallet.dat
  - \AppData\Roaming\Zcash\wallet.dat

Suspicious File Access to Browser Credential Storage

Description

Detects file access to browser credential storage paths by non-browser processes, which may indicate credential access attempts. Adversaries may attempt to access browser credential storage to extract sensitive information such as usernames, passwords, or cookies. This behavior is commonly observed in credential-stealing malware.

Detection logic

condition: all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*
filter_main_generic:
  Image|startswith:
  - C:\Program Files\
  - C:\Program Files (x86)\
  - C:\Windows\System32\
  - C:\Windows\SysWOW64\
filter_main_img:
  Image|endswith:
  - \Sputnik.exe
  - \ChromePlus.exe
  - \QIP Surf.exe
  - \BlackHawk.exe
  - \7Star.exe
  - \Sleipnir5.exe
  - \Citrio.exe
  - \Chrome SxS.exe
  - \Chrome.exe
  - \Coowon.exe
  - \CocCocBrowser.exe
  - \Uran.exe
  - \QQBrowser.exe
  - \Orbitum.exe
  - \Slimjet.exe
  - \Iridium.exe
  - \Vivaldi.exe
  - \Chromium.exe
  - \GhostBrowser.exe
  - \CentBrowser.exe
  - \Xvast.exe
  - \Chedot.exe
  - \SuperBird.exe
  - \360Browser.exe
  - \360Chrome.exe
  - \dragon.exe
  - \brave.exe
  - \torch.exe
  - \UCBrowser.exe
  - \BliskBrowser.exe
  - \Epic Privacy Browser.exe
  - \nichrome.exe
  - \AmigoBrowser.exe
  - \KometaBrowser.exe
  - \XpomBrowser.exe
  - \msedge.exe
  - \LiebaoBrowser.exe
  - \AvastBrowser.exe
  - \Kinza.exe
  - \seamonkey.exe
  - \icedragon.exe
  - \cyberfox.exe
  - \SlimBrowser.exe
  - \palemoon.exe
filter_main_path:
  Image|contains:
  - \Sputnik\
  - \MapleStudio\
  - \QIP Surf\
  - \BlackHawk\
  - \7Star\
  - \Fenrir Inc\
  - \CatalinaGroup\
  - \Google\
  - \Coowon\
  - \CocCoc\
  - \uCozMedia\
  - \Tencent\
  - \Orbitum\
  - \Slimjet\
  - \Iridium\
  - \Vivaldi\
  - \Chromium\
  - \GhostBrowser\
  - \CentBrowser\
  - \Xvast\
  - \Chedot\
  - \SuperBird\
  - \360Browser\
  - \360Chrome\
  - \Comodo\
  - \BraveSoftware\
  - \Torch\
  - \UCBrowser\
  - \Blisk\
  - \Epic Privacy Browser\
  - \Nichrome\
  - \Amigo\
  - \Kometa\
  - \Xpom\
  - \Microsoft\
  - \Liebao7\
  - \AVAST Software\
  - \Kinza\
  - \Mozilla\
  - \8pecxstudios\
  - \FlashPeak\
  - \Moonchild Productions\
filter_main_system:
  Image: System
  ParentImage: Idle
filter_optional_defender:
  Image|contains: \Microsoft\Windows Defender\
  Image|endswith:
  - \MpCopyAccelerator.exe
  - \MsMpEng.exe
filter_optional_msiexec:
  ParentImage: C:\Windows\System32\msiexec.exe
filter_optional_other:
  Image|endswith: \everything.exe
filter_optional_thor:
  Image|endswith:
  - \thor.exe
  - \thor64.exe
selection_browser_paths:
  FileName|contains:
  - \Sputnik\Sputnik
  - \MapleStudio\ChromePlus
  - \QIP Surf
  - \BlackHawk
  - \7Star\7Star
  - \CatalinaGroup\Citrio
  - \Google\Chrome
  - \Coowon\Coowon
  - \CocCoc\Browser
  - \uCozMedia\Uran
  - \Tencent\QQBrowser
  - \Orbitum
  - \Slimjet
  - \Iridium
  - \Vivaldi
  - \Chromium
  - \GhostBrowser
  - \CentBrowser
  - \Xvast
  - \Chedot
  - \SuperBird
  - \360Browser\Browser
  - \360Chrome\Chrome
  - \Comodo\Dragon
  - \BraveSoftware\Brave-Browser
  - \Torch
  - \UCBrowser\
  - \Blisk
  - \Epic Privacy Browser
  - \Nichrome
  - \Amigo
  - \Kometa
  - \Xpom
  - \Microsoft\Edge
  - \Liebao7Default\EncryptedStorage
  - \AVAST Software\Browser
  - \Kinza
  - \Mozilla\SeaMonkey\
  - \Comodo\IceDragon\
  - \8pecxstudios\Cyberfox\
  - \FlashPeak\SlimBrowser\
  - \Moonchild Productions\Pale Moon\
selection_browser_subpaths:
  FileName|contains:
  - \Profiles\
  - \User Data
selection_cred_files:
- FileName|contains:
  - \Login Data
  - \Cookies
  - \EncryptedStorage
  - \WebCache\
- FileName|endswith:
  - cert9.db
  - cookies.sqlite
  - formhistory.sqlite
  - key3.db
  - key4.db
  - Login Data.sqlite
  - logins.json
  - places.sqlite
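Both rules above exclude "expected" processes with a filter_main_generic block whose Image|startswith values all begin with C:\, which is exactly why legitimate software installed on another partition shows up as a false positive. The following Python is an added example, not code from this page or from the Sigma project: it hand-codes the crypto wallet rule's selection and filters as dictionaries, implements only the field modifiers and the condition shape these two rules use (the same evaluator handles the browser rule's all of selection_* form, but that rule is not encoded here), and runs it over constructed file-access events. The with_drive_agnostic_filter function shows one possible tuning for the documented false positive; it is an assumption of this example, not part of the published rule, and the event values (user name, paths, Defender platform version) are made up.

```python
import copy


def match_field(spec_key, values, event):
    """Evaluate one Sigma field with its modifier against an event.

    Supports the modifiers used on this page: startswith, endswith,
    contains and exact match. Comparison is case-insensitive (Sigma's
    default), so C:\\Windows\\system32\\ and C:\\Windows\\System32\\ are equal.
    """
    field, _, modifier = spec_key.partition("|")
    actual = str(event.get(field, "")).lower()
    for value in (values if isinstance(values, list) else [values]):
        value = str(value).lower()
        if modifier == "startswith" and actual.startswith(value):
            return True
        if modifier == "endswith" and actual.endswith(value):
            return True
        if modifier == "contains" and value in actual:
            return True
        if modifier == "" and actual == value:
            return True
    return False


def match_selection(selection, event):
    # Sigma semantics: a map is AND across its fields, a list of maps is OR.
    maps = selection if isinstance(selection, list) else [selection]
    return any(all(match_field(k, v, event) for k, v in m.items()) for m in maps)


def rule_matches(rule, event):
    """Hand-coded for the condition shape both rules on this page use:
    '<all of selection_*> and not 1 of filter_main_* and not 1 of filter_optional_*'.
    This is not a general Sigma condition parser."""
    sel = rule["selections"]
    triggered = all(match_selection(v, event) for k, v in sel.items() if k.startswith("selection"))
    excluded = any(match_selection(v, event) for k, v in sel.items() if k.startswith("filter_"))
    return triggered and not excluded


# The crypto wallet rule from this page, transcribed into Python structures.
CRYPTO_WALLET_RULE = {
    "title": "Access To Crypto Currency Wallets By Uncommon Applications",
    "selections": {
        "selection": [
            {"FileName|contains": [
                "\\AppData\\Roaming\\Ethereum\\keystore\\",
                "\\AppData\\Roaming\\EthereumClassic\\keystore\\",
                "\\AppData\\Roaming\\monero\\wallets\\"]},
            {"FileName|endswith": [
                "\\AppData\\Roaming\\Bitcoin\\wallet.dat", "\\AppData\\Roaming\\BitcoinABC\\wallet.dat",
                "\\AppData\\Roaming\\BitcoinSV\\wallet.dat", "\\AppData\\Roaming\\DashCore\\wallet.dat",
                "\\AppData\\Roaming\\DogeCoin\\wallet.dat", "\\AppData\\Roaming\\Litecoin\\wallet.dat",
                "\\AppData\\Roaming\\Ripple\\wallet.dat", "\\AppData\\Roaming\\Zcash\\wallet.dat"]},
        ],
        # Only C:\ prefixes: the source of the "other partition" false positive.
        "filter_main_generic": {"Image|startswith": [
            "C:\\Program Files (x86)\\", "C:\\Program Files\\",
            "C:\\Windows\\system32\\", "C:\\Windows\\SysWOW64\\"]},
        "filter_main_system": {"Image": "System"},
        "filter_optional_defender": {
            "Image|endswith": ["\\MpCopyAccelerator.exe", "\\MsMpEng.exe"],
            "Image|startswith": "C:\\ProgramData\\Microsoft\\Windows Defender\\"},
    },
}

# Constructed sample events (Sysmon-style Image / FileName fields); not real telemetry.
EVENTS = [
    {"id": "wallet-on-c", "Image": "C:\\Program Files\\Bitcoin\\bitcoin-qt.exe",
     "FileName": "C:\\Users\\alice\\AppData\\Roaming\\Bitcoin\\wallet.dat"},
    {"id": "wallet-on-d", "Image": "D:\\Program Files\\Bitcoin\\bitcoin-qt.exe",  # the documented LoFP
     "FileName": "C:\\Users\\alice\\AppData\\Roaming\\Bitcoin\\wallet.dat"},
    {"id": "temp-binary", "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe",
     "FileName": "C:\\Users\\alice\\AppData\\Roaming\\Bitcoin\\wallet.dat"},
    {"id": "defender", "Image": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.0\\MsMpEng.exe",
     "FileName": "C:\\Users\\alice\\AppData\\Roaming\\Ethereum\\keystore\\UTC--2024--alice"},
]


def with_drive_agnostic_filter(rule):
    """Illustrative tuning (an assumption of this example, not the published rule):
    swap the C:\\-anchored startswith filter for a contains filter on the
    drive-relative prefix, so install paths on any partition are excluded."""
    tuned = copy.deepcopy(rule)
    tuned["selections"]["filter_main_generic"] = {"Image|contains": [
        ":\\Program Files (x86)\\", ":\\Program Files\\",
        ":\\Windows\\system32\\", ":\\Windows\\SysWOW64\\"]}
    return tuned


def alerting_event_ids(rule, events=EVENTS):
    """Return the ids of the events the rule would alert on, in input order."""
    return [e["id"] for e in events if rule_matches(rule, e)]


if __name__ == "__main__":
    print("published filter :", alerting_event_ids(CRYPTO_WALLET_RULE))
    print("drive-agnostic   :", alerting_event_ids(with_drive_agnostic_filter(CRYPTO_WALLET_RULE)))
```

With the published filter the wallet client installed under D:\Program Files\ alerts alongside the binary running from a Temp directory, while the identical client under C:\Program Files\ and the Defender engine are excluded; the drive-agnostic variant keeps only the Temp alert. The trade-off to weigh before adopting such a tuning is that a contains match on ":\Program Files\" accepts every drive letter, including removable or mapped volumes, so it is deliberately broader than the original startswith.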