CRITICAL: Browser Credential Stealer Special Report

DESCRIPTION LAST UPDATED: 2024-10-10

DEFAULT SEVERITY LEVEL: CRITICAL

This report contains browser credential stealer data reported to us by an external source (the credentials were likely stolen via AI-based software).

Shadowserver Special Reports are unlike all of our other standard free daily network reports. They do not cover a specific daily 24-hour time period.

Instead, we send out Special Reports in situations where we are able to share one-time, high-value datasets that we feel should be reported responsibly for maximum public benefit. In some incidents it is useful to notify potential victims about events or breaches that may have impacted them outside of the previous 24-hour period, since it can take a number of days for incident responders to conduct forensic investigations before analyzed data becomes available for sharing with potential victims. Although the events included in these Special Reports fall outside of our usual 24-hour daily reporting window, we believe there is still significant benefit to our constituents in receiving and, hopefully, acting on the retrospective data.

If you have missed a Special Report because you were NOT yet a subscriber at the time a report was pushed out, simply subscribe for your network now and specifically request all recent Shadowserver Special Reports – and we will regenerate them specifically for your network, at no cost.

Note that the data shared across Special Reports may differ on a case-by-case basis, hence the report formats for individual Special Reports may be different.

This Special Report has severity level CRITICAL set on all events. Severity levels are described here.

Filename prefix: 2024-09-10-special. Searchable by the API using 2024-09-10 date.

Fields

  • timestamp
    The timestamp has been set to "2024-09-10 00:00:00" to represent when this data set was reported.
  • ip
    IP address of the affected device.
  • port
    TCP or UDP port identified.
  • protocol
    Protocol associated with the malicious activity.
  • asn
    Autonomous System Number of the affected device.
  • geo
    Country of the affected device.
  • region
    Region of the affected device.
  • city
    City of the affected device.
  • hostname
    Hostname of the affected device (may be from reverse DNS).
  • naics
    North American Industry Classification System code.
  • sector
    Sector of the IP in question.
  • tag
    Tagged as ailures-browsercredential-stealer.
  • infection
    Description of the malware/infection.
  • public_source
    Source of the data.
  • status
    Status of the affected IP, for example, "compromised".
  • detail
    Log detail, recorded as pipe-delimited "Key: value" entries (see the Sample below).
  • account
    The Microsoft Windows user name of the infected user on the infected victim system.
  • method
    The bot method used.
  • severity
    Severity level.
  • hostname_source
    Hostname source.
  • first_seen_time
    Timestamp the device was first recorded.
  • last_seen_time
    Timestamp the device was last recorded.
  • potential_exposure_time
    The number of seconds between first and last seen times.
  • machine_name
    The Microsoft Windows computer host name of the infected victim system.
  • os_version
    The operating system version of the infected victim system.
  • logfile_name
    The log file name.
  • logfile_hash
    SHA-256 hash of the log file.

Sample

"timestamp","ip","port","protocol","asn","geo","region","city","hostname","naics","sector","tag","infection","public_source","status","detail","account","method","severity","hostname_source","first_seen_time","last_seen_time","potential_exposure_time","machine_name","os_version","logfile_name","logfile_hash"
"2024-09-10 00:00:00",192.168.0.1,,,64512,ZZ,Region,City,node01.example.com,0,Information,,ailures-browsercredential-stealer,,compromised,"ID BOT: Video Express AI-background|IP: 192.168.0.1|Time run: 05-09-2024 10-18-36|Username: PC-1023/pam|Timezone: (UTC)|OS: Microsoft Windows 10 Pro (10.0.19045) (64 bits)|CPU: Intel(R) Core(TM) i7-7700 CPU @ 3.60GHz | 4 core",pam,"Video Express AI-background",critical,ptr,"2024-09-05 15:18:42","2024-09-05 15:18:42",,PC-1023,"Microsoft Windows 10 Pro (10.0.19045) (64 bits)","ZZ_Video Express AI-background_05-09-2024 10-18-39.zip",02cb61e81c7d3831f516c7026dcac9972a6597011d556dc1dd1580e18705f2b5
"2024-09-10 00:00:01",192.168.0.2,,,64512,ZZ,Region,City,node02.example.com,0,Information,,ailures-browsercredential-stealer,,compromised,"ID BOT: Open AI Sora I-background|IP: 192.168.0.2|Time run: 05-09-2024 14-10-25|Username: PC-1024/sam|Timezone: (UTC)|OS: Microsoft Windows 10 Pro (10.0.19045) (64-bit)|CPU: Intel(R) Core(TM) i5-3550S CPU @ 3.00GHz | 4 core",sam,"Open AI Sora I-background",critical,ptr,"2024-09-05 15:10:37","2024-09-05 15:10:37",,PC-1024,"Microsoft Windows 10 Pro (10.0.19045) (64-bit)","ZZ_Open AI Sora I-background_05-09-2024 14-10-35.zip",81a8ee1b4621193f3fa581de62a80332f5b6fa385b156dc4779af8a8054b0861
"2024-09-10 00:00:02",192.168.0.3,,,64512,ZZ,Region,City,node03.example.com,0,,,ailures-browsercredential-stealer,,compromised,"ID BOT: Open AI Sora-background|IP: 192.168.0.3|Time run: 05-09-2024 08-00-50|Username: PC-1025/alice|Timezone: (UTC)|OS: Microsoft Windows 10 Pro (10.0.19045) (64 bits)|CPU: Intel(R) Core(TM) i5-9400 CPU @ 2.90GHz | 6 core",alice,"Open AI Sora-background",critical,,"2024-09-05 15:01:06","2024-09-05 15:01:06",,PC-1025,"Microsoft Windows 10 Pro (10.0.19045) (64 bits)","ZZ_Open AI Sora-background_05-09-2024 08-00-52.zip",c3f5a03d89988b6a4e77e7ef2c5d7437a601c600808effeee2a1803bc1cfce4f
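As an added example (not Shadowserver code), the following Python reads the report CSV above, splits the pipe-delimited "Key: value" entries of the detail column, and cross-checks them against the account, machine_name, os_version, method and ip columns before a row is used for victim notification. The embedded CSV is the header and first data row from this page's sample; the pipe inside the CPU value ("... | 4 core") is handled so it is not mistaken for a field separator.

```python
import csv
import io

# Constructed input: the header and first data row from this page's sample.
SAMPLE_CSV = (
    '"timestamp","ip","port","protocol","asn","geo","region","city","hostname",'
    '"naics","sector","tag","infection","public_source","status","detail",'
    '"account","method","severity","hostname_source","first_seen_time",'
    '"last_seen_time","potential_exposure_time","machine_name","os_version",'
    '"logfile_name","logfile_hash"\n'
    '"2024-09-10 00:00:00",192.168.0.1,,,64512,ZZ,Region,City,node01.example.com,'
    '0,Information,,ailures-browsercredential-stealer,,compromised,'
    '"ID BOT: Video Express AI-background|IP: 192.168.0.1|Time run: 05-09-2024 10-18-36'
    '|Username: PC-1023/pam|Timezone: (UTC)|OS: Microsoft Windows 10 Pro (10.0.19045) (64 bits)'
    '|CPU: Intel(R) Core(TM) i7-7700 CPU @ 3.60GHz | 4 core",pam,'
    '"Video Express AI-background",critical,ptr,"2024-09-05 15:18:42",'
    '"2024-09-05 15:18:42",,PC-1023,"Microsoft Windows 10 Pro (10.0.19045) (64 bits)",'
    '"ZZ_Video Express AI-background_05-09-2024 10-18-39.zip",'
    '02cb61e81c7d3831f516c7026dcac9972a6597011d556dc1dd1580e18705f2b5\n'
)


def parse_detail(detail):
    """Split the pipe-delimited 'Key: value' detail string into a dict.

    A segment without ': ' (the '| 4 core' tail of the CPU entry) is glued
    back onto the previous value so the pipe inside the CPU string survives.
    """
    fields, last_key = {}, None
    for segment in detail.split("|"):
        key, sep, value = segment.partition(": ")
        if sep:
            last_key = key.strip()
            fields[last_key] = value.strip()
        elif last_key is not None:
            fields[last_key] += " | " + segment.strip()
    return fields


def load_rows(csv_text):
    """Read report rows into dicts keyed by the header names."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def cross_check(row):
    """Return mismatches between the detail entries and top-level columns.

    An empty list means the row is internally consistent; the Username entry
    is 'MACHINE/user', so it is split to compare with machine_name and account.
    """
    d = parse_detail(row["detail"])
    machine, _, user = d.get("Username", "").partition("/")
    pairs = {"account": (row["account"], user),
             "machine_name": (row["machine_name"], machine),
             "os_version": (row["os_version"], d.get("OS", "")),
             "method": (row["method"], d.get("ID BOT", "")),
             "ip": (row["ip"], d.get("IP", ""))}
    return [f"{c}: column={a!r} detail={b!r}" for c, (a, b) in pairs.items() if a != b]
```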
