win.chrgetpdsi_stealer

ChrGetPdsi Stealer


ChrGetPdsi is a basic infostealer written in Golang that is designed to steal browser history and logins; it targets Chrome, Edge, and Firefox. The output is written to a text file named chrgetpdsi.txt. Based on the samples analysed, the malware does not appear to have networking capabilities, so it is likely intended for a post-compromise situation in which the attacker already has access to the target system and can retrieve the created output file via other means. ChrGetPdsi has been observed being deployed by the Broomstick malware.

References
2024-06-17 · Rapid7 · Rapid7
Malvertising Campaign Leads to Execution of Oyster Backdoor
Broomstick ChrGetPdsi Stealer
2024-01-05 · IBM · IBM X-Force Exchange
Tomb Crypter and ChrGetPdsi Stealer Analysis Report (INT00011701)
Broomstick ChrGetPdsi Stealer
Yara Rules
[TLP:WHITE] win_chrgetpdsi_stealer_auto (20260504 | Detects win.chrgetpdsi_stealer.)
/*
 * Code-sequence signature for the ChrGetPdsi infostealer (win.chrgetpdsi_stealer).
 *
 * Each $sequence_N below is a run of seven x86-64 instructions taken from the
 * disassembly of unpacked samples / memory dumps (see the generator disclaimer).
 * The "??" wildcards appear to mask operands that vary between builds (call
 * targets, RIP-relative displacements). Because the patterns come from
 * unpacked code, scan unpacked files or memory images rather than packed
 * droppers; a packed sample will not expose these byte runs on disk.
 *
 * The per-instruction comments under each sequence are a 64-bit decoding of
 * the listed bytes. The disassembly column emitted by the generator for this
 * rule did not correspond to those bytes, so it has been replaced here.
 */
rule win_chrgetpdsi_stealer_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.chrgetpdsi_stealer."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.chrgetpdsi_stealer"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Compare-and-shift loop fragment; the nop is alignment padding.
        $sequence_0 = { 803800 7532 488b5008 4889d9 48c1eb06 660f1f440000 48395810 }
            // n = 7, score = 500
            //   803800               | cmp                 byte ptr [rax], 0
            //   7532                 | jne                 short +0x32
            //   488b5008             | mov                 rdx, qword ptr [rax + 8]
            //   4889d9               | mov                 rcx, rbx
            //   48c1eb06             | shr                 rbx, 6
            //   660f1f440000         | nop                 word ptr [rax + rax]
            //   48395810             | cmp                 qword ptr [rax + 0x10], rbx

        // Indirect call followed by loading two fields from a stack-held pointer
        // and a RIP-relative address before a (wildcarded) direct call.
        $sequence_1 = { ffd2 488b4c2478 488b5940 488b5148 488d05723b1400 4889d1 e8???????? }
            // n = 7, score = 500
            //   ffd2                 | call                rdx
            //   488b4c2478           | mov                 rcx, qword ptr [rsp + 0x78]
            //   488b5940             | mov                 rbx, qword ptr [rcx + 0x40]
            //   488b5148             | mov                 rdx, qword ptr [rcx + 0x48]
            //   488d05723b1400       | lea                 rax, [rip + 0x143b72]
            //   4889d1               | mov                 rcx, rdx
            //   e8????????           | call                rel32 (target wildcarded)

        // Function epilogue (ret) followed by the start of the next function:
        // two calls, two RIP-relative address loads, a nop, and a call.
        $sequence_2 = { c3 e8???????? e8???????? 488d0548981800 488d1d31832000 90 e8???????? }
            // n = 7, score = 500
            //   c3                   | ret
            //   e8????????           | call                rel32 (target wildcarded)
            //   e8????????           | call                rel32 (target wildcarded)
            //   488d0548981800       | lea                 rax, [rip + 0x189848]
            //   488d1d31832000       | lea                 rbx, [rip + 0x208331]
            //   90                   | nop
            //   e8????????           | call                rel32 (target wildcarded)

        // Stores a global into a large stack frame (0x6a8) and tests another
        // global against zero; both global displacements are wildcarded.
        $sequence_3 = { e8???????? 488b0d???????? 48898c24a8060000 488d05734e1900 e8???????? 833d????????00 750e }
            // n = 7, score = 500
            //   e8????????           | call                rel32 (target wildcarded)
            //   488b0d????????       | mov                 rcx, qword ptr [rip + disp32] (displacement wildcarded)
            //   48898c24a8060000     | mov                 qword ptr [rsp + 0x6a8], rcx
            //   488d05734e1900       | lea                 rax, [rip + 0x194e73]
            //   e8????????           | call                rel32 (target wildcarded)
            //   833d????????00       | cmp                 dword ptr [rip + disp32], 0 (displacement wildcarded)
            //   750e                 | jne                 short +0xe

        // Sign-extends a 32-bit field and negates it when negative.
        $sequence_4 = { 85db 754d 8b5920 4863411c 85c0 7924 48f7d8 }
            // n = 7, score = 500
            //   85db                 | test                ebx, ebx
            //   754d                 | jne                 short +0x4d
            //   8b5920               | mov                 ebx, dword ptr [rcx + 0x20]
            //   4863411c             | movsxd              rax, dword ptr [rcx + 0x1c]
            //   85c0                 | test                eax, eax
            //   7924                 | jns                 short +0x24
            //   48f7d8               | neg                 rax

        // Sets a flag word to 1, reloads a counter from [r12 + 0x58] and
        // branches backwards while it is non-zero (loop tail).
        $sequence_5 = { e9???????? c70301000000 458b4c2458 89442430 4585c9 0f85cdfdffff 31c9 }
            // n = 7, score = 500
            //   e9????????           | jmp                 rel32 (target wildcarded)
            //   c70301000000         | mov                 dword ptr [rbx], 1
            //   458b4c2458           | mov                 r9d, dword ptr [r12 + 0x58]
            //   89442430             | mov                 dword ptr [rsp + 0x30], eax
            //   4585c9               | test                r9d, r9d
            //   0f85cdfdffff         | jne                 near -0x233 (backward branch)
            //   31c9                 | xor                 ecx, ecx

        // Two alternative paths that each store a RIP-relative address into an
        // object at offsets 0x68 / 0x70.
        $sequence_6 = { e9???????? 488d15d94f2300 48895068 e9???????? 488d15c14f2300 48895070 4889d0 }
            // n = 7, score = 500
            //   e9????????           | jmp                 rel32 (target wildcarded)
            //   488d15d94f2300       | lea                 rdx, [rip + 0x234fd9]
            //   48895068             | mov                 qword ptr [rax + 0x68], rdx
            //   e9????????           | jmp                 rel32 (target wildcarded)
            //   488d15c14f2300       | lea                 rdx, [rip + 0x234fc1]
            //   48895070             | mov                 qword ptr [rax + 0x70], rdx
            //   4889d0               | mov                 rax, rdx

        // Reloads two stack slots between calls, then passes a RIP-relative
        // pointer in rax with length 0xf in ebx — consistent with the Go
        // register ABI passing a 15-byte string (presumption, not verified).
        $sequence_7 = { e8???????? 488b442438 488b5c2428 e8???????? 488d0584982e00 bb0f000000 e8???????? }
            // n = 7, score = 500
            //   e8????????           | call                rel32 (target wildcarded)
            //   488b442438           | mov                 rax, qword ptr [rsp + 0x38]
            //   488b5c2428           | mov                 rbx, qword ptr [rsp + 0x28]
            //   e8????????           | call                rel32 (target wildcarded)
            //   488d0584982e00       | lea                 rax, [rip + 0x2e9884]
            //   bb0f000000           | mov                 ebx, 0xf
            //   e8????????           | call                rel32 (target wildcarded)

        // Unrolled 16-byte block copy (movdqu/movups) from [rax] to [r10].
        // NOTE(review): this looks like a generic runtime memmove helper rather
        // than family-specific code; expect it to match many Go binaries, so it
        // contributes little specificity on its own.
        $sequence_8 = { f30f6f6810 410f116a18 f30f6f6020 410f116228 f30f6f6830 410f116a38 f30f6f6040 }
            // n = 7, score = 500
            //   f30f6f6810           | movdqu              xmm5, xmmword ptr [rax + 0x10]
            //   410f116a18           | movups              xmmword ptr [r10 + 0x18], xmm5
            //   f30f6f6020           | movdqu              xmm4, xmmword ptr [rax + 0x20]
            //   410f116228           | movups              xmmword ptr [r10 + 0x28], xmm4
            //   f30f6f6830           | movdqu              xmm5, xmmword ptr [rax + 0x30]
            //   410f116a38           | movups              xmmword ptr [r10 + 0x38], xmm5
            //   f30f6f6040           | movdqu              xmm4, xmmword ptr [rax + 0x40]

        // Compares ecx against two 32-bit constants and then a RIP-relative
        // pointer against rax; presumably a compiler-generated hash/type switch
        // (the constants are build-specific — confirm before reusing elsewhere).
        $sequence_9 = { 81f992d74abd 0f8783000000 0f1f00 81f90241adbb 7538 488d0d911c2c00 4839c8 }
            // n = 7, score = 500
            //   81f992d74abd         | cmp                 ecx, 0xbd4ad792
            //   0f8783000000         | ja                  near +0x83
            //   0f1f00               | nop                 dword ptr [rax]
            //   81f90241adbb         | cmp                 ecx, 0xbbad4102
            //   7538                 | jne                 short +0x38
            //   488d0d911c2c00       | lea                 rcx, [rip + 0x2c1c91]
            //   4839c8               | cmp                 rax, rcx

    condition:
        // At least 7 of the 10 sequences must be present, and the scanned
        // object must be smaller than 10027008 bytes (0x990000, ~9.56 MiB).
        // The size bound limits scan cost and excludes large unrelated files;
        // it also means oversized memory regions will never match.
        7 of them and filesize < 10027008
}