New Go-based Bandit Stealer aims multiple browsers & cryptocurrency wallets

This article analyses Bandit Stealer, a brand-new Go-based info stealer that targets several browsers and cryptocurrency wallets while exhibiting the ability to evade detection.


Evasion:

  • To determine whether it is running in a sandbox, Bandit Stealer looks for the following strings: container, jail, KVM, QEMU, sandbox, Virtual Machine, VirtualBox, VMware, Xen
  • The malware uses os_user_Current to get the current username and os_hostname to get the device name. After checking the IP address, MAC address, HWID and username against its blacklist, it terminates any running processes that match its list of malware-analysis tools. The blacklisted processes are: httpdebuggerui, wireshark, fiddler, regedit, cmd, taskmgr, vboxservice, df5serv, peocesshacker, vboxtray, vmtoolsd, vmwaretray, ida64, ollydbg, pestudio, vmwareuser, vgauthservice, vmacthlp, x96dbg, vmsrvc, x32dbg, vmusrvc, prl_cc, prl_tools, xenservice, qemu-ga, joeboxcontrol, ksdumperclient, ksdumper, joeboxserver
  • The malware terminates the blacklisted processes using the pgrep and pkill Linux-specific commands.

Persistence:

  • It will create an autorun registry entry with a value name “BANDIT STEALER” to ensure that the malware is executed every time the infected system starts up or restarts.

Collects the victim's data:

  • Once persistence is established, Bandit Stealer collects the victim's information and stores it in a “vicinfo” folder under \AppData\Local\.
  • After gathering all the information, the malware saves it in a file named "userinfo.txt" within the \AppData\Local\vicinfo\ folder.
  • The following information will be stolen from the victim’s browser: Login data, Cookies, Web history, Credit card details
  • The following cryptocurrencies will be collected: Bitcoin, Litecoin, Dash, Ethereum, Electrum, Exodus, Atomic

Send the victim’s information:

  • The screenshot below shows the Telegram bot ID and chat ID (top), and the endpoint to which Bandit Stealer sends the data, https[:]//api[.]telegram[.]org/bot%s/sendDocument, with the filename “%localappdata%\{Victim’s IP Address}.zip” (bottom).
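As an added example that is not part of the article or of any vendor tooling, the Python below triages constructed host telemetry (autorun entries, file paths, outbound URLs) against the host- and network-level indicators listed above: the “BANDIT STEALER” autorun value name, the \AppData\Local\vicinfo staging folder, the IP-named zip archive, and the Telegram sendDocument endpoint. All sample values, including the bot token placeholder, are constructed.

```python
import re
from typing import Dict, List

# Indicators taken from the Bandit Stealer write-up above.
AUTORUN_VALUE_NAME = "BANDIT STEALER"
STAGING_DIR = r"\AppData\Local\vicinfo"
# bot<token>/sendDocument on api.telegram.org (token is per-operator, so match any).
TELEGRAM_EXFIL_RE = re.compile(r"https?://api\.telegram\.org/bot[^/\s]+/sendDocument", re.I)
# %localappdata%\<victim IPv4>.zip
EXFIL_ZIP_RE = re.compile(r"\\AppData\\Local\\\d{1,3}(?:\.\d{1,3}){3}\.zip$", re.I)


def check_autorun(entries: Dict[str, str]) -> List[str]:
    """entries maps autorun value name -> command line (e.g. exported from a Run key)."""
    return [f"autorun value '{name}' -> {cmd}" for name, cmd in entries.items()
            if name.strip().upper() == AUTORUN_VALUE_NAME]


def check_paths(paths: List[str]) -> List[str]:
    """Flag the staging folder and the IP-named archive described in the write-up."""
    hits = []
    for p in paths:
        if STAGING_DIR.lower() in p.lower():
            hits.append(f"staging path: {p}")
        if EXFIL_ZIP_RE.search(p):
            hits.append(f"exfil archive named after victim IP: {p}")
    return hits


def check_urls(urls: List[str]) -> List[str]:
    return [f"telegram sendDocument exfil: {u}" for u in urls if TELEGRAM_EXFIL_RE.search(u)]


def triage(entries: Dict[str, str], paths: List[str], urls: List[str]) -> List[str]:
    return check_autorun(entries) + check_paths(paths) + check_urls(urls)


# Constructed sample telemetry (hypothetical host, not real data).
SAMPLE_AUTORUN = {"OneDrive": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
                  "BANDIT STEALER": r"C:\Users\alice\AppData\Local\Temp\svc.exe"}
SAMPLE_PATHS = [r"C:\Users\alice\AppData\Local\vicinfo\userinfo.txt",
                r"C:\Users\alice\AppData\Local\203.0.113.7.zip",
                r"C:\Users\alice\AppData\Local\Microsoft\Edge\User Data"]
SAMPLE_URLS = ["https://api.telegram.org/botPLACEHOLDER_TOKEN/sendDocument",
               "https://www.example.com/index.html"]

if __name__ == "__main__":
    for finding in triage(SAMPLE_AUTORUN, SAMPLE_PATHS, SAMPLE_URLS):
        print(finding)
```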
