Krypton Stealer – Credential Stealer

Krypton Stealer is a credential stealing spyware tool sold through a number of hacking forums and dark web sites.

As Krypton is sold directly to attackers it is likely that multiple methods are used to distribute it; however, as of the time of publication it has only been observed as a payload in spam campaigns.

Once installed, Krypton will collect system and user information before sending it to a command and control (C2) server. It will then attempt to extract credentials from the following applications:

• Multiple web browsers including Google Chrome, Mozilla Firefox, and Microsoft Edge and Internet Explorer.
• The ProtonVPN and NordVPN VPNapplications.
• Messaging applications including WhatsApp and Telegram.
• FTP clients such as FileZilla, Total Command and WinSCP.

Any extracted credentials are stored within TXT files and sent to the C2 server. You can read the full report on this malware here.

Indicators of Compromise

Hashes

a84f1fe984e6fb04af0e029b67245f2167bcec766959f5033bfbf5ac00f0d396 – kryp_XoxoxolUa_6.8_22.59.exe – krypton stealer binary

c5bc8c7d3b78d7e7b1ffa25130983e8498e127bb5fe2e2a05adb0838c7f6fb4a – kryp_XoxoxolUa_6.8_22.59.rar – krypton stealer archive

Command & Control Server

f0304768[.]xsph[.]ru

PDB File

krypton8.pdb