chrome.exe

  • File Path: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
  • Description: Google Chrome

Screenshot

chrome.exe

Hashes

Type Hash
MD5 184AC5D5E7A81024DD8B3A961ED70735
SHA1 C571FC25BE6876C37C47C0F90BB8D1550F3A843F
SHA256 7CF0BB881E8EE0B4ED43D73B4ECA634F9C1B14D2DE4DE916177BB4ED2939F16E
SHA384 2F64B9479612AA8D85BD602E3E529708AC88C6DD50C26E16F2C5472581F59E4DCA037E41830AB6B1F7692F4F75E4F2B8
SHA512 43C42D00CD5CA5B0D7612C17C4FF112290B46583EB456EFC98A2B27DF8CC1B4146686F7D1C5081E5AFD8B0280F8B5E2531C4E20B9C19CEFAE591FCE0FAE285DB
SSDEEP 24576:RmduWOgCPLdX/JmrLAWZ71C6/63V1b2vxB7CT2fg10oi:RmEWO/PLTuLrZpCnF1Kv/WTC

Runtime Data

Child Processes:

chrome.exe chrome.exe chrome.exe chrome.exe chrome.exe chrome.exe chrome.exe chrome.exe chrome.exe

Signature

  • Status: Signature verified.
  • Serial: 0C15BE4A15BB0903C901B1D6C265302F
  • Thumbprint: CB7E84887F3C6015FE7EDFB4F8F36DF7DC10590E
  • Issuer: CN=DigiCert SHA2 Assured ID Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US
  • Subject: CN=Google LLC, O=Google LLC, L=Mountain View, S=ca, C=US

File Metadata

  • Original Filename: chrome.exe
  • Product Name: Google Chrome
  • Company Name: Google LLC
  • File Version: 84.0.4147.125
  • Product Version: 84.0.4147.125
  • Language: English (United States)
  • Legal Copyright: Copyright 2020 Google LLC. All rights reserved.

Possible Misuse

The following table contains possible examples of chrome.exe being misused. While chrome.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma proxy_apt40.yml c-useragent: 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36' DRL 1.0
sigma proxy_ua_apt.yml - 'Mozilla/5.0 (Windows NT 6.1; WOW64) Chrome/28.0.1500.95 Safari/537.36' # Hidden Cobra malware DRL 1.0
sigma proxy_ua_apt.yml - 'Mozilla/5.0 Chrome/72.0.3626.109 Safari/537.36' # SideWalk malware used by Sparkling Goblin DRL 1.0
sigma proxy_ua_frameworks.yml - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.13 (KHTML, like Gecko) Chrome/4.0.221.6 Safari/525.13' DRL 1.0
sigma proxy_ua_malware.yml - 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:53.0) Gecko/20100101 Chrome /53.0' # DargonOK DRL 1.0
sigma web_exchange_exploitation_hafnium.yml - 'Mozilla/5.0+(X11;+Linux+x86_64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/51.0.2704.103+Safari/537.36' DRL 1.0
sigma win_suspicious_outbound_kerberos_connection.yml - '\chrome.exe' DRL 1.0
sigma win_user_driver_loaded.yml - '\Google\Chrome\Application\chrome.exe' DRL 1.0
sigma win_alert_lsass_access.yml - Google Chrome GoogleUpdate.exe DRL 1.0
sigma dns_query_win_susp_ipify.yml - \chrome.exe DRL 1.0
sigma file_event_win_mal_vhd_download.yml - chrome.exe DRL 1.0
sigma net_connection_win_suspicious_outbound_kerberos_connection.yml - '\chrome.exe' DRL 1.0
sigma net_connection_win_susp_rdp.yml - '\chrome.exe' DRL 1.0
sigma pipe_created_susp_cobaltstrike_pipe_patterns.yml - Chrome instances using the exactly same name pipe named mojo.something DRL 1.0
sigma posh_ps_access_to_browser_login_data.yml - '\Google\Chrome\User Data\Default\Login Data' DRL 1.0
sigma posh_ps_access_to_browser_login_data.yml - '\Google\Chrome\User Data\Default\Login Data For Account' DRL 1.0
sigma posh_ps_access_to_chrome_login_data.yml title: Accessing Encrypted Credentials from Google Chrome Login Database DRL 1.0
sigma posh_ps_access_to_chrome_login_data.yml - '\Google\Chrome\User Data\Default\Login Data' DRL 1.0
sigma posh_ps_access_to_chrome_login_data.yml - '\Google\Chrome\User Data\Default\Login Data For Account' DRL 1.0
sigma proc_creation_win_headless_browser_file_download.yml - '\chrome.exe' DRL 1.0
sigma proc_creation_win_plugx_susp_exe_locations.yml Image\|contains: '\Google\Chrome\application\' DRL 1.0
sigma proc_creation_win_susp_powershell_parent_process.yml - '\chrome.exe' DRL 1.0
sigma registry_event_chrome_extension.yml title: Running Chrome VPN Extensions via the Registry 2 VPN Extension DRL 1.0
sigma registry_event_chrome_extension.yml description: Running Chrome VPN Extensions via the Registry install 2 vpn extension DRL 1.0
sigma registry_event_chrome_extension.yml - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1133/T1133.md#atomic-test-1---running-chrome-vpn-extensions-via-the-registry-2-vpn-extension DRL 1.0
sigma registry_event_chrome_extension.yml TargetObject\|contains: 'Software\Wow6432Node\Google\Chrome\Extensions' DRL 1.0
sigma registry_event_chrome_extension.yml - klnkiajpmpkkkgpgbogmcgfjhdoljacg # Free VPN for Chrome DRL 1.0
sigma registry_event_dns_over_https_enabled.yml TargetObject\|endswith: '\SOFTWARE\Google\Chrome\DnsOverHttpsMode' DRL 1.0
sigma registry_event_runonce_persistence.yml Details\|startswith: '"C:\Program Files\Google\Chrome\Application\' DRL 1.0
sigma sysmon_process_hollowing.yml - '\chrome.exe' DRL 1.0
malware-ioc badiis.yar $p4 = "X-Chrome-Variations" © ESET 2014-2018
malware-ioc misp-badiis.json "value": "COM_InterProt, X-Chrome-Variations", © ESET 2014-2018
malware-ioc misp-badiis.json "value": "Sense-Pwd, X-Chrome-Variations", © ESET 2014-2018
malware-ioc misp-badiis.json "value": "X-Password, X-Chrome-Variations", © ESET 2014-2018
malware-ioc misp-badiis.json "value": "XXXYYY-Ref, X-Chrome-Variations", © ESET 2014-2018
malware-ioc badiis * COM_InterProt, X-Chrome-Variations``{:.highlight .language-cmhg} © ESET 2014-2018
malware-ioc badiis * Sense-Pwd, X-Chrome-Variations``{:.highlight .language-cmhg} © ESET 2014-2018
malware-ioc badiis * X-Password, X-Chrome-Variations``{:.highlight .language-cmhg} © ESET 2014-2018
malware-ioc badiis * XXXYYY-Ref, X-Chrome-Variations``{:.highlight .language-cmhg} © ESET 2014-2018
malware-ioc misp-machete-event.json "value": "Chrome.exe", © ESET 2014-2018
malware-ioc misp-machete-event.json "value": "chrome.sfx.exe", © ESET 2014-2018
malware-ioc machete === Chrome.exe © ESET 2014-2018
malware-ioc machete \|03929A5530639C1D9DBD395A298C59FD7EFF1DEC\|chrome.sfx.exe © ESET 2014-2018
malware-ioc machete \|0AC64E08E63601AD9D6A4EF019E5B374784AF80A\|chrome.sfx.exe © ESET 2014-2018
malware-ioc machete \|161629F63422AB34108854662313F87A278DD7F5\|chrome.sfx.exe © ESET 2014-2018
malware-ioc machete \|67ECBC1E9A66719C599E6DDED33A85F70DACA13E\|chrome.sfx.exe © ESET 2014-2018
malware-ioc mispadu === Google Chrome extension © ESET 2014-2018
malware-ioc mispadu \| 8B950BF660AA7B5FB619E1F6E665D348BF56C86A \| Google Chrome credential stealer \| Win32/PSWTool.ChromePass.A © ESET 2014-2018
malware-ioc 2020_Q2 === Chrome addons © ESET 2014-2018
malware-ioc stantinko.yar $x1 = "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.71 Safari/537.36" fullword ascii © ESET 2014-2018
malware-ioc misp-turla-crutch-event.json "value": "%PROGRAMFILES%\\(x86)\\Google\\Chrome\\Application\\dwmapi.dll", © ESET 2014-2018
malware-ioc turla * ++C:\Program Files (x86)\Google\Chrome\Application\dwmapi.dll++``{:.highlight .language-cmhg} © ESET 2014-2018
atomic-red-team index.md - Atomic Test #1: Run Chrome-password Collector [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #4: Simulating access to Chrome Login Data [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #1: Chrome (Developer Mode) [linux, windows, macos] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #2: Chrome (Chrome Web Store) [linux, windows, macos] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #1: Running Chrome VPN Extensions via the Registry 2 vpn extension [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #3: List Google Chrome Bookmark JSON Files on macOS [macos] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #4: List Google Chrome / Opera Bookmarks on Windows with powershell [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #5: List Google Chrome / Edge Chromium Bookmarks on Windows with command prompt [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #7: Headless Chrome code execution via VBA [windows] MIT License. © 2018 Red Canary
atomic-red-team linux-index.md - Atomic Test #1: Chrome (Developer Mode) [linux, windows, macos] MIT License. © 2018 Red Canary
atomic-red-team linux-index.md - Atomic Test #2: Chrome (Chrome Web Store) [linux, windows, macos] MIT License. © 2018 Red Canary
atomic-red-team macos-index.md - Atomic Test #3: List Google Chrome Bookmark JSON Files on macOS [macos] MIT License. © 2018 Red Canary
atomic-red-team macos-index.md - Atomic Test #1: Chrome (Developer Mode) [linux, windows, macos] MIT License. © 2018 Red Canary
atomic-red-team macos-index.md - Atomic Test #2: Chrome (Chrome Web Store) [linux, windows, macos] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #1: Run Chrome-password Collector [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #4: Simulating access to Chrome Login Data [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #1: Chrome (Developer Mode) [linux, windows, macos] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #2: Chrome (Chrome Web Store) [linux, windows, macos] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #1: Running Chrome VPN Extensions via the Registry 2 vpn extension [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #4: List Google Chrome / Opera Bookmarks on Windows with powershell [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #5: List Google Chrome / Edge Chromium Bookmarks on Windows with command prompt [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #7: Headless Chrome code execution via VBA [windows] MIT License. © 2018 Red Canary
atomic-red-team T1133.md - Atomic Test #1 - Running Chrome VPN Extensions via the Registry 2 vpn extension MIT License. © 2018 Red Canary
atomic-red-team T1133.md ## Atomic Test #1 - Running Chrome VPN Extensions via the Registry 2 vpn extension MIT License. © 2018 Red Canary
atomic-red-team T1133.md Running Chrome VPN Extensions via the Registry install 2 vpn extension, please see “T1133\src\list of vpn extension.txt” to view complete list MIT License. © 2018 Red Canary
atomic-red-team T1133.md | chrome_url | chrome installer download URL | Url | https://dl.google.com/tag/s/appguid%3D%7B8A69D345-D564-463C-AFF1-A69D9E530F96%7D%26iid%3D%7BFD62DDBC-14C6-20BD-706F-C7744738E422%7D%26lang%3Den%26browser%3D3%26usagestats%3D0%26appname%3DGoogle%2520Chrome%26needsadmin%3Dprefers%26ap%3Dx64-stable-statsdef_1%26installdataindex%3Dempty/chrome/install/ChromeStandaloneSetup64.exe| MIT License. © 2018 Red Canary
atomic-red-team T1133.md | extension_id | chrome extension id | String | “fcfhplploccackoneaefokcmbjfbkenj”, “fdcgdnkidjaadafnichfpabhfomcebme”| MIT License. © 2018 Red Canary
atomic-red-team T1133.md New-Item -Path HKLM:\Software\Wow6432Node\Google\Chrome\Extensions$extension -Force MIT License. © 2018 Red Canary
atomic-red-team T1133.md New-ItemProperty -Path “HKLM:\Software\Wow6432Node\Google\Chrome\Extensions$extension” -Name “update_url” -Value “https://clients2.google.com/service/update2/crx” -PropertyType “String” -Force} MIT License. © 2018 Red Canary
atomic-red-team T1133.md Start chrome MIT License. © 2018 Red Canary
atomic-red-team T1133.md Stop-Process -Name “chrome” MIT License. © 2018 Red Canary
atomic-red-team T1133.md Remove-Item -Path “HKLM:\Software\Wow6432Node\Google\Chrome\Extensions$extension” -ErrorAction Ignore} MIT License. © 2018 Red Canary
atomic-red-team T1133.md ##### Description: Chrome must be installed MIT License. © 2018 Red Canary
atomic-red-team T1133.md if ((Test-Path “C:\Program Files\Google\Chrome\Application\chrome.exe”) -Or (Test-Path “C:\Program Files (x86)\Google\Chrome\Application\chrome.exe”)) {exit 0} else {exit 1} MIT License. © 2018 Red Canary
atomic-red-team T1176.md <blockquote>Adversaries may abuse Internet browser extensions to establish persistent access to victim systems. Browser extensions or plugins are small programs that can add functionality and customize aspects of Internet browsers. They can be installed directly or through a browser’s app store and generally have access and permissions to everything that the browser can access.(Citation: Wikipedia Browser Extension)(Citation: Chrome Extensions Definition) MIT License. © 2018 Red Canary
atomic-red-team T1176.md Malicious extensions can be installed into a browser through malicious app store downloads masquerading as legitimate extensions, through social engineering, or by an adversary that has already compromised a system. Security can be limited on browser app stores so it may not be difficult for malicious extensions to defeat automated scanners.(Citation: Malicious Chrome Extension Numbers) Depending on the browser, adversaries may also manipulate an extension’s update url to install updates from an adversary controlled server or manipulate the mobile configuration file to silently install additional extensions. MIT License. © 2018 Red Canary
atomic-red-team T1176.md Previous to macOS 11, adversaries could silently install browser extensions via the command line using the profiles tool to install malicious .mobileconfig files. In macOS 11+, the use of the profiles tool can no longer install configuration profiles, however .mobileconfig files can be planted and installed with user interaction.(Citation: xorrior chrome extensions macOS) MIT License. © 2018 Red Canary
atomic-red-team T1176.md Once the extension is installed, it can browse to websites in the background,(Citation: Chrome Extension Crypto Miner)(Citation: ICEBRG Chrome Extensions) steal all information that a user enters into a browser (including credentials)(Citation: Banker Google Chrome Extension Steals Creds)(Citation: Catch All Chrome Extension) and be used as an installer for a RAT for persistence. MIT License. © 2018 Red Canary
atomic-red-team T1176.md There have also been instances of botnets using a persistent backdoor through malicious Chrome extensions.(Citation: Stantinko Botnet) There have also been similar examples of extensions being used for command & control.(Citation: Chrome Extension C2 Malware)</blockquote> MIT License. © 2018 Red Canary
atomic-red-team T1176.md - Atomic Test #1 - Chrome (Developer Mode) MIT License. © 2018 Red Canary
atomic-red-team T1176.md - Atomic Test #2 - Chrome (Chrome Web Store) MIT License. © 2018 Red Canary
atomic-red-team T1176.md ## Atomic Test #1 - Chrome (Developer Mode) MIT License. © 2018 Red Canary
atomic-red-team T1176.md Turn on Chrome developer mode and Load Extension found in the src directory MIT License. © 2018 Red Canary
atomic-red-team T1176.md 1. Navigate to chrome://extensions and MIT License. © 2018 Red Canary
atomic-red-team T1176.md ## Atomic Test #2 - Chrome (Chrome Web Store) MIT License. © 2018 Red Canary
atomic-red-team T1176.md Install the “Minimum Viable Malicious Extension” Chrome extension MIT License. © 2018 Red Canary
atomic-red-team T1176.md 1. Navigate to https://chrome.google.com/webstore/detail/minimum-viable-malicious/odlpfdolehmhciiebahbpnaopneicend MIT License. © 2018 Red Canary
atomic-red-team T1176.md in Chrome MIT License. © 2018 Red Canary
atomic-red-team T1176.md 2. Click ‘Add to Chrome’ MIT License. © 2018 Red Canary
atomic-red-team T1204.002.md - Atomic Test #7 - Headless Chrome code execution via VBA MIT License. © 2018 Red Canary
atomic-red-team T1204.002.md ## Atomic Test #7 - Headless Chrome code execution via VBA MIT License. © 2018 Red Canary
atomic-red-team T1204.002.md This module uses Google Chrome combined with ScriptControl to achieve code execution. It spawns a local MIT License. © 2018 Red Canary
atomic-red-team T1204.002.md webserver hosting our malicious payload. Headless Google Chrome will then reach out to this webserver MIT License. © 2018 Red Canary
atomic-red-team T1204.002.md ##### Description: Google Chrome must be installed MIT License. © 2018 Red Canary
atomic-red-team T1204.002.md $chromeInstalled = (Get-Item (Get-ItemProperty ‘HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe’).’(Default)’).VersionInfo.FileName MIT License. © 2018 Red Canary
atomic-red-team T1204.002.md Write-Host “You will need to install Google Chrome manually to meet this requirement” MIT License. © 2018 Red Canary
atomic-red-team T1217.md - Atomic Test #3 - List Google Chrome Bookmark JSON Files on macOS MIT License. © 2018 Red Canary
atomic-red-team T1217.md - Atomic Test #4 - List Google Chrome / Opera Bookmarks on Windows with powershell MIT License. © 2018 Red Canary
atomic-red-team T1217.md - Atomic Test #5 - List Google Chrome / Edge Chromium Bookmarks on Windows with command prompt MIT License. © 2018 Red Canary
atomic-red-team T1217.md ## Atomic Test #3 - List Google Chrome Bookmark JSON Files on macOS MIT License. © 2018 Red Canary
atomic-red-team T1217.md Searches for Google Chrome’s Bookmark file (on macOS) that contains bookmarks in JSON format and lists any found instances to a text file. MIT License. © 2018 Red Canary
atomic-red-team T1217.md | output_file | Path where captured results will be placed. | Path | /tmp/T1217-Chrome.txt| MIT License. © 2018 Red Canary
atomic-red-team T1217.md find / -path “/Google/Chrome//Bookmarks” -exec echo {} » #{output_file} \; MIT License. © 2018 Red Canary
atomic-red-team T1217.md ## Atomic Test #4 - List Google Chrome / Opera Bookmarks on Windows with powershell MIT License. © 2018 Red Canary
atomic-red-team T1217.md Searches for Google Chrome’s and Opera’s Bookmarks file (on Windows distributions) that contains bookmarks. MIT License. © 2018 Red Canary
atomic-red-team T1217.md ## Atomic Test #5 - List Google Chrome / Edge Chromium Bookmarks on Windows with command prompt MIT License. © 2018 Red Canary
atomic-red-team T1555.003.md For example, on Windows systems, encrypted credentials may be obtained from Google Chrome by reading a database file, AppData\Local\Google\Chrome\User Data\Default\Login Data and executing a SQL query: SELECT action_url, username_value, password_value FROM logins;. The plaintext password can then be obtained by passing the encrypted credentials to the Windows API function CryptUnprotectData, which uses the victim’s cached logon credentials as the decryption key. (Citation: Microsoft CryptUnprotectData April 2018) MIT License. © 2018 Red Canary
atomic-red-team T1555.003.md - Atomic Test #1 - Run Chrome-password Collector MIT License. © 2018 Red Canary
atomic-red-team T1555.003.md - Atomic Test #4 - Simulating access to Chrome Login Data MIT License. © 2018 Red Canary
atomic-red-team T1555.003.md ## Atomic Test #1 - Run Chrome-password Collector MIT License. © 2018 Red Canary
atomic-red-team T1555.003.md A modified sysinternals suite will be downloaded and staged. The Chrome-password collector, renamed accesschk.exe, will then be executed from #{file_path}. MIT License. © 2018 Red Canary
atomic-red-team T1555.003.md ## Atomic Test #4 - Simulating access to Chrome Login Data MIT License. © 2018 Red Canary
atomic-red-team T1555.003.md Simulates an adversary accessing encrypted credentials from Google Chrome Login database. MIT License. © 2018 Red Canary
atomic-red-team T1555.003.md Copy-Item “$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Login Data” -Destination $env:temp MIT License. © 2018 Red Canary
atomic-red-team T1555.003.md Copy-Item “$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Login Data For Account” -Destination $env:temp MIT License. © 2018 Red Canary
atomic-red-team T1555.003.md ##### Description: Chrome must be installed MIT License. © 2018 Red Canary
atomic-red-team T1555.003.md if ((Test-Path “C:\Program Files\Google\Chrome\Application\chrome.exe”) -Or (Test-Path “C:\Program Files (x86)\Google\Chrome\Application\chrome.exe”)) {exit 0} else {exit 1} MIT License. © 2018 Red Canary
atomic-red-team T1555.003.md Invoke-WebRequest -OutFile $env:temp\ChromeStandaloneSetup64.msi https://dl.google.com/chrome/install/googlechromestandaloneenterprise64.msi MIT License. © 2018 Red Canary
atomic-red-team T1555.003.md Start-Process -FilePath “chrome.exe” MIT License. © 2018 Red Canary
atomic-red-team T1555.003.md Stop-Process -Name “chrome” MIT License. © 2018 Red Canary
signature-base airbnb_binaryalert.yar description = “Decrypt Google Chrome / Chromium passwords and credit cards on macOS / OS X.” CC BY-NC 4.0
signature-base airbnb_binaryalert.yar $a1 = “Credit Cards for Chrome Profile” wide ascii CC BY-NC 4.0
signature-base airbnb_binaryalert.yar $a2 = “Passwords for Chrome Profile” wide ascii CC BY-NC 4.0
signature-base airbnb_binaryalert.yar $a4 = “ERROR getting Chrome Safe Storage Key” wide ascii CC BY-NC 4.0
signature-base apt_apt27_hyperbro.yar $s2 = “Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.116 Safari/537.36” ascii wide nocase CC BY-NC 4.0
signature-base apt_apt37_bluelight.yar $chrome1 = “Failed to get chrome cookie” CC BY-NC 4.0
signature-base apt_apt37_bluelight.yar 24 of ($chrome*) or CC BY-NC 4.0
signature-base apt_apt41.yar $s3 = “Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36” fullword ascii CC BY-NC 4.0
signature-base apt_buckeye.yar $x3 = “Chrome User Data folder where the password file is stored” wide CC BY-NC 4.0
signature-base apt_buckeye.yar $s4 = “Chrome Passwords List!Select the windows profile folder” fullword wide CC BY-NC 4.0
signature-base apt_buckeye.yar $s8 = “Chrome Password Recovery” fullword wide CC BY-NC 4.0
signature-base apt_dragonfly.yar $s7 = “\Appdata\Local\Google\Chrome\User Data\Default\” fullword wide CC BY-NC 4.0
signature-base apt_duqu2.yar $x2 = “Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.63 Safari/535.7xs5D9rRDFpg2g” fullword wide CC BY-NC 4.0
signature-base apt_freemilk.yar $s3 = “\Google\Chrome\User Data\Default\Login Data” fullword ascii CC BY-NC 4.0
signature-base apt_hafnium_log_sigs.yar $xr3 = /POST \/owa\/auth\/Current\/[^\n]{100,600} (DuckDuckBot\/1.0;+(+http:\/\/duckduckgo.com\/duckduckbot.html)|facebookexternalhit\/1.1+(+http:\/\/www.facebook.com\/externalhit_uatext.php)|Mozilla\/5.0+(compatible;+Baiduspider\/2.0;++http:\/\/www.baidu.com\/search\/spider.html)|Mozilla\/5.0+(compatible;+Bingbot\/2.0;++http:\/\/www.bing.com\/bingbot.htm)|Mozilla\/5.0+(compatible;+Googlebot\/2.1;++http:\/\/www.google.com\/bot.html|Mozilla\/5.0+(compatible;+Konqueror\/3.5;+Linux)+KHTML\/3.5.5+(like+Gecko)+(Exabot-Thumbnails)|Mozilla\/5.0+(compatible;+Yahoo!+Slurp;+http:\/\/help.yahoo.com\/help\/us\/ysearch\/slurp)|Mozilla\/5.0+(compatible;+YandexBot\/3.0;++http:\/\/yandex.com\/bots)|Mozilla\/5.0+(X11;+Linux+x86_64)+AppleWebKit\/537.36+(KHTML,+like+Gecko)+Chrome\/51.0.2704.103+Safari\/537.3)/ CC BY-NC 4.0
signature-base apt_iamtheking.yar $s3 = “Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.75” ascii fullword CC BY-NC 4.0
signature-base apt_rokrat.yar $a1 = “\Google\Chrome\User Data\Default\Login Data” fullword ascii CC BY-NC 4.0
signature-base apt_shellcrew_streamex.yar $d = “Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36” wide CC BY-NC 4.0
signature-base apt_stonedrill.yar $s1 = “WshShell.CopyFile "%COMMON_APPDATA%\Chrome\” ascii CC BY-NC 4.0
signature-base apt_stonedrill.yar $s5 = “ , "%COMMON_APPDATA%\Chrome\” ascii CC BY-NC 4.0
signature-base apt_telebots.yar $s5 = “\Local\Google\Chrome\User Data\Default\Login Data” fullword ascii CC BY-NC 4.0
signature-base apt_turla_mosquito.yar $s1 = “Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36” fullword wide CC BY-NC 4.0
signature-base apt_turla_mosquito.yar $a2 = “Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36” fullword wide CC BY-NC 4.0
signature-base apt_wilted_tulip.yar description = “Detects Chrome password dumper used in Operation Wilted Tulip” CC BY-NC 4.0
signature-base apt_wilted_tulip.yar $x1 = “%s.exe -f "C:\Users\Admin\Google\Chrome\TestProfile" -o "c:\passlist.txt"” fullword ascii CC BY-NC 4.0
signature-base apt_wilted_tulip.yar $x3 = “//Dump Chrome Passwords to a Output file "c:\passlist.txt"” fullword ascii CC BY-NC 4.0
signature-base apt_xrat.yar $s3 = “Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36” fullword wide CC BY-NC 4.0
signature-base crime_bad_patch.yar $s2 = “\Appdata\Local\Google\Chrome\User Data\Default\Login Data.*” fullword wide CC BY-NC 4.0
signature-base crime_bad_patch.yar $s4 = “\Appdata\Local\Google\Chrome\User Data\Default\Cookies.*” fullword wide CC BY-NC 4.0
signature-base crime_credstealer_generic.yar $s5 = “%s\Google\Chrome\User Data\Default\Login Data” fullword ascii CC BY-NC 4.0
signature-base crime_envrial.yar $a3 = “\Google\Chrome\User Data\Default\Login Data” fullword wide CC BY-NC 4.0
signature-base crime_mirai.yar $s1 = “User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.101 Safari/537.36” fullword ascii CC BY-NC 4.0
signature-base crime_rombertik_carbongrabber.yar $s4 = “chrome.exe” fullword ascii CC BY-NC 4.0
signature-base crime_rombertik_carbongrabber.yar $s6 = “chrome.dll” fullword ascii CC BY-NC 4.0
signature-base crime_rombertik_carbongrabber.yar $s8 = “Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome” ascii CC BY-NC 4.0
signature-base crime_socgholish.yar $a2 = “Chrome” ascii CC BY-NC 4.0
signature-base exploit_cve_2015_2426.yar $s3 = “Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36” fullword ascii /* PEStudio Blacklist: strings */ CC BY-NC 4.0
signature-base general_cloaking.yar and not filepath contains “Chrome” CC BY-NC 4.0
signature-base generic_anomalies.yar description = “Detects uncommon file size of chrome.exe” CC BY-NC 4.0
signature-base generic_anomalies.yar and filename == “chrome.exe” CC BY-NC 4.0
signature-base mal_passwordstate_backdoor.yar $s3 = “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.128 Safari” wide fullword CC BY-NC 4.0
signature-base spy_equation_fiveeyes.yar $s5 = “Chrome” fullword wide CC BY-NC 4.0
signature-base thor-hacktools.yar $s4 = “softwares.chrome(“ fullword ascii CC BY-NC 4.0
stockpile 830bb6ed-9594-4817-b1a1-c298c0f9f425.yml name: Check Chrome Apache-2.0
stockpile 830bb6ed-9594-4817-b1a1-c298c0f9f425.yml description: Check to see if Gooogle Chrome browser is installed Apache-2.0
stockpile 830bb6ed-9594-4817-b1a1-c298c0f9f425.yml which google-chrome Apache-2.0
stockpile b007fc38-9eb7-4320-92b3-9a3ad3e6ec25.yml name: Get Chrome Bookmarks Apache-2.0
stockpile b007fc38-9eb7-4320-92b3-9a3ad3e6ec25.yml description: Get Chrome Bookmarks Apache-2.0
stockpile b007fc38-9eb7-4320-92b3-9a3ad3e6ec25.yml cat ~/Library/Application\ Support/Google/Chrome/Default/Bookmarks Apache-2.0
stockpile b007fc38-9eb7-4320-92b3-9a3ad3e6ec25.yml - source: host.chrome.bookmark_title Apache-2.0
stockpile b007fc38-9eb7-4320-92b3-9a3ad3e6ec25.yml target: host.chrome.bookmark_url Apache-2.0
stockpile de52784d-4de6-4d4e-b79e-e7b68fe037fb.yml osascript bookmark.scpt #{host.chrome.bookmark_title[filters(max=1)]} #{server.malicious.url[filters(max=1)]} Apache-2.0
stockpile 110cea7a-5b03-4443-92ee-7ccefaead451.yml $userAgentField = \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36\"; Apache-2.0
stockpile ea713bc4-63f0-491c-9a6f-0b01d560b87e.yml $client.DefaultRequestHeaders.Add("User-Agent","Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36"); Apache-2.0

MIT License. Copyright (c) 2020-2021 Strontic.