![Cooked Grabber 2024](https://blackhattool.com/wp-content/uploads/2025/07/Cooked-Grabber-2024.png)
What is Cooked Grabber 2024?
Cooked Grabber 2024 is a stealer malware that specializes in extracting and exfiltrating sensitive information from compromised machines. Once executed, it silently collects:
- Saved browser credentials (Chrome, Firefox, Edge)
- Autofill data & credit card details
- Cryptocurrency wallet files (Exodus, MetaMask, Electrum)
- Session cookies (for account hijacking)
- FTP & VPN credentials
Data theft capabilities
- Browser Password Extraction – Decrypts and steals stored logins from Chrome, Firefox, Edge, and Brave.
- Credit Card & Autofill Data Theft – Captures saved payment details from web browsers.
- Cryptocurrency Wallet Grabber – Targets MetaMask, Exodus, Binance Chain Wallet, and other crypto storage apps.
- Session Cookie Hijacking – Steals active login tokens for persistent access to accounts (e.g., Gmail, Facebook, banking sites).
- Clipboard Monitoring – Swaps crypto wallet addresses during transactions.
- Screen Capture – Takes screenshots of sensitive activities.
- File Grabber – Searches for documents (PDFs, Word files) containing credentials.
Evasion techniques
- Process Hollowing – Injects malicious code into legitimate processes (e.g., explorer.exe).
- Polymorphic Code – Changes signatures to avoid antivirus detection.
- Delayed Execution – Waits before activating to bypass sandbox analysis.
Persistence mechanisms
- Registry Modification – Adds itself to startup via HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.
- Task Scheduler Abuse – Creates scheduled tasks for auto-reactivation.
Exfiltration methods
- Encrypted HTTPS Traffic – Hides stolen data in normal-looking web traffic.
- Discord & Telegram Webhook Support – Sends logs directly to attacker-controlled channels.
- Backup Server Fallback – Switches C2 servers if one gets blocked.
Targeted systems
- Primarily affects Windows 10/11 but can adapt to older versions.
- Some variants target macOS & Linux via cross-platform malware modules.
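The persistence and exfiltration behaviours listed above (the HKCU Run key, scheduled task creation, and Discord/Telegram webhook delivery) are the parts of this stealer that leave the clearest host-side telemetry. The following is an added detection example, not code from the original page or from the malware itself: it runs a small classifier over constructed Sysmon-style JSON events (Event ID 13 registry SetValue, Event ID 1 process creation, Event ID 22 DNS query; field names follow Sysmon's documented schema) and flags the three behaviours, while skipping DNS lookups made by the legitimate Discord and Telegram clients to keep the webhook rule from firing on normal chat traffic. The log lines, paths and the `update.exe` name are constructed for the example.

```python
"""Toy detection pass for the persistence/exfiltration behaviours of a
Run-key + scheduled-task + webhook stealer, over constructed Sysmon-style
events (added example; not from the original page)."""
import json
import re

# Sysmon records HKCU keys under HKU\<SID>\..., so match on the key tail only.
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# schtasks.exe invoked with /create (any other switches are ignored).
SCHTASKS_RE = re.compile(r"schtasks(\.exe)?\s+.*?/create", re.IGNORECASE)
# Hosts used by Discord and Telegram webhooks/bot APIs.
WEBHOOK_HOSTS = ("discord.com", "discordapp.com", "api.telegram.org")
# Legitimate chat clients talk to these hosts constantly; do not alert on them.
BENIGN_CLIENT_IMAGES = {"discord.exe", "telegram.exe"}


def image_basename(event: dict) -> str:
    """Return the lower-cased executable name from the Image field."""
    return event.get("Image", "").rsplit("\\", 1)[-1].lower()


def classify(event: dict):
    """Return (rule_name, evidence) for a suspicious event, else None."""
    eid = event.get("EventID")
    if eid == 13 and RUN_KEY_RE.search(event.get("TargetObject", "")):
        return ("run_key_persistence", event["TargetObject"])
    if eid == 1 and SCHTASKS_RE.search(event.get("CommandLine", "")):
        return ("scheduled_task_creation", event["CommandLine"])
    if eid == 22:
        host = event.get("QueryName", "").lower()
        matches_host = any(host == h or host.endswith("." + h) for h in WEBHOOK_HOSTS)
        if matches_host and image_basename(event) not in BENIGN_CLIENT_IMAGES:
            return ("webhook_exfil_dns", host)
    return None


def scan(lines):
    """Parse one JSON event per line; return [(rule, image, evidence), ...]."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the whole scan
        hit = classify(event)
        if hit:
            findings.append((hit[0], event.get("Image", "?"), hit[1]))
    return findings


# Constructed sample events: three malicious, three benign look-alikes.
SAMPLE_LOG = r"""
{"EventID":13,"Image":"C:\\Users\\u\\AppData\\Local\\Temp\\update.exe","TargetObject":"HKU\\S-1-5-21-1111\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater","Details":"C:\\Users\\u\\AppData\\Local\\Temp\\update.exe"}
{"EventID":1,"Image":"C:\\Windows\\System32\\schtasks.exe","CommandLine":"schtasks.exe /create /sc onlogon /tn Updater /tr C:\\Users\\u\\AppData\\Local\\Temp\\update.exe"}
{"EventID":22,"Image":"C:\\Users\\u\\AppData\\Local\\Temp\\update.exe","QueryName":"discord.com"}
{"EventID":22,"Image":"C:\\Users\\u\\AppData\\Local\\Discord\\app-1.0\\Discord.exe","QueryName":"discord.com"}
{"EventID":13,"Image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","TargetObject":"HKU\\S-1-5-21-1111\\Software\\Google\\Chrome\\PreferenceMACs"}
{"EventID":1,"Image":"C:\\Windows\\System32\\schtasks.exe","CommandLine":"schtasks.exe /query /fo list"}
"""

if __name__ == "__main__":
    for rule, image, evidence in scan(SAMPLE_LOG.splitlines()):
        print(f"[{rule}] {image} -> {evidence}")
```

The three rules are deliberately narrow: a Run-key write alone is also produced by installers, and a DNS query to discord.com by itself is normal, so in production the hits should be correlated on the writing process (here an executable running from a user's Temp directory appears in all three findings) rather than alerted on individually.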