win.aresloader

AresLoader


AresLoader is a new malware downloader that has been advertised on the Russian-language dark web forums "RAMP" and "XSS" by a threat actor called "DarkBLUP". Researchers assess that this loader is likely a legitimate penetration-testing tool that is now being abused by threat actors, because a similar project, dubbed "Project Ares", was previously uploaded to GitHub as a proof-of-concept (PoC) by the well-regarded user and red teamer "CerberSec".

The loader mimics legitimate software to trick victims into executing malware with administrator rights on their machines. Additional features of the loader include:

1. Written in C/C++
2. Supports 64-bit payloads
3. Makes the malware appear to have been spawned by another process
4. Prevents non-Microsoft-signed binaries from being injected into the malware process
5. Hides suspicious imported Windows APIs
6. Leverages anti-analysis techniques to avoid reverse engineering

Furthermore, it was observed that SystemBC, Amadey, and several Raccoon Stealer samples were directly installing AresLoader. To date, AresLoader has been seen delivering payloads such as SystemBC, Lumma Stealer, StealC, Aurora Stealer, and Laplas Clipper.

References
2023-04-02, OALabs, Sergei Frankoff: AresLoader Taking a closer look at this new loader. https://research.openanalysis.net/ares/aresloader/loader/2023/04/02/aresloader.html (retrieved 2023-04-22)
2023-03-22, Intel 471, Roberto Martinez and Taisiia Garkava: New loader on the bloc - AresLoader. https://intel471.com/blog/new-loader-on-the-bloc-aresloader (retrieved 2023-04-14)
2023-03-18, Twitter (@k3dg3), Kelsey Merriman: Tweet on TA579 distributing AresLoader via WeTransfer URLs. https://twitter.com/k3dg3/status/1636873721200746496 (retrieved 2023-04-14)
2023-03-06, Flashpoint, Flashpoint: Private Malware for Sale: A Closer Look at AresLoader. https://flashpoint.io/blog/private-malware-for-sale-aresloader/ (retrieved 2023-04-08)
2022-12-28, ZeroFox, DARK OPS: The Underground Economist: Volume 2, Issue 24. https://www.zerofox.com/blog/the-underground-economist-volume-2-issue-24/ (retrieved 2023-04-14)
Yara Rules
[TLP:WHITE] win_aresloader_auto (20230715 | Detects win.aresloader.)
rule win_aresloader_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.aresloader."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.aresloader"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 85db 7435 85f6 7431 896c240c 897c2408 }
            // n = 6, score = 400
            //   85db                 | test                ebx, ebx
            //   7435                 | je                  0x37
            //   85f6                 | test                esi, esi
            //   7431                 | je                  0x33
            //   896c240c             | mov                 dword ptr [esp + 0xc], ebp
            //   897c2408             | mov                 dword ptr [esp + 8], edi

        $sequence_1 = { 741d 896c243c 897c2438 89742434 }
            // n = 4, score = 400
            //   741d                 | je                  0x1f
            //   896c243c             | mov                 dword ptr [esp + 0x3c], ebp
            //   897c2438             | mov                 dword ptr [esp + 0x38], edi
            //   89742434             | mov                 dword ptr [esp + 0x34], esi

        $sequence_2 = { a1???????? 8b5c2430 8b742434 8b7c2438 8b6c243c 3d???????? }
            // n = 6, score = 400
            //   a1????????           |                     
            //   8b5c2430             | mov                 ebx, dword ptr [esp + 0x30]
            //   8b742434             | mov                 esi, dword ptr [esp + 0x34]
            //   8b7c2438             | mov                 edi, dword ptr [esp + 0x38]
            //   8b6c243c             | mov                 ebp, dword ptr [esp + 0x3c]
            //   3d????????           |                     

        $sequence_3 = { 893424 e8???????? 85c0 7831 }
            // n = 4, score = 400
            //   893424               | mov                 dword ptr [esp], esi
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   7831                 | js                  0x33

        $sequence_4 = { 7831 39d8 7205 c6441eff00 83c41c }
            // n = 5, score = 400
            //   7831                 | js                  0x33
            //   39d8                 | cmp                 eax, ebx
            //   7205                 | jb                  7
            //   c6441eff00           | mov                 byte ptr [esi + ebx - 1], 0
            //   83c41c               | add                 esp, 0x1c

        $sequence_5 = { 7431 896c240c 897c2408 895c2404 893424 e8???????? }
            // n = 6, score = 400
            //   7431                 | je                  0x33
            //   896c240c             | mov                 dword ptr [esp + 0xc], ebp
            //   897c2408             | mov                 dword ptr [esp + 8], edi
            //   895c2404             | mov                 dword ptr [esp + 4], ebx
            //   893424               | mov                 dword ptr [esp], esi
            //   e8????????           |                     

        $sequence_6 = { 893424 e8???????? 85c0 7831 39d8 7205 }
            // n = 6, score = 400
            //   893424               | mov                 dword ptr [esp], esi
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   7831                 | js                  0x33
            //   39d8                 | cmp                 eax, ebx
            //   7205                 | jb                  7

        $sequence_7 = { 85f6 7431 896c240c 897c2408 895c2404 893424 e8???????? }
            // n = 7, score = 400
            //   85f6                 | test                esi, esi
            //   7431                 | je                  0x33
            //   896c240c             | mov                 dword ptr [esp + 0xc], ebp
            //   897c2408             | mov                 dword ptr [esp + 8], edi
            //   895c2404             | mov                 dword ptr [esp + 4], ebx
            //   893424               | mov                 dword ptr [esp], esi
            //   e8????????           |                     

        $sequence_8 = { 895c2404 893424 e8???????? 85c0 7831 39d8 }
            // n = 6, score = 400
            //   895c2404             | mov                 dword ptr [esp + 4], ebx
            //   893424               | mov                 dword ptr [esp], esi
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   7831                 | js                  0x33
            //   39d8                 | cmp                 eax, ebx

        $sequence_9 = { 8b6c243c 85db 7435 85f6 }
            // n = 4, score = 400
            //   8b6c243c             | mov                 ebp, dword ptr [esp + 0x3c]
            //   85db                 | test                ebx, ebx
            //   7435                 | je                  0x37
            //   85f6                 | test                esi, esi

    condition:
        7 of them and filesize < 2657280
}
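As an added example that is not part of the Malpedia page or of yara-signator, the following Python re-implements the rule's hex-string matching (the `??` single-byte wildcards) and evaluates its `7 of them and filesize < 2657280` condition over a constructed buffer built from the rule's own instruction fragments, so you can see which sequences fire and how the threshold and size bound behave. The `build_sample` helper and its operand values are constructed for this illustration; use yara or yara-python for real scanning.

```python
# Added example, not from the Malpedia page or yara-signator: a minimal
# evaluator for the hex patterns in win_aresloader_auto, showing how the "??"
# wildcards and the "7 of them and filesize < 2657280" condition behave.
# Use real yara/yara-python in production; this only illustrates the logic.
import re

# The ten $sequence_* patterns copied from the rule above.
SEQUENCES = {
    "sequence_0": "85db 7435 85f6 7431 896c240c 897c2408",
    "sequence_1": "741d 896c243c 897c2438 89742434",
    "sequence_2": "a1???????? 8b5c2430 8b742434 8b7c2438 8b6c243c 3d????????",
    "sequence_3": "893424 e8???????? 85c0 7831",
    "sequence_4": "7831 39d8 7205 c6441eff00 83c41c",
    "sequence_5": "7431 896c240c 897c2408 895c2404 893424 e8????????",
    "sequence_6": "893424 e8???????? 85c0 7831 39d8 7205",
    "sequence_7": "85f6 7431 896c240c 897c2408 895c2404 893424 e8????????",
    "sequence_8": "895c2404 893424 e8???????? 85c0 7831 39d8",
    "sequence_9": "8b6c243c 85db 7435 85f6",
}
MAX_FILESIZE = 2657280  # upper bound from the rule's condition
REQUIRED = 7            # "7 of them"

def hex_pattern_to_regex(pattern: str) -> re.Pattern:
    """Turn a YARA hex string such as '893424 e8???????? 85c0' into a bytes
    regex: each '??' is a one-byte wildcard, every other pair a literal byte."""
    pairs = re.findall(r"..", pattern.replace(" ", ""))
    parts = [b"." if p == "??" else re.escape(bytes([int(p, 16)])) for p in pairs]
    return re.compile(b"".join(parts), re.DOTALL)

COMPILED = {name: hex_pattern_to_regex(pat) for name, pat in SEQUENCES.items()}

def matching_sequences(data: bytes) -> list:
    """Names of the patterns found at least once in data."""
    return [name for name, rx in COMPILED.items() if rx.search(data)]

def rule_matches(data: bytes) -> bool:
    """Evaluate the rule's condition: 7 of them and filesize < 2657280."""
    return len(matching_sequences(data)) >= REQUIRED and len(data) < MAX_FILESIZE

def build_sample(with_call_site: bool = True) -> bytes:
    """Constructed test buffer (not a real AresLoader sample): the rule's own
    instruction fragments laid out contiguously, with the a1/3d/e8 wildcard
    operands filled with arbitrary values and NOP/INT3 filler around them."""
    code = ("a1deadbeef 8b5c2430 8b742434 8b7c2438 8b6c243c 3d11223344"  # sequence_2
            " 85db 7435 85f6 7431 896c240c 897c2408 895c2404 893424")     # sequence_0 and the prologue of 5/7
    if with_call_site:  # the call and its result check, needed by sequences 3..8
        code += " e801020304 85c0 7831 39d8 7205 c6441eff00 83c41c"
    return b"\x90" * 16 + bytes.fromhex(code) + b"\xcc" * 16
```

With the call site present, eight of the ten sequences match and the rule fires; without it only two match, and a buffer padded past 2657280 bytes never fires regardless of content, which matters when the rule is applied to memory dumps or large containers.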