win.arkei_stealer (Back to overview)

Arkei Stealer

URLhaus    

There is no description at this point.

References
https://www.bleepingcomputer.com/news/security/hacker-breaches-syscoin-github-account-and-poisons-official-client/
Yara Rules
[TLP:WHITE] win_arkei_stealer_auto (20190620 | autogenerated rule brought to you by yara-signator)
rule win_arkei_stealer_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2019-07-05"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator 0.2a"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.arkei_stealer"
        malpedia_version = "20190620"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        $sequence_0 = { 0f8????????? ba424d0000 668955ec 8b4620 8b0e 8d1481 }
            // n = 6, score = 400
            //   0f8?????????         |                     
            //   ba424d0000           | mov                 edx, 0x4d42
            //   668955ec             | mov                 word ptr [ebp - 0x14], dx
            //   8b4620               | mov                 eax, dword ptr [esi + 0x20]
            //   8b0e                 | mov                 ecx, dword ptr [esi]
            //   8d1481               | lea                 edx, [ecx + eax*4]

        $sequence_1 = { 56 6a00 6a00 57 53 56 6a00 }
            // n = 7, score = 400
            //   56                   | push                esi
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   57                   | push                edi
            //   53                   | push                ebx
            //   56                   | push                esi
            //   6a00                 | push                0

        $sequence_2 = { 8bf1 6800000080 56 894590 ff15???????? }
            // n = 5, score = 400
            //   8bf1                 | mov                 esi, ecx
            //   6800000080           | push                0x80000000
            //   56                   | push                esi
            //   894590               | mov                 dword ptr [ebp - 0x70], eax
            //   ff15????????         |                     

        $sequence_3 = { ba424d0000 668955ec 8b4620 8b0e }
            // n = 4, score = 400
            //   ba424d0000           | mov                 edx, 0x4d42
            //   668955ec             | mov                 word ptr [ebp - 0x14], dx
            //   8b4620               | mov                 eax, dword ptr [esi + 0x20]
            //   8b0e                 | mov                 ecx, dword ptr [esi]

        $sequence_4 = { 0f8????????? ba424d0000 668955ec 8b4620 }
            // n = 4, score = 400
            //   0f8?????????         |                     
            //   ba424d0000           | mov                 edx, 0x4d42
            //   668955ec             | mov                 word ptr [ebp - 0x14], dx
            //   8b4620               | mov                 eax, dword ptr [esi + 0x20]

        $sequence_5 = { d3e2 895620 8b4604 83c007 }
            // n = 4, score = 400
            //   d3e2                 | shl                 edx, cl
            //   895620               | mov                 dword ptr [esi + 0x20], edx
            //   8b4604               | mov                 eax, dword ptr [esi + 4]
            //   83c007               | add                 eax, 7

        $sequence_6 = { 8d148d28000000 52 56 57 ff15???????? }
            // n = 5, score = 400
            //   8d148d28000000       | lea                 edx, [ecx*4 + 0x28]
            //   52                   | push                edx
            //   56                   | push                esi
            //   57                   | push                edi
            //   ff15????????         |                     

        $sequence_7 = { 73?? 8d8560feffff 53 50 ff15???????? 6804010000 }
            // n = 6, score = 400
            //   73??                 |                     
            //   8d8560feffff         | lea                 eax, [ebp - 0x1a0]
            //   53                   | push                ebx
            //   50                   | push                eax
            //   ff15????????         |                     
            //   6804010000           | push                0x104

        $sequence_8 = { c70628000000 8b4dc8 894e04 8b55cc }
            // n = 4, score = 400
            //   c70628000000         | mov                 dword ptr [esi], 0x28
            //   8b4dc8               | mov                 ecx, dword ptr [ebp - 0x38]
            //   894e04               | mov                 dword ptr [esi + 4], ecx
            //   8b55cc               | mov                 edx, dword ptr [ebp - 0x34]

        $sequence_9 = { 56 57 ff15???????? 85c0 0f8????????? 8b7614 }
            // n = 6, score = 400
            //   56                   | push                esi
            //   57                   | push                edi
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   0f8?????????         |                     
            //   8b7614               | mov                 esi, dword ptr [esi + 0x14]

    condition:
        7 of them
}
[TLP:WHITE] win_arkei_stealer_w0   (20181023 | No description)
rule win_arkei_stealer_w0 {
    meta:
        Author = "Fumik0_"
        Description = "Arkei Stealer"
        Date = "2018/07/10"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.predator"
        malpedia_version = "20181023"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
 
    strings:
        $s1 = "Arkei" wide ascii
        $s2 = "/server/gate" wide ascii
        $s3 = "/server/grubConfig" wide ascii
        $s4 = "\\files\\" wide ascii
        $s5 = "SQLite" wide ascii
 
    condition:
        all of ($s*)   
}
Download all Yara Rules