SYMBOLCOMMON_NAMEaka. SYNONYMS
win.arkei_stealer (Back to overview)

Arkei Stealer

aka: ArkeiStealer
URLhaus    

There is no description at this point.

References
2020-07-30SpamhausSpamhaus Malware Labs
@techreport{labs:20200730:spamhaus:038546d, author = {Spamhaus Malware Labs}, title = {{Spamhaus Botnet Threat Update Q2 2020}}, date = {2020-07-30}, institution = {Spamhaus}, url = {https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf}, language = {English}, urldate = {2020-07-30} } Spamhaus Botnet Threat Update Q2 2020
AdWind Agent Tesla Arkei Stealer AsyncRAT Ave Maria Azorult DanaBot Emotet IcedID ISFB KPOT Stealer Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT Pony Raccoon RedLine Stealer Remcos Zloader
2018-06-15Bleeping ComputerCatalin Cimpanu
@online{cimpanu:20180615:hacker:e0452dd, author = {Catalin Cimpanu}, title = {{Hacker Breaches Syscoin GitHub Account and Poisons Official Client}}, date = {2018-06-15}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/hacker-breaches-syscoin-github-account-and-poisons-official-client/}, language = {English}, urldate = {2019-12-20} } Hacker Breaches Syscoin GitHub Account and Poisons Official Client
Arkei Stealer
Yara Rules
[TLP:WHITE] win_arkei_stealer_auto (20211008 | Detects win.arkei_stealer.)
rule win_arkei_stealer_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-10-07"
        version = "1"
        description = "Detects win.arkei_stealer."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.arkei_stealer"
        malpedia_rule_date = "20211007"
        malpedia_hash = "e5b790e0f888f252d49063a1251ca60ec2832535"
        malpedia_version = "20211008"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 57 8945e8 ffd3 6a0a 57 8bf0 }
            // n = 6, score = 400
            //   57                   | push                edi
            //   8945e8               | mov                 dword ptr [ebp - 0x18], eax
            //   ffd3                 | call                ebx
            //   6a0a                 | push                0xa
            //   57                   | push                edi
            //   8bf0                 | mov                 esi, eax

        $sequence_1 = { 6a08 57 8945e8 ffd3 6a0a 57 8bf0 }
            // n = 7, score = 400
            //   6a08                 | push                8
            //   57                   | push                edi
            //   8945e8               | mov                 dword ptr [ebp - 0x18], eax
            //   ffd3                 | call                ebx
            //   6a0a                 | push                0xa
            //   57                   | push                edi
            //   8bf0                 | mov                 esi, eax

        $sequence_2 = { 57 897e10 894614 897e24 ff15???????? }
            // n = 5, score = 400
            //   57                   | push                edi
            //   897e10               | mov                 dword ptr [esi + 0x10], edi
            //   894614               | mov                 dword ptr [esi + 0x14], eax
            //   897e24               | mov                 dword ptr [esi + 0x24], edi
            //   ff15????????         |                     

        $sequence_3 = { 8bd8 53 56 57 ff15???????? 8945e0 }
            // n = 6, score = 400
            //   8bd8                 | mov                 ebx, eax
            //   53                   | push                ebx
            //   56                   | push                esi
            //   57                   | push                edi
            //   ff15????????         |                     
            //   8945e0               | mov                 dword ptr [ebp - 0x20], eax

        $sequence_4 = { 6a08 57 8945e8 ffd3 }
            // n = 4, score = 400
            //   6a08                 | push                8
            //   57                   | push                edi
            //   8945e8               | mov                 dword ptr [ebp - 0x18], eax
            //   ffd3                 | call                ebx

        $sequence_5 = { 8d55ec 52 57 8945f6 }
            // n = 4, score = 400
            //   8d55ec               | lea                 edx, dword ptr [ebp - 0x14]
            //   52                   | push                edx
            //   57                   | push                edi
            //   8945f6               | mov                 dword ptr [ebp - 0xa], eax

        $sequence_6 = { c78588fcffff48030000 ff15???????? 33c9 8d85ccfcffff }
            // n = 4, score = 400
            //   c78588fcffff48030000     | mov    dword ptr [ebp - 0x378], 0x348
            //   ff15????????         |                     
            //   33c9                 | xor                 ecx, ecx
            //   8d85ccfcffff         | lea                 eax, dword ptr [ebp - 0x334]

        $sequence_7 = { 397014 7202 8b00 50 ff15???????? 83f8ff }
            // n = 6, score = 400
            //   397014               | cmp                 dword ptr [eax + 0x14], esi
            //   7202                 | jb                  4
            //   8b00                 | mov                 eax, dword ptr [eax]
            //   50                   | push                eax
            //   ff15????????         |                     
            //   83f8ff               | cmp                 eax, -1

        $sequence_8 = { 56 6a00 6a00 57 53 56 6a00 }
            // n = 7, score = 400
            //   56                   | push                esi
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   57                   | push                edi
            //   53                   | push                ebx
            //   56                   | push                esi
            //   6a00                 | push                0

        $sequence_9 = { 53 ff15???????? 8b4ddc 8b35???????? 51 }
            // n = 5, score = 400
            //   53                   | push                ebx
            //   ff15????????         |                     
            //   8b4ddc               | mov                 ecx, dword ptr [ebp - 0x24]
            //   8b35????????         |                     
            //   51                   | push                ecx

    condition:
        7 of them and filesize < 1744896
}
[TLP:WHITE] win_arkei_stealer_w0   (20181023 | Arkei Stealer)
rule win_arkei_stealer_w0 {
    meta:
        author = "Fumik0_"
        description = "Arkei Stealer"
        Date = "2018/07/10"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.arkei_stealer"
        malpedia_version = "20181023"
        malpedia_sharing = "TLP:WHITE"
        malpedia_license = ""
 
    strings:
        $s1 = "Arkei" wide ascii
        $s2 = "/server/gate" wide ascii
        $s3 = "/server/grubConfig" wide ascii
        $s4 = "\\files\\" wide ascii
        $s5 = "SQLite" wide ascii
 
    condition:
        all of ($s*)   
}
Download all Yara Rules