win.arkei_stealer (Back to overview)

Arkei Stealer

aka: ArkeiStealer

There is no description at this point.

References
2020-07-30 — Spamhaus — Spamhaus Malware Labs
@techreport{labs:20200730:spamhaus:038546d, author = {Spamhaus Malware Labs}, title = {{Spamhaus Botnet Threat Update Q2 2020}}, date = {2020-07-30}, institution = {Spamhaus}, url = {https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf}, language = {English}, urldate = {2020-07-30} } Spamhaus Botnet Threat Update Q2 2020
AdWind Agent Tesla Arkei Stealer AsyncRAT Ave Maria Azorult DanaBot Emotet IcedID ISFB KPOT Stealer Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT Pony Raccoon RedLine Stealer Remcos Zloader
2018-06-15 — Bleeping Computer — Catalin Cimpanu
@online{cimpanu:20180615:hacker:e0452dd, author = {Catalin Cimpanu}, title = {{Hacker Breaches Syscoin GitHub Account and Poisons Official Client}}, date = {2018-06-15}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/hacker-breaches-syscoin-github-account-and-poisons-official-client/}, language = {English}, urldate = {2019-12-20} } Hacker Breaches Syscoin GitHub Account and Poisons Official Client
Arkei Stealer
Yara Rules
[TLP:WHITE] win_arkei_stealer_auto (20201023 | autogenerated rule brought to you by yara-signator)
rule win_arkei_stealer_auto {

    // Auto-generated code-pattern rule (yara-signator). It carries ten short
    // x86 byte sequences lifted from disassembly of unpacked/dumped samples
    // (the generator's "n" = sequence length in instructions, "score" = its
    // selection score) and fires when 7 of the 10 sequences are present in a
    // file below the size bound given in the condition. See DISCLAIMER below
    // for the generalisation caveats; treat hits as medium-confidence and
    // corroborate with the string-based win_arkei_stealer_w0 rule or
    // behavioural evidence.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.arkei_stealer"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each `??` wildcard masks one byte. In these sequences the wildcards
        // cover the 4-byte operands after ff15 / 8b1d / 8b35 (indirect call /
        // mov via an absolute disp32 address), which the generator left
        // undisassembled because they change with build and load address;
        // masking them keeps the sequence stable across samples.
        $sequence_0 = { 8d4de4 51 6a0e 8d55ec 52 }
            // n = 5, score = 400
            //   8d4de4               | lea                 ecx, [ebp - 0x1c]
            //   51                   | push                ecx
            //   6a0e                 | push                0xe
            //   8d55ec               | lea                 edx, [ebp - 0x14]
            //   52                   | push                edx

        $sequence_1 = { 57 897ddc ff15???????? 8b1d???????? 6a08 57 8945e8 }
            // n = 7, score = 400
            //   57                   | push                edi
            //   897ddc               | mov                 dword ptr [ebp - 0x24], edi
            //   ff15????????         |                     
            //   8b1d????????         |                     
            //   6a08                 | push                8
            //   57                   | push                edi
            //   8945e8               | mov                 dword ptr [ebp - 0x18], eax

        $sequence_2 = { 39b574feffff 7306 8d8560feffff 53 50 ff15???????? 6804010000 }
            // n = 7, score = 400
            //   39b574feffff         | cmp                 dword ptr [ebp - 0x18c], esi
            //   7306                 | jae                 8
            //   8d8560feffff         | lea                 eax, [ebp - 0x1a0]
            //   53                   | push                ebx
            //   50                   | push                eax
            //   ff15????????         |                     
            //   6804010000           | push                0x104

        $sequence_3 = { 0f841dfeffff 57 ff15???????? 85c0 0f840efeffff 53 }
            // n = 6, score = 400
            //   0f841dfeffff         | je                  0xfffffe23
            //   57                   | push                edi
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   0f840efeffff         | je                  0xfffffe14
            //   53                   | push                ebx

        $sequence_4 = { ff15???????? 85c0 74de 8b4de8 682000cc00 }
            // n = 5, score = 400
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   74de                 | je                  0xffffffe0
            //   8b4de8               | mov                 ecx, dword ptr [ebp - 0x18]
            //   682000cc00           | push                0xcc0020

        $sequence_5 = { 895620 8b4604 83c007 99 }
            // n = 4, score = 400
            //   895620               | mov                 dword ptr [esi + 0x20], edx
            //   8b4604               | mov                 eax, dword ptr [esi + 4]
            //   83c007               | add                 eax, 7
            //   99                   | cdq                 

        // NOTE: $sequence_6, $sequence_3 and $sequence_8 overlap (they share
        // the `85c0 0f840efeffff 53` / `0f841dfeffff 57 ff15` fragments), so
        // one code location can satisfy several of them at once; the
        // "7 of them" threshold is therefore somewhat less strict than the
        // count suggests.
        $sequence_6 = { 85c0 0f840efeffff 53 ff15???????? 8b4ddc 8b35???????? }
            // n = 6, score = 400
            //   85c0                 | test                eax, eax
            //   0f840efeffff         | je                  0xfffffe14
            //   53                   | push                ebx
            //   ff15????????         |                     
            //   8b4ddc               | mov                 ecx, dword ptr [ebp - 0x24]
            //   8b35????????         |                     

        // $sequence_7 is $sequence_0's first three instructions preceded by
        // `push 0`; the two are likewise not independent evidence.
        $sequence_7 = { 6a00 8d4de4 51 6a0e }
            // n = 4, score = 400
            //   6a00                 | push                0
            //   8d4de4               | lea                 ecx, [ebp - 0x1c]
            //   51                   | push                ecx
            //   6a0e                 | push                0xe

        $sequence_8 = { 85c0 0f841dfeffff 57 ff15???????? 85c0 0f840efeffff }
            // n = 6, score = 400
            //   85c0                 | test                eax, eax
            //   0f841dfeffff         | je                  0xfffffe23
            //   57                   | push                edi
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   0f840efeffff         | je                  0xfffffe14

        $sequence_9 = { 6a00 8d45e4 50 8d148d28000000 52 56 }
            // n = 6, score = 400
            //   6a00                 | push                0
            //   8d45e4               | lea                 eax, [ebp - 0x1c]
            //   50                   | push                eax
            //   8d148d28000000       | lea                 edx, [ecx*4 + 0x28]
            //   52                   | push                edx
            //   56                   | push                esi

    condition:
        // At least 7 of the 10 sequences, and the scanned object must be
        // smaller than 1,744,896 bytes (1704 KiB). The size cap bounds scan
        // cost and excludes large hosts the sequences were not derived from;
        // it also means a sample padded or bundled beyond that size will not
        // match, so do not rely on this rule alone for large artefacts.
        7 of them and filesize < 1744896
}
[TLP:WHITE] win_arkei_stealer_w0 (20181023 | Arkei Stealer)
rule win_arkei_stealer_w0 {
    // Hand-written string rule for Arkei Stealer (Fumik0_, 2018). It fires
    // only when all five strings below are present, in either 8-bit ASCII or
    // UTF-16LE ("wide ascii") encoding. Because it keys on plaintext, it is
    // meant for unpacked samples or memory dumps; a packed/encrypted on-disk
    // sample will typically not match.
    meta:
        author = "Fumik0_"
        description = "Arkei Stealer"
        // NOTE(review): the key is capitalised `Date` here whereas the
        // sibling auto rule uses `date`; harmless to YARA, but inconsistent
        // for tooling that reads rule metadata.
        Date = "2018/07/10"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.arkei_stealer"
        malpedia_version = "20181023"
        malpedia_sharing = "TLP:WHITE"
        malpedia_license = ""
 
    strings:
        // Family name as it appears in the binary.
        $s1 = "Arkei" wide ascii
        // Two server-side URI paths embedded in the sample; presumably the
        // endpoints the stealer contacts (panel "gate" and a config fetch) —
        // confirm against a traffic capture before using as network IoCs.
        $s2 = "/server/gate" wide ascii
        $s3 = "/server/grubConfig" wide ascii
        // Local path fragment (backslashes escaped for YARA).
        $s4 = "\\files\\" wide ascii
        // Generic library name present in many benign programs; only
        // discriminative in combination with the strings above.
        $s5 = "SQLite" wide ascii
 
    condition:
        // Requiring every string keeps the generic $s1/$s5 from matching on
        // their own; the cost is that any one renamed/removed string (e.g. a
        // changed panel path) defeats the rule.
        all of ($s*)   
}