win.arkei_stealer

Arkei Stealer

aka: ArkeiStealer

Arkei is an information stealer that appeared around May 2018. It collects browser data (saved passwords and autofill form data), cryptocurrency wallet data, and steals files matching an attacker-defined pattern. It then packs everything into a zip archive and uploads it to the attacker's panel. It was later forked and used as the base for the Vidar stealer (see the fumik0 analysis in the references below), so string-based detections for Arkei may also fire on, or miss, closely related variants.

References
2022-12-18ZAYOTEMEmre TÜRKYILMAZ, Celal Doğan DURAN
@online{trkyilmaz:20221218:arkei:a18364a, author = {Emre TÜRKYILMAZ and Celal Doğan DURAN}, title = {{Arkei Stealer Technical Analysis Report}}, date = {2022-12-18}, organization = {ZAYOTEM}, url = {https://drive.google.com/file/d/1wTH-BZrjxEBZwCnXJ3pQWGB7ou0IoBEr/view}, language = {English}, urldate = {2022-12-20} } Arkei Stealer Technical Analysis Report
Arkei Stealer
2022-11-07ThreatMonThreatMon Malware Research Team
@online{team:20221107:arkei:2d87f78, author = {ThreatMon Malware Research Team}, title = {{Arkei Staler Analysis}}, date = {2022-11-07}, organization = {ThreatMon}, url = {https://threatmon.io/arkei-stealer-analysis-threatmon/}, language = {English}, urldate = {2023-02-17} } Arkei Staler Analysis
Arkei Stealer
2022-10-13SpamhausSpamhaus Malware Labs
@techreport{labs:20221013:spamhaus:43e3190, author = {Spamhaus Malware Labs}, title = {{Spamhaus Botnet Threat Update Q3 2022}}, date = {2022-10-13}, institution = {Spamhaus}, url = {https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf}, language = {English}, urldate = {2022-12-29} } Spamhaus Botnet Threat Update Q3 2022
FluBot Arkei Stealer AsyncRAT Ave Maria BumbleBee Cobalt Strike DCRat Dridex Emotet Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT QakBot RecordBreaker RedLine Stealer Remcos Socelars Tofsee Vjw0rm
2022-07-13KELAKELA Cyber Intelligence Center
@online{center:20220713:next:b2e43e4, author = {KELA Cyber Intelligence Center}, title = {{The Next Generation of Info Stealers}}, date = {2022-07-13}, organization = {KELA}, url = {https://ke-la.com/information-stealers-a-new-landscape/}, language = {English}, urldate = {2022-07-18} } The Next Generation of Info Stealers
Arkei Stealer Azorult BlackGuard Eternity Stealer Ginzo Stealer Mars Stealer MetaStealer Raccoon RedLine Stealer Vidar
2022-03-23InfoSec Handlers Diary BlogBrad Duncan
@online{duncan:20220323:arkei:f9a44a4, author = {Brad Duncan}, title = {{Arkei Variants: From Vidar to Mars Stealer}}, date = {2022-03-23}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/Arkei+Variants%3A+From+Vidar+to+Mars+Stealer/28468}, language = {English}, urldate = {2023-04-25} } Arkei Variants: From Vidar to Mars Stealer
Arkei Stealer Mars Stealer Oski Stealer Vidar
2022-03-23InfoSec Handlers Diary BlogBrad Duncan
@online{duncan:20220323:arkei:b2a08f5, author = {Brad Duncan}, title = {{Arkei Variants: From Vidar to Mars Stealer}}, date = {2022-03-23}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/rss/28468}, language = {English}, urldate = {2022-03-25} } Arkei Variants: From Vidar to Mars Stealer
Arkei Stealer Mars Stealer Vidar
2022-02-17BlackberryBlackBerry Research & Intelligence Team
@online{team:20220217:threat:899b90a, author = {BlackBerry Research & Intelligence Team}, title = {{Threat Thursday: Arkei Infostealer Expands Reach Using SmokeLoader to Target Crypto Wallets and MFA}}, date = {2022-02-17}, organization = {Blackberry}, url = {https://blogs.blackberry.com/en/2022/02/threat-thursday-arkei-infostealer}, language = {English}, urldate = {2022-02-26} } Threat Thursday: Arkei Infostealer Expands Reach Using SmokeLoader to Target Crypto Wallets and MFA
Arkei Stealer SmokeLoader
2022-02-12forensicitguyTony Lambert
@online{lambert:20220212:analyzing:cea05eb, author = {Tony Lambert}, title = {{Analyzing a Stealer MSI using msitools}}, date = {2022-02-12}, organization = {forensicitguy}, url = {https://forensicitguy.github.io/analyzing-stealer-msi-using-msitools/}, language = {English}, urldate = {2022-02-14} } Analyzing a Stealer MSI using msitools
Arkei Stealer
2021-11-23Minerva LabsNatalie Zargarov
@online{zargarov:20211123:long:6d3da55, author = {Natalie Zargarov}, title = {{A Long List Of Arkei Stealer's Crypto Browser Wallets}}, date = {2021-11-23}, organization = {Minerva Labs}, url = {https://blog.minerva-labs.com/a-long-list-of-arkei-stealers-browser-crypto-wallets}, language = {English}, urldate = {2022-01-12} } A Long List Of Arkei Stealer's Crypto Browser Wallets
Arkei Stealer
2020-07-30SpamhausSpamhaus Malware Labs
@techreport{labs:20200730:spamhaus:038546d, author = {Spamhaus Malware Labs}, title = {{Spamhaus Botnet Threat Update Q2 2020}}, date = {2020-07-30}, institution = {Spamhaus}, url = {https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf}, language = {English}, urldate = {2020-07-30} } Spamhaus Botnet Threat Update Q2 2020
AdWind Agent Tesla Arkei Stealer AsyncRAT Ave Maria Azorult DanaBot Emotet IcedID ISFB KPOT Stealer Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT Pony Raccoon RedLine Stealer Remcos Zloader
2018-12-24fumik0 blogfumik0
@online{fumik0:20181224:lets:f7dfc2c, author = {fumik0}, title = {{Let’s dig into Vidar – An Arkei Copycat/Forked Stealer (In-depth analysis)}}, date = {2018-12-24}, organization = {fumik0 blog}, url = {https://fumik0.com/2018/12/24/lets-dig-into-vidar-an-arkei-copycat-forked-stealer-in-depth-analysis/}, language = {English}, urldate = {2022-01-12} } Let’s dig into Vidar – An Arkei Copycat/Forked Stealer (In-depth analysis)
Arkei Stealer Vidar
2018-06-15Bleeping ComputerCatalin Cimpanu
@online{cimpanu:20180615:hacker:e0452dd, author = {Catalin Cimpanu}, title = {{Hacker Breaches Syscoin GitHub Account and Poisons Official Client}}, date = {2018-06-15}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/hacker-breaches-syscoin-github-account-and-poisons-official-client/}, language = {English}, urldate = {2019-12-20} } Hacker Breaches Syscoin GitHub Account and Poisons Official Client
Arkei Stealer
Yara Rules
[TLP:WHITE] win_arkei_stealer_auto (20230715 | Detects win.arkei_stealer.)
rule win_arkei_stealer_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.arkei_stealer."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.arkei_stealer"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    // Reviewer notes on scope and deployment:
    //  - Each $sequence_N is a run of 32-bit x86 opcode bytes (the disassembly
    //    next to each byte string shows ebp-relative addressing and 32-bit
    //    registers). Every "ff15????????" is a wildcarded absolute-indirect
    //    call (ff 15 imm32): the imported-function address is left out of the
    //    match, so the rule does not depend on where the import table lands.
    //  - Because the patterns were taken from unpacked code, apply this rule to
    //    memory dumps or unpacked binaries. A packed or obfuscated on-disk
    //    sample will generally not expose these byte runs.
    //  - All sequences carry the same score (400) and, per the disclaimer, may
    //    derive from a single documented sample; treat a hit as a medium-
    //    confidence family attribution and corroborate with the string rule
    //    win_arkei_stealer_w0 or sandbox behaviour.

    strings:
        $sequence_0 = { 8d448a0e 6a00 8d4de4 51 6a0e 8d55ec }
            // n = 6, score = 400
            //   8d448a0e             | lea                 eax, [edx + ecx*4 + 0xe]
            //   6a00                 | push                0
            //   8d4de4               | lea                 ecx, [ebp - 0x1c]
            //   51                   | push                ecx
            //   6a0e                 | push                0xe
            //   8d55ec               | lea                 edx, [ebp - 0x14]

        $sequence_1 = { 56 894590 ff15???????? 8bf8 897d94 83ffff }
            // n = 6, score = 400
            //   56                   | push                esi
            //   894590               | mov                 dword ptr [ebp - 0x70], eax
            //   ff15????????         |                     
            //   8bf8                 | mov                 edi, eax
            //   897d94               | mov                 dword ptr [ebp - 0x6c], edi
            //   83ffff               | cmp                 edi, -1

        $sequence_2 = { 668b4dd6 66894e0e 6683fb18 730c ba01000000 8acb d3e2 }
            // n = 7, score = 400
            //   668b4dd6             | mov                 cx, word ptr [ebp - 0x2a]
            //   66894e0e             | mov                 word ptr [esi + 0xe], cx
            //   6683fb18             | cmp                 bx, 0x18
            //   730c                 | jae                 0xe
            //   ba01000000           | mov                 edx, 1
            //   8acb                 | mov                 cl, bl
            //   d3e2                 | shl                 edx, cl

        $sequence_3 = { 6a00 8d45e4 50 56 53 57 }
            // n = 6, score = 400
            //   6a00                 | push                0
            //   8d45e4               | lea                 eax, [ebp - 0x1c]
            //   50                   | push                eax
            //   56                   | push                esi
            //   53                   | push                ebx
            //   57                   | push                edi

        $sequence_4 = { 51 50 6a00 6a00 ff15???????? 50 8945fc }
            // n = 7, score = 400
            //   51                   | push                ecx
            //   50                   | push                eax
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   ff15????????         |                     
            //   50                   | push                eax
            //   8945fc               | mov                 dword ptr [ebp - 4], eax

        $sequence_5 = { 51 6a00 ffd6 8b55e8 52 6a00 ffd6 }
            // n = 7, score = 400
            //   51                   | push                ecx
            //   6a00                 | push                0
            //   ffd6                 | call                esi
            //   8b55e8               | mov                 edx, dword ptr [ebp - 0x18]
            //   52                   | push                edx
            //   6a00                 | push                0
            //   ffd6                 | call                esi

        $sequence_6 = { 57 ff15???????? 8945e0 85c0 7513 33c0 5f }
            // n = 7, score = 400
            //   57                   | push                edi
            //   ff15????????         |                     
            //   8945e0               | mov                 dword ptr [ebp - 0x20], eax
            //   85c0                 | test                eax, eax
            //   7513                 | jne                 0x15
            //   33c0                 | xor                 eax, eax
            //   5f                   | pop                 edi

        $sequence_7 = { 8b00 50 ff15???????? 83f8ff 740b a810 7507 }
            // n = 7, score = 400
            //   8b00                 | mov                 eax, dword ptr [eax]
            //   50                   | push                eax
            //   ff15????????         |                     
            //   83f8ff               | cmp                 eax, -1
            //   740b                 | je                  0xd
            //   a810                 | test                al, 0x10
            //   7507                 | jne                 9

        $sequence_8 = { 0fb7cb c1f803 0fafc1 0faf4608 33ff }
            // n = 5, score = 400
            //   0fb7cb               | movzx               ecx, bx
            //   c1f803               | sar                 eax, 3
            //   0fafc1               | imul                eax, ecx
            //   0faf4608             | imul                eax, dword ptr [esi + 8]
            //   33ff                 | xor                 edi, edi

        $sequence_9 = { 33d2 894dee 8955f2 8b4e20 }
            // n = 4, score = 400
            //   33d2                 | xor                 edx, edx
            //   894dee               | mov                 dword ptr [ebp - 0x12], ecx
            //   8955f2               | mov                 dword ptr [ebp - 0xe], edx
            //   8b4e20               | mov                 ecx, dword ptr [esi + 0x20]

    // Match policy: at least 7 of the 10 sequences must be present, and the
    // scanned object must be smaller than 1744896 bytes (1704 KiB). The size
    // bound is evaluated against whatever object YARA is given, so a large
    // process-memory region or a padded/inflated sample can fall outside it
    // even when the code sequences are present; relax it when scanning memory.
    condition:
        7 of them and filesize < 1744896
}
[TLP:WHITE] win_arkei_stealer_w0   (20181023 | Arkei Stealer)
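rule win_arkei_stealer_w0 {
    meta:
        author = "Fumik0_"
        description = "Arkei Stealer"
        // Key renamed from "Date" to the conventional lower-case "date" so the
        // meta field is consistent with win_arkei_stealer_auto and with tools
        // that read this field; the value is unchanged.
        date = "2018/07/10"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.arkei_stealer"
        malpedia_version = "20181023"
        malpedia_sharing = "TLP:WHITE"
        // Left empty upstream; do not assume a licence for this rule.
        malpedia_license = ""

    // Plain-text string rule. The strings are only visible once the sample is
    // unpacked, so this rule is for memory dumps or unpacked binaries; a
    // packed on-disk sample will normally not match. Each string is matched
    // case-sensitively as both ASCII and UTF-16LE ("wide ascii").
    strings:
        $s1 = "Arkei" wide ascii              // family self-identifier; generic on its own
        $s2 = "/server/gate" wide ascii       // panel URI path (presumably the check-in/upload gate)
        $s3 = "/server/grubConfig" wide ascii // panel URI path (presumably the grab-config fetch)
        $s4 = "\\files\\" wide ascii          // path fragment "\files\"; likely the staging directory for collected files
        $s5 = "SQLite" wide ascii             // consistent with parsing browser credential databases; very generic alone

    // All five strings are required. That keeps false positives low despite
    // the generic $s1/$s5, but it also means a fork or variant that drops any
    // single string (for example the "Arkei" brand) will not match; pair with
    // win_arkei_stealer_auto for coverage of such variants.
    condition:
        all of ($s*)
}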