Arkei Stealer (Malware Family)

SYMBOL	COMMON_NAME	aka. SYNONYMS

win.arkei_stealer (Back to overview)

Arkei Stealer

aka: ArkeiStealer

VTCollection URLhaus

Arkei is a stealer that appeared around May 2018. It collects data about browsers (saved passwords and autofill forms), cryptocurrency wallets, and steal files matching an attacker-defined pattern. It then exfiltrates everything in a zip file uploaded to the attacker's panel. Later, it was forked and used as a base to create Vidar stealer.

References

2023-07-24 ⋅ M4lcode ⋅ Mostafa Farghaly
Deep Analysis of Vidar Stealer
Arkei Stealer Vidar

2022-12-18 ⋅ ZAYOTEM ⋅ Celal Doğan DURAN, Emre TÜRKYILMAZ
Arkei Stealer Technical Analysis Report
Arkei Stealer

2022-11-07 ⋅ ThreatMon ⋅ ThreatMon Malware Research Team
Arkei Staler Analysis
Arkei Stealer

2022-10-13 ⋅ Spamhaus ⋅ Spamhaus Malware Labs
Spamhaus Botnet Threat Update Q3 2022
FluBot Arkei Stealer AsyncRAT Ave Maria BumbleBee Cobalt Strike DCRat Dridex Emotet Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT QakBot RecordBreaker RedLine Stealer Remcos Socelars Tofsee Vjw0rm

2022-07-13 ⋅ KELA ⋅ KELA Cyber Intelligence Center
The Next Generation of Info Stealers
Arkei Stealer Azorult BlackGuard Eternity Stealer Ginzo Stealer Mars Stealer MetaStealer Raccoon RedLine Stealer Vidar

2022-03-23 ⋅ InfoSec Handlers Diary Blog ⋅ Brad Duncan
Arkei Variants: From Vidar to Mars Stealer
Arkei Stealer Mars Stealer Vidar

2022-03-23 ⋅ InfoSec Handlers Diary Blog ⋅ Brad Duncan
Arkei Variants: From Vidar to Mars Stealer
Arkei Stealer Mars Stealer Oski Stealer Vidar

2022-02-17 ⋅ Blackberry ⋅ BlackBerry Research & Intelligence Team
Threat Thursday: Arkei Infostealer Expands Reach Using SmokeLoader to Target Crypto Wallets and MFA
Arkei Stealer SmokeLoader

2022-02-12 ⋅ forensicitguy ⋅ Tony Lambert
Analyzing a Stealer MSI using msitools
Arkei Stealer

2021-11-23 ⋅ Minerva Labs ⋅ Natalie Zargarov
A Long List Of Arkei Stealer's Crypto Browser Wallets
Arkei Stealer

2020-07-30 ⋅ Spamhaus ⋅ Spamhaus Malware Labs
Spamhaus Botnet Threat Update Q2 2020
AdWind Agent Tesla Arkei Stealer AsyncRAT Ave Maria Azorult DanaBot Emotet IcedID ISFB KPOT Stealer Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT Pony Raccoon RedLine Stealer Remcos Zloader

2018-12-24 ⋅ fumik0 blog ⋅ fumik0
Let’s dig into Vidar – An Arkei Copycat/Forked Stealer (In-depth analysis)
Arkei Stealer Vidar

2018-06-15 ⋅ Bleeping Computer ⋅ Catalin Cimpanu
Hacker Breaches Syscoin GitHub Account and Poisons Official Client
Arkei Stealer

Yara Rules

[TLP:WHITE] win_arkei_stealer_auto (20260504 | Detects win.arkei_stealer.)

rule win_arkei_stealer_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.arkei_stealer."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.arkei_stealer"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8b4e20 8b16 8d448a0e 6a00 8d4de4 51 6a0e }
            // n = 7, score = 400
            //   8b4e20               | mov                 ecx, dword ptr [esi + 0x20]
            //   8b16                 | mov                 edx, dword ptr [esi]
            //   8d448a0e             | lea                 eax, [edx + ecx*4 + 0xe]
            //   6a00                 | push                0
            //   8d4de4               | lea                 ecx, [ebp - 0x1c]
            //   51                   | push                ecx
            //   6a0e                 | push                0xe

        $sequence_1 = { 894e04 8b55cc 895608 668b45d4 6689460c 668b4dd6 }
            // n = 6, score = 400
            //   894e04               | mov                 dword ptr [esi + 4], ecx
            //   8b55cc               | mov                 edx, dword ptr [ebp - 0x34]
            //   895608               | mov                 dword ptr [esi + 8], edx
            //   668b45d4             | mov                 ax, word ptr [ebp - 0x2c]
            //   6689460c             | mov                 word ptr [esi + 0xc], ax
            //   668b4dd6             | mov                 cx, word ptr [ebp - 0x2a]

        $sequence_2 = { 6a40 ff15???????? 8bf0 c70628000000 8b4dc8 894e04 8b55cc }
            // n = 7, score = 400
            //   6a40                 | push                0x40
            //   ff15????????         |                     
            //   8bf0                 | mov                 esi, eax
            //   c70628000000         | mov                 dword ptr [esi], 0x28
            //   8b4dc8               | mov                 ecx, dword ptr [ebp - 0x38]
            //   894e04               | mov                 dword ptr [esi + 4], ecx
            //   8b55cc               | mov                 edx, dword ptr [ebp - 0x34]

        $sequence_3 = { 8b4dc8 894e04 8b55cc 895608 668b45d4 }
            // n = 5, score = 400
            //   8b4dc8               | mov                 ecx, dword ptr [ebp - 0x38]
            //   894e04               | mov                 dword ptr [esi + 4], ecx
            //   8b55cc               | mov                 edx, dword ptr [ebp - 0x34]
            //   895608               | mov                 dword ptr [esi + 8], edx
            //   668b45d4             | mov                 ax, word ptr [ebp - 0x2c]

        $sequence_4 = { 668b45d4 6689460c 668b4dd6 66894e0e }
            // n = 4, score = 400
            //   668b45d4             | mov                 ax, word ptr [ebp - 0x2c]
            //   6689460c             | mov                 word ptr [esi + 0xc], ax
            //   668b4dd6             | mov                 cx, word ptr [ebp - 0x2a]
            //   66894e0e             | mov                 word ptr [esi + 0xe], cx

        $sequence_5 = { ff15???????? 85c0 74de 8b4de8 682000cc00 53 56 }
            // n = 7, score = 400
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   74de                 | je                  0xffffffe0
            //   8b4de8               | mov                 ecx, dword ptr [ebp - 0x18]
            //   682000cc00           | push                0xcc0020
            //   53                   | push                ebx
            //   56                   | push                esi

        $sequence_6 = { 56 6a00 6a00 57 53 56 6a00 }
            // n = 7, score = 400
            //   56                   | push                esi
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   57                   | push                edi
            //   53                   | push                ebx
            //   56                   | push                esi
            //   6a00                 | push                0

        $sequence_7 = { 57 8945e8 ffd3 6a0a 57 8bf0 }
            // n = 6, score = 400
            //   57                   | push                edi
            //   8945e8               | mov                 dword ptr [ebp - 0x18], eax
            //   ffd3                 | call                ebx
            //   6a0a                 | push                0xa
            //   57                   | push                edi
            //   8bf0                 | mov                 esi, eax

        $sequence_8 = { 83ffff 0f849ffeffff ba424d0000 668955ec }
            // n = 4, score = 400
            //   83ffff               | cmp                 edi, -1
            //   0f849ffeffff         | je                  0xfffffea5
            //   ba424d0000           | mov                 edx, 0x4d42
            //   668955ec             | mov                 word ptr [ebp - 0x14], dx

        $sequence_9 = { 6a00 51 ff15???????? 85c0 74be }
            // n = 5, score = 400
            //   6a00                 | push                0
            //   51                   | push                ecx
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   74be                 | je                  0xffffffc0

    condition:
        7 of them and filesize < 1744896
}

[TLP:WHITE] win_arkei_stealer_w0 (20181023 | Arkei Stealer)

rule win_arkei_stealer_w0 {
    meta:
        author = "Fumik0_"
        description = "Arkei Stealer"
        Date = "2018/07/10"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.arkei_stealer"
        malpedia_version = "20181023"
        malpedia_sharing = "TLP:WHITE"
        malpedia_license = ""
 
    strings:
        $s1 = "Arkei" wide ascii
        $s2 = "/server/gate" wide ascii
        $s3 = "/server/grubConfig" wide ascii
        $s4 = "\\files\\" wide ascii
        $s5 = "SQLite" wide ascii
 
    condition:
        all of ($s*)   
}

Download all Yara Rules

Arkei Stealer Propose Change

References

Yara Rules

Arkei Stealer