win.arkei_stealer

Arkei Stealer

aka: ArkeiStealer

There is no description at this point.

References
2020-07-30 — Spamhaus — Spamhaus Malware Labs
@techreport{labs:20200730:spamhaus:038546d, author = {Spamhaus Malware Labs}, title = {{Spamhaus Botnet Threat Update Q2 2020}}, date = {2020-07-30}, institution = {Spamhaus}, url = {https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf}, language = {English}, urldate = {2020-07-30} } Spamhaus Botnet Threat Update Q2 2020
AdWind Agent Tesla Arkei Stealer AsyncRAT Ave Maria Azorult DanaBot Emotet IcedID ISFB KPOT Stealer Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT Pony Raccoon RedLine Stealer Remcos Zloader
2018-06-15 — Bleeping Computer — Catalin Cimpanu
@online{cimpanu:20180615:hacker:e0452dd, author = {Catalin Cimpanu}, title = {{Hacker Breaches Syscoin GitHub Account and Poisons Official Client}}, date = {2018-06-15}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/hacker-breaches-syscoin-github-account-and-poisons-official-client/}, language = {English}, urldate = {2019-12-20} } Hacker Breaches Syscoin GitHub Account and Poisons Official Client
Arkei Stealer
Yara Rules
[TLP:WHITE] win_arkei_stealer_auto (20201014 | autogenerated rule brought to you by yara-signator)
rule win_arkei_stealer_auto {
    // Detects Arkei Stealer (Malpedia family win.arkei_stealer) by requiring
    // 7 of the 10 x86 (32-bit) code byte sequences below, which yara-signator
    // extracted automatically from the disassembly of Malpedia samples.
    // Read the DISCLAIMER further down before assigning this rule a confidence
    // level: the sequences come from a small sample set and may not generalise
    // to other builds or packers of the family.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.arkei_stealer"
        malpedia_rule_date = "20201014"
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each $sequence_N is a run of consecutive x86 instruction encodings; the
        // "// n = .., score = .." line under it gives the instruction count and
        // the generator's selection score, followed by the disassembly of each
        // instruction. "??" bytes are wildcards. In these sequences they stand
        // for the 4-byte absolute operand of "ff15" (call dword ptr [imm32],
        // typically an import-table slot) and "8b35" (mov esi, dword ptr [imm32]),
        // which depends on the image base / relocation and so is not matched;
        // that is why the disassembly column for those instructions is blank.
        $sequence_0 = { ff15???????? 8945e0 85c0 7513 33c0 5f }
            // n = 6, score = 300
            //   ff15????????         |                     
            //   8945e0               | mov                 dword ptr [ebp - 0x20], eax
            //   85c0                 | test                eax, eax
            //   7513                 | jne                 0x15
            //   33c0                 | xor                 eax, eax
            //   5f                   | pop                 edi

        $sequence_1 = { 33d2 894dee 8955f2 8b4e20 }
            // n = 4, score = 300
            //   33d2                 | xor                 edx, edx
            //   894dee               | mov                 dword ptr [ebp - 0x12], ecx
            //   8955f2               | mov                 dword ptr [ebp - 0xe], edx
            //   8b4e20               | mov                 ecx, dword ptr [esi + 0x20]

        $sequence_2 = { 397814 7202 8b00 53 50 ff15???????? }
            // n = 6, score = 300
            //   397814               | cmp                 dword ptr [eax + 0x14], edi
            //   7202                 | jb                  4
            //   8b00                 | mov                 eax, dword ptr [eax]
            //   53                   | push                ebx
            //   50                   | push                eax
            //   ff15????????         |                     

        // $sequence_3 and $sequence_5 overlap by six instructions (they are the
        // same code window shifted by one instruction), so a sample containing
        // that window usually contributes two hits towards the "7 of them" count.
        $sequence_3 = { 8bf0 c70628000000 8b4dc8 894e04 8b55cc 895608 668b45d4 }
            // n = 7, score = 300
            //   8bf0                 | mov                 esi, eax
            //   c70628000000         | mov                 dword ptr [esi], 0x28
            //   8b4dc8               | mov                 ecx, dword ptr [ebp - 0x38]
            //   894e04               | mov                 dword ptr [esi + 4], ecx
            //   8b55cc               | mov                 edx, dword ptr [ebp - 0x34]
            //   895608               | mov                 dword ptr [esi + 8], edx
            //   668b45d4             | mov                 ax, word ptr [ebp - 0x2c]

        $sequence_4 = { 56 53 52 57 50 51 ff15???????? }
            // n = 7, score = 300
            //   56                   | push                esi
            //   53                   | push                ebx
            //   52                   | push                edx
            //   57                   | push                edi
            //   50                   | push                eax
            //   51                   | push                ecx
            //   ff15????????         |                     

        $sequence_5 = { c70628000000 8b4dc8 894e04 8b55cc 895608 668b45d4 6689460c }
            // n = 7, score = 300
            //   c70628000000         | mov                 dword ptr [esi], 0x28
            //   8b4dc8               | mov                 ecx, dword ptr [ebp - 0x38]
            //   894e04               | mov                 dword ptr [esi + 4], ecx
            //   8b55cc               | mov                 edx, dword ptr [ebp - 0x34]
            //   895608               | mov                 dword ptr [esi + 8], edx
            //   668b45d4             | mov                 ax, word ptr [ebp - 0x2c]
            //   6689460c             | mov                 word ptr [esi + 0xc], ax

        $sequence_6 = { 682000cc00 53 56 6a00 6a00 57 }
            // n = 6, score = 300
            //   682000cc00           | push                0xcc0020
            //   53                   | push                ebx
            //   56                   | push                esi
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   57                   | push                edi

        $sequence_7 = { 85c0 0f840efeffff 53 ff15???????? 8b4ddc 8b35???????? }
            // n = 6, score = 300
            //   85c0                 | test                eax, eax
            //   0f840efeffff         | je                  0xfffffe14
            //   53                   | push                ebx
            //   ff15????????         |                     
            //   8b4ddc               | mov                 ecx, dword ptr [ebp - 0x24]
            //   8b35????????         |                     

        $sequence_8 = { 57 8945e8 ffd3 6a0a 57 8bf0 ffd3 }
            // n = 7, score = 300
            //   57                   | push                edi
            //   8945e8               | mov                 dword ptr [ebp - 0x18], eax
            //   ffd3                 | call                ebx
            //   6a0a                 | push                0xa
            //   57                   | push                edi
            //   8bf0                 | mov                 esi, eax
            //   ffd3                 | call                ebx

        $sequence_9 = { 8d148d28000000 52 56 57 }
            // n = 4, score = 300
            //   8d148d28000000       | lea                 edx, [ecx*4 + 0x28]
            //   52                   | push                edx
            //   56                   | push                esi
            //   57                   | push                edi

    condition:
        // At least 7 of the 10 sequences must match, and the scanned object must
        // be smaller than 1744896 bytes (0x1AA000, about 1.66 MiB). There is no
        // PE-header check, so the rule also applies to unpacked dumps; note,
        // however, that the size bound is evaluated against the scanned object,
        // so a true positive inside a larger memory dump is excluded, and
        // NOTE(review): filesize is presumably undefined when scanning a running
        // process, which would make the whole conjunction fail to match — confirm
        // against the YARA version in use before relying on it for live scans.
        7 of them and filesize < 1744896
}
[TLP:WHITE] win_arkei_stealer_w0   (20181023 | No description)
rule win_arkei_stealer_w0 {
    // Hand-written Arkei Stealer signature (Fumik0_, 2018) based purely on
    // plain-text strings: the family name, two URI paths, a backslash-delimited
    // directory fragment and a database-engine name. All five must be present
    // in either ASCII or UTF-16LE form.
    meta:
        Author = "Fumik0_"
        Description = "Arkei Stealer"
        Date = "2018/07/10"
        // NOTE(review): this reference points at the win.predator entry, while
        // the rule name, Description and strings are all Arkei and the page
        // distributing the rule is win.arkei_stealer. Confirm which family entry
        // the rule was originally attached to before redistributing it.
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.predator"
        malpedia_version = "20181023"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
 
    strings:
        // "wide ascii" matches each string both as 8-bit ASCII and as UTF-16LE.
        // Matching is case-sensitive (no "nocase" modifier).
        $s1 = "Arkei" wide ascii
        // Two URI paths; presumably the sample's server endpoints — verify
        // against the sample before using them as network indicators.
        $s2 = "/server/gate" wide ascii
        $s3 = "/server/grubConfig" wide ascii
        // "\\" is the YARA escape for one backslash; the literal matched is \files\
        $s4 = "\\files\\" wide ascii
        // Generic on its own ("SQLite" appears in many benign binaries); it only
        // carries weight because the condition requires every string.
        $s5 = "SQLite" wide ascii
 
    condition:
        // Every $s* string must be present (there is no filesize or PE check, so
        // the rule is applicable to unpacked files and memory dumps alike).
        all of ($s*)   
}