DeltaStealer (Malware Family)

DeltaStealer

Rust-based infostealer.
References

2023-05-19 ⋅ Trend Micro ⋅ Nitesh Surana, Jaromír Hořejší
Rust-Based Info Stealers Abuse GitHub Codespaces
DeltaStealer
Yara Rules

[TLP:WHITE] win_deltastealer_auto (20230715 | Detects win.deltastealer.)
rule win_deltastealer_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.deltastealer."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.deltastealer"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 742f 4c8b7608 4c89f1 4889da 4189f8 e8???????? 3c3a }
            // n = 7, score = 100
            //   742f                 | inc                 ecx
            //   4c8b7608             | or                  dl, byte ptr [eax + 0x23]
            //   4c89f1               | jae                 0x689
            //   4889da               | dec                 eax
            //   4189f8               | mov                 ecx, dword ptr [edi + 0x18]
            //   e8????????           |                     
            //   3c3a                 | mov                 dl, byte ptr [esp + eax + 0x28]

        $sequence_1 = { c3 56 4883ec20 4889ce 8b09 83f907 7310 }
            // n = 7, score = 100
            //   c3                   | ud2                 
            //   56                   | mov                 ecx, 0x400
            //   4883ec20             | ret                 
            //   4889ce               | dec                 eax
            //   8b09                 | lea                 ecx, [0x121f92]
            //   83f907               | dec                 esp
            //   7310                 | lea                 eax, [0xf03a3]

        $sequence_2 = { 09d1 c1e106 83e33f 09cb 81fb00001100 0f8462010000 84c0 }
            // n = 7, score = 100
            //   09d1                 | dec                 eax
            //   c1e106               | mov                 dword ptr [esp + 0x20], eax
            //   83e33f               | jae                 0x33e
            //   09cb                 | dec                 ecx
            //   81fb00001100         | lea                 ecx, [esi + 0x10]
            //   0f8462010000         | dec                 esp
            //   84c0                 | mov                 edx, esi

        $sequence_3 = { ffc9 4889f2 e8???????? 66c746080100 4883c609 eb02 31f6 }
            // n = 7, score = 100
            //   ffc9                 | dec                 eax
            //   4889f2               | test                eax, eax
            //   e8????????           |                     
            //   66c746080100         | je                  0xd2
            //   4883c609             | dec                 eax
            //   eb02                 | mov                 ecx, dword ptr [esi + 0x20]
            //   31f6                 | dec                 eax

        $sequence_4 = { 89c3 4889f9 4889f2 e8???????? 84db 7405 8a5f39 }
            // n = 7, score = 100
            //   89c3                 | movzx               ecx, word ptr [esp + 0x2a]
            //   4889f9               | mov                 word ptr [edi + 0x7f], cx
            //   4889f2               | dec                 eax
            //   e8????????           |                     
            //   84db                 | mov                 ecx, dword ptr [esp + 0x50]
            //   7405                 | dec                 eax
            //   8a5f39               | mov                 dword ptr [edi + 0x10], ecx

        $sequence_5 = { 750f 488b4210 48894110 0f1002 0f1101 c3 4c8b02 }
            // n = 7, score = 100
            //   750f                 | inc                 ebx
            //   488b4210             | xor                 esi, esi
            //   48894110             | dec                 eax
            //   0f1002               | dec                 ebx
            //   0f1101               | je                  0x449
            //   c3                   | dec                 eax
            //   4c8b02               | mov                 ecx, edi

        $sequence_6 = { c0e005 08d3 4008e8 48ffc1 38c3 74c7 4c39f9 }
            // n = 7, score = 100
            //   c0e005               | dec                 eax
            //   08d3                 | lea                 edi, [esp + 0x260]
            //   4008e8               | dec                 eax
            //   48ffc1               | mov                 ecx, dword ptr [esp + 0x78]
            //   38c3                 | dec                 eax
            //   74c7                 | mov                 esi, eax
            //   4c39f9               | mov                 ebp, 1

        $sequence_7 = { f348a5 488db42460190000 488d9424301d0000 41b8a0000000 4889f1 e8???????? c683d202000001 }
            // n = 7, score = 100
            //   f348a5               | dec                 esp
            //   488db42460190000     | mov                 dword ptr [esp + 0x60], ebp
            //   488d9424301d0000     | dec                 eax
            //   41b8a0000000         | mov                 dword ptr [esp + 0x68], edi
            //   4889f1               | dec                 eax
            //   e8????????           |                     
            //   c683d202000001       | mov                 edx, dword ptr [esp + 0x350]

        $sequence_8 = { eb4c 488d4c2428 488901 488d442430 488908 488d15cda90600 488d4c2440 }
            // n = 7, score = 100
            //   eb4c                 | mov                 ecx, edi
            //   488d4c2428           | jmp                 0x441
            //   488901               | mov                 byte ptr [ebx + 0x10], 0
            //   488d442430           | jmp                 0x430
            //   488908               | xor                 edi, edi
            //   488d15cda90600       | dec                 eax
            //   488d4c2440           | mov                 eax, dword ptr [esi + 0x18]

        $sequence_9 = { 48c784247001000001000000 4883a4247801000000 e9???????? 89b42480010000 e9???????? 488b842478010000 83bc24e000000000 }
            // n = 7, score = 100
            //   48c784247001000001000000     | dec    eax
            //   4883a4247801000000     | mov    dword ptr [esp + 0x20], 0
            //   e9????????           |                     
            //   89b42480010000       | dec                 eax
            //   e9????????           |                     
            //   488b842478010000     | lea                 eax, [0x25746]
            //   83bc24e000000000     | dec                 eax

    condition:
        7 of them and filesize < 3532800
}
Download all Yara Rules
DeltaStealer Propose Change

References

Yara Rules

DeltaStealer
