TempStealer (Malware Family)

TempStealer

VTCollection
According to Cyble, this is a stealer targeting several crypto currency wallets along browser data.
References

2022-10-20 ⋅ cyble ⋅ Cyble Research Labs
New Temp Stealer Spreading Via Free & Cracked Software
TempStealer
Yara Rules

[TLP:WHITE] win_temp_stealer_auto (20230808 | Detects win.temp_stealer.)
rule win_temp_stealer_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.temp_stealer."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.temp_stealer"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 4d8bc7 498bce e8???????? 4885c0 7405 492bc6 eb04 }
            // n = 7, score = 100
            //   4d8bc7               | dec                 eax
            //   498bce               | mov                 dword ptr [esp + 0x30], 1
            //   e8????????           |                     
            //   4885c0               | dec                 eax
            //   7405                 | lea                 eax, [0x3b462]
            //   492bc6               | dec                 eax
            //   eb04                 | cmp                 esi, 1

        $sequence_1 = { 488d4c2430 e8???????? 488b442430 48635004 488d051a730300 4889441430 488b442430 }
            // n = 7, score = 100
            //   488d4c2430           | lea                 edx, [esp + 0x50]
            //   e8????????           |                     
            //   488b442430           | dec                 eax
            //   48635004             | lea                 ecx, [esp + 0x40]
            //   488d051a730300       | movups              xmmword ptr [ebp + 0x27], xmm1
            //   4889441430           | dec                 esp
            //   488b442430           | mov                 dword ptr [ebp - 0x49], esi

        $sequence_2 = { 5e 5d c3 4889542410 48894c2408 55 53 }
            // n = 7, score = 100
            //   5e                   | dec                 esp
            //   5d                   | mov                 dword ptr [esp + 0x40], ebp
            //   c3                   | dec                 esp
            //   4889542410           | mov                 dword ptr [esp + 0x50], ebp
            //   48894c2408           | dec                 eax
            //   55                   | mov                 dword ptr [esp + 0x20], edx
            //   53                   | dec                 eax

        $sequence_3 = { 488d4dc0 e8???????? 0f10442460 0f1145c0 0f104c2470 0f114dd0 660f6f05???????? }
            // n = 7, score = 100
            //   488d4dc0             | nop                 word ptr [eax + eax]
            //   e8????????           |                     
            //   0f10442460           | vpsrad              xmm4, xmm4, 6
            //   0f1145c0             | vpsllq              xmm4, xmm4, 0x34
            //   0f104c2470           | and                 eax, ecx
            //   0f114dd0             | dec                 eax
            //   660f6f05????????     |                     

        $sequence_4 = { 418ac7 84c0 0f8408010000 8b4c2448 488d154240fdff 2b4c244c 41b826000000 }
            // n = 7, score = 100
            //   418ac7               | dec                 eax
            //   84c0                 | mov                 dword ptr [esp + 0x28], eax
            //   0f8408010000         | dec                 esp
            //   8b4c2448             | lea                 ecx, [esp + 0x60]
            //   488d154240fdff       | dec                 eax
            //   2b4c244c             | cmp                 dword ptr [esp + 0x78], 8
            //   41b826000000         | dec                 esp

        $sequence_5 = { 488d4c2430 e8???????? 488d542430 488d4c2470 e8???????? 90 }
            // n = 6, score = 100
            //   488d4c2430           | dec                 eax
            //   e8????????           |                     
            //   488d542430           | sub                 esp, 0x20
            //   488d4c2470           | dec                 esp
            //   e8????????           |                     
            //   90                   | mov                 esp, dword ptr [ecx + 0x18]

        $sequence_6 = { 488d4c2450 e8???????? 660f6f05???????? 488d152a670300 488d4de0 4c896de0 f30f7f45f0 }
            // n = 7, score = 100
            //   488d4c2450           | cmp                 eax, esi
            //   e8????????           |                     
            //   660f6f05????????     |                     
            //   488d152a670300       | jbe                 0x7e4
            //   488d4de0             | dec                 eax
            //   4c896de0             | mov                 ecx, 0xfffffffe
            //   f30f7f45f0           | jmp                 0x816

        $sequence_7 = { 4183f805 0f8582000000 8b470c 458d487a c744243001000000 4c8d05ee7f0100 89442428 }
            // n = 7, score = 100
            //   4183f805             | dec                 eax
            //   0f8582000000         | mov                 ecx, ebx
            //   8b470c               | dec                 esp
            //   458d487a             | lea                 edi, [0x372]
            //   c744243001000000     | dec                 esp
            //   4c8d05ee7f0100       | mov                 dword ptr [esp + 0x20], edi
            //   89442428             | dec                 esp

        $sequence_8 = { ff15???????? 4c8be0 488985a0000000 488d15b9a30300 488bcb ff15???????? 4c8bf8 }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   4c8be0               | dec                 eax
            //   488985a0000000       | lea                 eax, [0xffffee08]
            //   488d15b9a30300       | dec                 eax
            //   488bcb               | mov                 dword ptr [esp + 0x20], eax
            //   ff15????????         |                     
            //   4c8bf8               | dec                 esp

        $sequence_9 = { 488d4c2458 e8???????? 90 488d8d48010000 e8???????? 488d45a8 }
            // n = 6, score = 100
            //   488d4c2458           | push                edi
            //   e8????????           |                     
            //   90                   | dec                 eax
            //   488d8d48010000       | lea                 ebp, [esp - 0x5b8]
            //   e8????????           |                     
            //   488d45a8             | dec                 eax

    condition:
        7 of them and filesize < 652288
}
Download all Yara Rules
TempStealer Propose Change

References

Yara Rules

TempStealer
