win.temp_stealer

TempStealer


According to Cyble, this is a stealer that targets several cryptocurrency wallets along with browser data.

References
2022-10-20cybleCyble Research Labs
@online{labs:20221020:new:b8a4b5a, author = {Cyble Research Labs}, title = {{New Temp Stealer Spreading Via Free & Cracked Software}}, date = {2022-10-20}, organization = {cyble}, url = {https://blog.cyble.com/2022/10/20/infostealer-distributed-using-bundled-installer/}, language = {English}, urldate = {2022-11-21} } New Temp Stealer Spreading Via Free & Cracked Software
TempStealer
Yara Rules
[TLP:WHITE] win_temp_stealer_auto (20230125 | Detects win.temp_stealer.)
rule win_temp_stealer_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.temp_stealer."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.temp_stealer"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* NOTE(review)
     * Structure: ten opcode sequences ($sequence_0 .. $sequence_9), each six
     * or seven instructions long. A sample matches when at least 7 of the 10
     * sequences are present AND the scanned object is smaller than 652288
     * bytes. The size cap is part of the match logic: a memory dump or an
     * unpacked image above that size does not match even if every sequence
     * is present, so size the scan target accordingly.
     *
     * The hex bytes are the authoritative content of each string; the
     * mnemonic column in the generated comments does not line up with the
     * bytes beside it and is internally inconsistent (the same byte `90` is
     * annotated as "je 0x168" in $sequence_1 and as "nop" in $sequence_6;
     * the `e8????????` / `e9????????` / `ff15????????` lines carry no
     * mnemonic at all). Do not use the mnemonic column to judge what a
     * sequence does or how specific it is.
     *
     * `????????` wildcards replace the 4-byte operand of e8 (call rel32),
     * e9 (jmp rel32) and ff15 (call [rip+disp32]) instructions, so the
     * sequences tolerate different call/jump targets across builds.
     */


    strings:
        $sequence_0 = { 49c1fa06 4e8d1ced00000000 4d03dd 418a0438 41ffc1 4b8b8cd7f0940400 4903c8 }
            // n = 7, score = 100
            //   49c1fa06             | dec                 esp
            //   4e8d1ced00000000     | lea                 ecx, [0x168d9]
            //   4d03dd               | dec                 eax
            //   418a0438             | mov                 ebp, ecx
            //   41ffc1               | dec                 esp
            //   4b8b8cd7f0940400     | lea                 eax, [0x168c7]
            //   4903c8               | dec                 eax

        // call / nop / rbp-relative load pattern; presumably compiler-generated
        // cleanup (destructor) call stubs rather than family-specific logic —
        // low specificity on its own, confirm before weighting it.
        $sequence_1 = { 4c8bb5b0000000 e9???????? 488b4d28 e8???????? 90 488b4d38 }
            // n = 6, score = 100
            //   4c8bb5b0000000       | inc                 edx
            //   e9????????           |                     
            //   488b4d28             | test                byte ptr [eax + ebp*8 + 0x38], 1
            //   e8????????           |                     
            //   90                   | je                  0x168
            //   488b4d38             | dec                 eax

        $sequence_2 = { 0f45f8 897db0 89b578020000 4889742478 48897588 48897590 488d542458 }
            // n = 7, score = 100
            //   0f45f8               | dec                 eax
            //   897db0               | mov                 edx, dword ptr [ebx]
            //   89b578020000         | dec                 eax
            //   4889742478           | shl                 edx, 4
            //   48897588             | dec                 ebp
            //   48897590             | mov                 ecx, esi
            //   488d542458           | inc                 esp

        $sequence_3 = { 49635608 48035608 0fb60a 83e10f 4a0fbe840160280300 428a8c0170280300 482bd0 }
            // n = 7, score = 100
            //   49635608             | push                esi
            //   48035608             | inc                 ecx
            //   0fb60a               | push                edi
            //   83e10f               | dec                 eax
            //   4a0fbe840160280300     | lea    ebp, [esp - 0x1fc0]
            //   428a8c0170280300     | mov                 eax, 0x20c0
            //   482bd0               | dec                 eax

        $sequence_4 = { 4885c9 7426 488d59f8 4d8bcc 4c8b03 498bd7 }
            // n = 6, score = 100
            //   4885c9               | cmp                 eax, 0xc
            //   7426                 | jb                  0x29e
            //   488d59f8             | dec                 esp
            //   4d8bcc               | mov                 ecx, edx
            //   4c8b03               | dec                 eax
            //   498bd7               | cmp                 dword ptr [edx + 0x18], 8

        // Same call / nop / rbp-relative load shape as $sequence_1; see the
        // note there.
        $sequence_5 = { 90 488b4dc0 e8???????? 90 488b4d90 e8???????? }
            // n = 6, score = 100
            //   90                   | dec                 esp
            //   488b4dc0             | mov                 esp, eax
            //   e8????????           |                     
            //   90                   | dec                 edx
            //   488b4d90             | cmp                 eax, dword ptr [ecx + edi*8 + 0x30]
            //   e8????????           |                     

        $sequence_6 = { e8???????? 4883f8ff 743c 488b5c2450 48895c2440 488bcb e8???????? }
            // n = 7, score = 100
            //   e8????????           |                     
            //   4883f8ff             | dec                 eax
            //   743c                 | mov                 ecx, dword ptr [ebp + 0x48]
            //   488b5c2450           | nop                 
            //   48895c2440           | dec                 eax
            //   488bcb               | mov                 ecx, dword ptr [ebp - 0x18]
            //   e8????????           |                     

        // Reads as a plain function epilogue: mov rbx, [rsp+0x660];
        // add rsp, 0x620; pop r15 / r14 / r13 / r12 / rdi. This shape is
        // generic to any x64 function with a 0x620-byte frame, so it adds
        // little specificity by itself; it only counts towards "7 of them".
        $sequence_7 = { 488b9c2460060000 4881c420060000 415f 415e 415d 415c 5f }
            // n = 7, score = 100
            //   488b9c2460060000     | mov                 eax, dword ptr [esp + 0x68]
            //   4881c420060000       | test                eax, eax
            //   415f                 | dec                 eax
            //   415e                 | lea                 edx, [esp + 0x70]
            //   415d                 | dec                 eax
            //   415c                 | lea                 ecx, [ebp + 0x1d0]
            //   5f                   | add                 ebx, edi

        $sequence_8 = { e8???????? 488bcb ff15???????? ffc0 4863c8 e8???????? 488bcb }
            // n = 7, score = 100
            //   e8????????           |                     
            //   488bcb               | dec                 eax
            //   ff15????????         |                     
            //   ffc0                 | mov                 esi, edi
            //   4863c8               | jb                  0x267
            //   e8????????           |                     
            //   488bcb               | dec                 eax

        // 48be feffffffffffff7f loads the 64-bit constant 0x7ffffffffffffffe
        // into rsi; that value is familiar from MSVC std::basic_string
        // max_size handling, i.e. likely a runtime-library idiom rather than
        // family-specific code — confirm before treating this sequence as
        // strong evidence on its own.
        $sequence_9 = { 488d15c1a30300 488bcb ff15???????? 488985a8000000 488b5710 48befeffffffffffff7f 488bce }
            // n = 7, score = 100
            //   488d15c1a30300       | je                  0x5a
            //   488bcb               | dec                 esp
            //   ff15????????         |                     
            //   488985a8000000       | mov                 dword ptr [edi + 0x68], esp
            //   488b5710             | jmp                 0xa0
            //   48befeffffffffffff7f     | dec    esp
            //   488bce               | mov                 dword ptr [edi + 0x68], esi

    condition:
        // At least 7 of the 10 sequences, and the object must be under
        // 652288 bytes (see the NOTE(review) block above on the size cap).
        7 of them and filesize < 652288
}