win.terra_stealer

TerraStealer

aka: StealerOne, SONE, Taurus Loader Stealer Module

Actor(s): VENOM SPIDER, FIN6


According to QuoINT, TerraStealer (also known as SONE or StealerOne) is a generic reconnaissance tool that targets, for example, email clients, web browsers, and file-transfer utilities. It is attributed to Golden Chickens.

References
2025-05-01 — Recorded Future — Insikt Group
TerraStealerV2 and TerraLogger: Golden Chickens' New Malware Families Discovered
TerraStealer
2020-07-20 — QuoIntelligence
Golden Chickens: Evolution of the MaaS
More_eggs TerraLoader TerraStealer VenomLNK
2020-07-10 — Github (eset) — Matías Porolli
Evilnum — Indicators of Compromise
EVILNUM More_eggs EVILNUM TerraStealer
2020-07-09 — ESET Research — Matías Porolli
More evil: A deep look at Evilnum and its toolset
EVILNUM More_eggs EVILNUM TerraPreter TerraStealer TerraTV Evilnum
2020-06-24 — Twitter (@3xp0rtblog) — 3xp0rt
Tweet on new version of TaurusStealer (v1.4)
TerraStealer
2020-03-04 — CrowdStrike — CrowdStrike
2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelDridex DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot Vidar Winnti ANTHROPOID SPIDER APT23 APT31 APT39 APT40 BlackTech BuhTrap Charming Kitten CLOCKWORK SPIDER DOPPEL SPIDER FIN7 Gamaredon Group GOBLIN PANDA MONTY SPIDER MUSTANG PANDA NARWHAL SPIDER NOCTURNAL SPIDER PINCHY SPIDER SALTY SPIDER SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER VICEROY TIGER
2020-01-27 — QuoScient — QuoScient
The Chicken Keeps Laying New Eggs: Uncovering New GC MaaS Tools Used By Top-tier Threat Actors
TerraRecon TerraStealer TerraTV VenomLNK
Yara Rules
[TLP:WHITE] win_terra_stealer_auto (20260504 | Detects win.terra_stealer.)
rule win_terra_stealer_auto {

    /* Auto-generated (yara-signator) code-pattern rule for win.terra_stealer.
     * Each $sequence_N string is a run of seven raw x86 instruction encodings
     * taken from unpacked / memory-dumped samples (see DISCLAIMER below).
     * The `??` wildcards mask the 4-byte relative displacement of call/jmp
     * (e8/e9) and memory-indirect call (ff15) operands, which change with
     * code placement, so the opcode bytes around them still match across
     * relocations. The rule fires when at least 7 of the 10 sequences are
     * present and the scanned file is smaller than 4621312 bytes. */
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.terra_stealer."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.terra_stealer"
        malpedia_rule_date = "20260422"
        // NOTE(review): presumably the reference sample the rule was generated from — confirm on the Malpedia page
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // NOTE(review): the per-byte disassembly annotations below are
        // auto-generated and do not line up with the hex they sit next to
        // (e.g. `eb05` is a short jmp, not `mov edx, edi`; the leading
        // 48/49/4c/41 bytes look like x64 REX prefixes that have been rendered
        // as 32-bit `dec`/`inc`). Treat the annotations as informational only —
        // the hex bytes are what the rule actually matches.
        $sequence_0 = { e8???????? eb05 4c8b7c2460 41807f6700 7421 498b8f60010000 488d1509a31300 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   eb05                 | mov                 edx, edi
            //   4c8b7c2460           | dec                 ecx
            //   41807f6700           | mov                 ecx, esi
            //   7421                 | dec                 eax
            //   498b8f60010000       | mov                 eax, dword ptr [esp + 0x70]
            //   488d1509a31300       | dec                 eax

        $sequence_1 = { e8???????? 83f875 0f858e020000 488bcb e8???????? 83f8ff 0f848f020000 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   83f875               | dec                 eax
            //   0f858e020000         | mov                 ecx, esi
            //   488bcb               | je                  0xf1a
            //   e8????????           |                     
            //   83f8ff               | dec                 eax
            //   0f848f020000         | lea                 edx, [0xa9896]

        $sequence_2 = { f6430466 0f841a010000 397708 0f84df010000 48635708 4c8d3d9c90e7ff 48035508 }
            // n = 7, score = 100
            //   f6430466             | mov                 eax, esp
            //   0f841a010000         | dec                 eax
            //   397708               | add                 esp, 0x38
            //   0f84df010000         | inc                 ecx
            //   48635708             | pop                 esi
            //   4c8d3d9c90e7ff       | inc                 ecx
            //   48035508             | pop                 esp

        $sequence_3 = { f644c81220 7407 814e6400180000 488b4608 6642891460 498b07 803871 }
            // n = 7, score = 100
            //   f644c81220           | jne                 0x1de0
            //   7407                 | dec                 eax
            //   814e6400180000       | inc                 edi
            //   488b4608             | cmp                 dword ptr [ebp - 0x3d], 0xc
            //   6642891460           | jge                 0x1de0
            //   498b07               | dec                 eax
            //   803871               | lea                 edx, [0x84387]

        $sequence_4 = { e8???????? 48894558 e9???????? 488d0dafdf0a00 ff15???????? 48894550 4885c0 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   48894558             | nop                 
            //   e9????????           |                     
            //   488d0dafdf0a00       | dec                 ebp
            //   ff15????????         |                     
            //   48894550             | mov                 edx, dword ptr [esp]
            //   4885c0               | movsx               eax, word ptr [esi + edi*4]

        $sequence_5 = { eb0d e8???????? 488bf0 4889442428 33ff 4983e7f0 4c03fe }
            // n = 7, score = 100
            //   eb0d                 | dec                 ecx
            //   e8????????           |                     
            //   488bf0               | inc                 eax
            //   4889442428           | dec                 eax
            //   33ff                 | lea                 eax, [0x810e9]
            //   4983e7f0             | dec                 esp
            //   4c03fe               | cmovne              ecx, eax

        $sequence_6 = { e8???????? 48897c2450 488b8c2428010000 4885c9 0f84f6030000 8bd5 498bcc }
            // n = 7, score = 100
            //   e8????????           |                     
            //   48897c2450           | dec                 esp
            //   488b8c2428010000     | mov                 ecx, eax
            //   4885c9               | dec                 eax
            //   0f84f6030000         | arpl                cx, dx
            //   8bd5                 | dec                 eax
            //   498bcc               | mov                 eax, ebp

        // Seven consecutive `mov dword ptr [ebp+disp32], imm32` stores (c785);
        // the immediates are constant data and carry no wildcards, so this
        // sequence is fully literal.
        $sequence_7 = { c785a40400001f2f535b c785a804000024011905 c785ac040000052f2a38 c785b00400003c2f303b c785b40400002b090321 c785b80400005d09391b c785bc04000018225e0c }
            // n = 7, score = 100
            //   c785a40400001f2f535b     | mov    dword ptr [eax + ecx*8 + 4], edx
            //   c785a804000024011905     | dec    eax
            //   c785ac040000052f2a38     | mov    dword ptr [eax + ecx*8 + 8], edx
            //   c785b00400003c2f303b     | dec    eax
            //   c785b40400002b090321     | mov    dword ptr [eax + ecx*8 + 0x10], edi
            //   c785b80400005d09391b     | dec    ecx
            //   c785bc04000018225e0c     | mov    eax, dword ptr [esi + 8]

        // Alternating jmp-rel32 (e9) / load pairs: four of the seven entries
        // are wildcarded, so only the three `488b8a…` loads are literal here.
        $sequence_8 = { e9???????? 488b8a60000000 e9???????? 488b8a00010000 e9???????? 488b8a08010000 e9???????? }
            // n = 7, score = 100
            //   e9????????           |                     
            //   488b8a60000000       | mov                 esi, dword ptr [esp + 0xa0]
            //   e9????????           |                     
            //   488b8a00010000       | cmp                 esi, 0x51
            //   e9????????           |                     
            //   488b8a08010000       | jne                 0x2cc
            //   e9????????           |                     

        $sequence_9 = { e8???????? 8be8 4885f6 7452 4c8b4670 41f6403420 743f }
            // n = 7, score = 100
            //   e8????????           |                     
            //   8be8                 | inc                 esp
            //   4885f6               | mov                 edi, dword ptr [ebp - 0x6c]
            //   7452                 | dec                 eax
            //   4c8b4670             | lea                 ecx, [esp + 0x50]
            //   41f6403420           | dec                 eax
            //   743f                 | mov                 edx, eax

    condition:
        // Match requires at least 7 of the 10 $sequence_* strings and a file
        // smaller than 4621312 bytes; the size bound is part of the match
        // semantics, not just a performance guard, so a larger sample
        // containing the same code will not fire this rule.
        7 of them and filesize < 4621312
}