UAC-0226

api.ipify.org

conn-ectionor.cfd

ques-tion-ing.xyz

shaer-likn.store

bestshopu.online

idea-home.online

world-shop.online

first-course.online

make-house.online

zra-roll.online

clame-rade.online

word-course.online

expressmarket.online

sky-writer.online

adams-cooling.online

royalsoul.online

teammate-live.online

ude-final.online

door-black-meter.online

albert-company.online

dmn-for-car.online

goods-companies.online

ricardo-mell.online

wer-d.info

all-for-city.info

amg-car-ger.info

steve-brown.info

live-gml.online

exir-juice.online

live-conn.online

platinum-cnt.info

lynda-tricks.online

white-life-bl.info

prj-ph.info

ntp-clock-h.info

ph-crtdomain.info

warning-d.info

live-meet.blog

live-meet.cfd

network-show.online

arizonaclub.me

cloth-model.blog

network-review.xyz

gallery-shop.online

good-news.cfd

panel-network.online

encryption-redirect.online

rap-art.info

arrow-click.info

shadow-network.best

warplogic.pro

show-verify.xyz

suite-moral.info

crysus-p.info

ptr-cc.online

live-content.online

storm-wave.online

food-tips-blog.online

ph-work.info

panel-meeting.info

ntp-clock-p.info

pa-crtdomain.info

alex-mendez-fire.info

everything-here.info

alpha-man.info

master-club.info

www.siamgas.com

www.zuelligindustrial.com

ewet.bts.co.th

powershell.exe

wmic.exe

diskshadow.exe

wbadmin.exe

document.docm

spring-club.inf

beta-man.inf

cc-newton.inf

platinum-cnt.inf

white-life-bl.inf

prj-ph.inf

ntp-clock-h.inf

ph-crtdomain.inf

warning-d.inf

backback.inf

rap-art.inf

arrow-click.inf

crysus-p.inf

white-life.inf

normal-dmn.inf

prj-pa.inf

nsim-pa.inf

infinit-world.inf

reg-d.inf

alpha-man.inf

master-club.inf

ITG18

45.12.2.158

91.222.173.141

195.66.213.132

194.11.226.29

194.61.120.185

194.11.226.5

T1490

T1203

T1055

T1036

T1564.003

T1012

T1071

T1573

T1496

APT42

https://www.quaser.com/

https://service.seeyon.com/patchtools/tp.html

rule GIFTEDCROOK_Infostealer {
	meta:
		description = "Detects GIFTEDCROOK Infostealer based on known strings and behaviors"
		author = "CYFIRMA"
		date = "2025-07-01"
		malware_family = "GIFTEDCROOK"
		threat_type = "Infostealer"
		reference = "Internal Analysis / OSINT"
	strings:
		$s1 = "GIFTEDCROOK" ascii wide
		$s2 = "Crypto Wallets Found:"
		$s3 = "Collected browser credentials"
		$s4 = "Discord Token Grabber"
		$s5 = "System Information Collected"
		$s6 = "https://api.ipify.org"
		$s7 = "AppData\\Local\\Temp\\giftedcrook" wide
		$s8 = "Mozilla\\Firefox\\Profiles" wide
		$s9 = "Chrome\\User Data\\Default\\Login Data" wide
	condition:
		uint16(0) == 0x5A4D and (1 of ($s*) or all of ($s1, $s2, $s3))
}