The Stealthy Email Stealer in the TA505 Arsenal - Yoroi
Common Information
Type | Value |
---|---|
UUID | ffd56ce9-9386-4c37-a2db-2d8aaed49610 |
Fingerprint | ae30099b09a30609 |
Analysis status | DONE |
Considered CTI value | 2 |
Text language | |
Published | May 16, 2019, 11:56 a.m. |
Added to db | Sept. 26, 2022, 9:33 a.m. |
Last updated | Nov. 17, 2024, 6:54 p.m. |
Headline | The Stealthy Email Stealer in the TA505 Arsenal |
Title | The Stealthy Email Stealer in the TA505 Arsenal - Yoroi |
Detected Hints/Tags/Attributes | 84/3/19 |
Attributes
Type | #Events | Value |
---|---|---|
Domain | 1 | bullettruth.com |
Domain | 1 | nettubex.top |
File | 173 | outlook.exe |
sha256 | 1 | f3e8f68c31c86d431adea1633c875c32434a42aee5ed70af74af5c5e5aa58883 |
sha256 | 1 | 104dae7457c10b7fe6c42a335f2a57ff708ff20d70597fbaa5fe0083c1c628c7 |
sha256 | 1 | e4b40cba02dc1de1a1c2ed2001d39a87c476c11ca08f09a80fd3f1fbaae0daeb |
sha256 | 1 | 899bfac53c3439a7ea68f9a5bbff2733ebf7b9158f18ef5d03360a09b18b5e0d |
IPv4 | 1 | 178.48.154.38 |
IPv4 | 1 | 5.253.53.236 |
IPv4 | 1 | 87.241.136.1 |
IPv4 | 1 | 197.255.225.249 |
IPv4 | 1 | 95.140.195.178 |
IPv4 | 1 | 186.74.208.84 |
IPv4 | 2 | 86.61.75.99 |
IPv4 | 1 | 86.101.230.109 |
IPv4 | 1 | 89.47.94.113 |
IPv4 | 1 | 130.204.181.90 |
IPv4 | 2 | 78.90.243.124 |
Yara rule | 1 | EmailStealer_201905 (rule text below) |

Yara rule (1 event), as published in the record:

```yara
import "pe"

rule EmailStealer_201905 {
    meta:
        description = "Yara rule for EmailStealer"
        author = "Cybaze - Yoroi ZLab"
        last_updated = "2019-05-14"
        tlp = "white"
        category = "informational"
    strings:
        $a1 = { 80 F2 F3 00 56 53 A7 }
        $a2 = { 4D 26 9A 00 56 4B AC 55 }
        $a3 = { 1C 4A 77 00 00 89 B4 B7 }
    condition:
        uint16(0) == 0x5A4D and pe.number_of_sections == 3 and all of them
}
```