From ca635cc3fcba747eb4d26afe24533740645567e1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=BCrgen=20L=C3=B6hel?= Date: Mon, 30 Jan 2023 18:29:25 -0600 Subject: [PATCH] chg: [stealer] Adds DarkCloud and BluStealer MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Jürgen Löhel
---
clusters/stealer.json | 41 ++++++++++++++++++++++++++++++++++++++++- 1 file changed, 40 insertions(+), 1 deletion(-)
diff --git a/clusters/stealer.json b/clusters/stealer.json
index 5ac032e..d65006f 100644
--- a/clusters/stealer.json
+++ b/clusters/stealer.json
@@ -166,7 +166,46 @@
 ],
 "uuid": "d410b534-07a4-4190-b253-f6616934bea6",
 "value": "WorldWind"
+ },
+ {
+ "description": "Avast describe this malware as a recombination of other malware including SpyEx, ThunderFox, ChromeRecovery, StormKitty, and firepwd.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.blustealer",
+ "https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord",
+ "https://minerva-labs.com/blog/a-new-blustealer-loader-uses-direct-syscalls-to-evade-edrs/",
+ "https://blogs.blackberry.com/en/2021/10/threat-thursday-blustealer-infostealer",
+ "https://www.gosecure.net/blog/2021/09/22/gosecure-titan-labs-technical-report-blustealer-malware-threat/",
+ "https://decoded.avast.io/anhho/blustealer/",
+ "https://twitter.com/GoSecure_Inc/status/1437435265350397957"
+ ]
+ },
+ "synonyms": [
+ "a310logger"
+ ],
+ "uuid": "ac565486-89c1-4984-9bee-9202d8a5134d",
+ "value": "BluStealer"
+ },
+ {
+ "description": "Stealer is written in Visual Basic.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkcloud",
+ "https://c3rb3ru5d3d53c.github.io/malware-blog/darkcloud-stealer/"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "ac565486-89c1-4984-9bee-9202d8a5134d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"very-likely\""
+ ],
+ "type": "variant-of"
+ }
+ ],
+ "uuid": "e550f534-dc8b-4f94-a276-ce3d5d9c8115",
+ "value": "DarkCloud Stealer"
 }
 ],
- "version": 9
+ "version": 10
 }
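Review bot: In the new BluStealer cluster the `"synonyms": [ "a310logger" ]` array is placed as a sibling of `"meta"` instead of inside it; MISP galaxy clusters keep synonyms under `meta` next to `refs`, so this placement is likely to fail the repository's cluster schema validation and any tooling that resolves aliases from `meta.synonyms` would not match `a310logger` to this entry. Moving it into the meta object, `"meta": { "refs": [ … ], "synonyms": [ "a310logger" ] },`, addresses both. The DarkCloud entry's `variant-of` relation to BluStealer is tagged `very-likely`, but the two refs it cites are generic write-ups; if neither establishes that lineage, either add the source that does to `refs` or lower the estimative-language tag so consumers do not over-weight the link. Minor wording in the BluStealer description: `Avast describe` should read `Avast describes`.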