From ca635cc3fcba747eb4d26afe24533740645567e1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=BCrgen=20L=C3=B6hel?=
Date: Mon, 30 Jan 2023 18:29:25 -0600
Subject: [PATCH 1/2] chg: [stealer] Adds DarkCloud and BluStealer
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Jürgen Löhel
---
 clusters/stealer.json | 41 ++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 40 insertions(+), 1 deletion(-)
diff --git a/clusters/stealer.json b/clusters/stealer.json
index 5ac032e4..d65006fc 100644
--- a/clusters/stealer.json
+++ b/clusters/stealer.json
@@ -166,7 +166,46 @@
 ],
 "uuid": "d410b534-07a4-4190-b253-f6616934bea6",
 "value": "WorldWind"
+ },
+ {
+ "description": "Avast describe this malware as a recombination of other malware including SpyEx, ThunderFox, ChromeRecovery, StormKitty, and firepwd.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.blustealer",
+ "https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord",
+ "https://minerva-labs.com/blog/a-new-blustealer-loader-uses-direct-syscalls-to-evade-edrs/",
+ "https://blogs.blackberry.com/en/2021/10/threat-thursday-blustealer-infostealer",
+ "https://www.gosecure.net/blog/2021/09/22/gosecure-titan-labs-technical-report-blustealer-malware-threat/",
+ "https://decoded.avast.io/anhho/blustealer/",
+ "https://twitter.com/GoSecure_Inc/status/1437435265350397957"
+ ]
+ },
+ "synonyms": [
+ "a310logger"
+ ],
+ "uuid": "ac565486-89c1-4984-9bee-9202d8a5134d",
+ "value": "BluStealer"
+ },
+ {
+ "description": "Stealer is written in Visual Basic.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkcloud",
+ "https://c3rb3ru5d3d53c.github.io/malware-blog/darkcloud-stealer/"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "ac565486-89c1-4984-9bee-9202d8a5134d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"very-likely\""
+ ],
+ "type": "variant-of"
+ }
+ ],
+ "uuid": "e550f534-dc8b-4f94-a276-ce3d5d9c8115",
+ "value": "DarkCloud Stealer"
 }
 ],
- "version": 9
+ "version": 10
 }
From c7c2b8441a11233f7261f27a48bb32da975da05d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=BCrgen=20L=C3=B6hel?=
Date: Mon, 30 Jan 2023 18:35:28 -0600
Subject: [PATCH 2/2] chg: [stealer] Removes BluStealer
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The BluStealer is already in the malpedia cluster.
Signed-off-by: Jürgen Löhel
---
 clusters/stealer.json | 21 +--------------------
 1 file changed, 1 insertion(+), 20 deletions(-)
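Review bot: The `"related"` block on the DarkCloud Stealer object asserts `"type": "variant-of"` tagged `estimative-language:likelihood-probability="very-likely"`, but neither of the two refs listed for DarkCloud (the malpedia page and the c3rb3ru5d3d53c write-up) is identified as the source of that relationship, so the link reads as an unsupported analyst judgement; either add the reference that establishes the variant relationship under `"refs"` or lower the likelihood tag to what the cited material supports. The description `"Stealer is written in Visual Basic."` does not name the family, which matters once descriptions are displayed out of context in feeds and the MISP UI; `"description": "DarkCloud Stealer is an information stealer written in Visual Basic."` would be self-contained. Minor wording: `Avast describe this malware` should be `Avast describes this malware`, though that object is removed again by patch 2/2.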
diff --git a/clusters/stealer.json b/clusters/stealer.json
index d65006fc..dd460564 100644
--- a/clusters/stealer.json
+++ b/clusters/stealer.json
@@ -167,25 +167,6 @@
 "uuid": "d410b534-07a4-4190-b253-f6616934bea6",
 "value": "WorldWind"
 },
- {
- "description": "Avast describe this malware as a recombination of other malware including SpyEx, ThunderFox, ChromeRecovery, StormKitty, and firepwd.",
- "meta": {
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.blustealer",
- "https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord",
- "https://minerva-labs.com/blog/a-new-blustealer-loader-uses-direct-syscalls-to-evade-edrs/",
- "https://blogs.blackberry.com/en/2021/10/threat-thursday-blustealer-infostealer",
- "https://www.gosecure.net/blog/2021/09/22/gosecure-titan-labs-technical-report-blustealer-malware-threat/",
- "https://decoded.avast.io/anhho/blustealer/",
- "https://twitter.com/GoSecure_Inc/status/1437435265350397957"
- ]
- },
- "synonyms": [
- "a310logger"
- ],
- "uuid": "ac565486-89c1-4984-9bee-9202d8a5134d",
- "value": "BluStealer"
- },
 {
 "description": "Stealer is written in Visual Basic.",
 "meta": {
@@ -196,7 +177,7 @@
 },
 "related": [
 {
- "dest-uuid": "ac565486-89c1-4984-9bee-9202d8a5134d",
+ "dest-uuid": "cb4bfed3-3042-4a29-a72d-c8b5c510faea",
 "tags": [
 "estimative-language:likelihood-probability=\"very-likely\""
 ],
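Review bot: The new `"dest-uuid": "cb4bfed3-3042-4a29-a72d-c8b5c510faea"` in the second hunk is not defined anywhere in this file; the commit message says BluStealer already lives in the malpedia cluster, but nothing in the hunk shows that this UUID is that entry, and a mistyped cross-cluster UUID leaves a dangling `variant-of` relation that no consumer can resolve and that nothing within stealer.json would catch. Please confirm the UUID matches the malpedia cluster's BluStealer object before merging, and consider stating that target in the commit message so the cross-reference is auditable. `"version"` stays at 10 in this patch, which is only correct because both patches of the series land together as a single change to the cluster. The first hunk is a straight removal of the object added in 1/2 and needs no comment.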