
trojan.Evrial Cryptocurrency stealer

Posted: Wed Feb 21, 2018 7:14 pm
by markusg
SHA-256: 2816e869afc0bb09635c15d64f9fd1e6e02aaefc68fe227c454af302e6bb453a
File name: WinRar Setup (1).exe
https://www.virustotal.com/#/file/2816e ... /detection

Re: trojan.Evrial Cryptocurrency stealer

Posted: Fri Mar 02, 2018 2:23 pm
by fonavozia
C&C moved to hxxps://projectevrial.com/login/.

Re: trojan.Evrial Cryptocurrency stealer

Posted: Fri Mar 16, 2018 7:58 am
by fonavozia
C&C address is downloaded from hxxps://github.com/sevampir/evrial (hxxps://raw.githubusercontent.com/sevampir/evrial/master/LICENSE.md/evrial)

Re: trojan.Evrial Cryptocurrency stealer

Posted: Fri Mar 16, 2018 8:00 am
by fonavozia
Sample in attachment (379aa4c0fe0e2027e76341e075321fa0).

Re: trojan.Evrial Cryptocurrency stealer

Posted: Tue Aug 07, 2018 2:24 pm
by ohdae
File: b2ac53ffa2ee13e30ff0a78208d4c9b28251c00a3cd7e5345a07cd8664b943b1
Size: 46080
MD5: 379aa4c0fe0e2027e76341e075321fa0
SHA1: 8940ea910db97a4ecff02bd95218a2add8d728ce
SHA256: b2ac53ffa2ee13e30ff0a78208d4c9b28251c00a3cd7e5345a07cd8664b943b1

Pretty basic YARA rule strings for this sample here as well:
	$name0 = "Evrial" ascii fullword
	$name1 = "Evrial.Hardware" ascii fullword
	$name2 = "Evrial.Cookies" ascii fullword
That's the bare minimum. I've let this hunt for a while, so I should have many more samples by EOD.
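For readers who want to drop the three strings above into a scanner, here is a complete rule built around them. This is an added example, not ohdae's rule or anything from the thread's authors: the strings, hashes and file size come from this thread, while the rule name, the PE header check, the `wide` modifier, the size ceiling and the "2 of" threshold are my own choices.

```yara
// Added example wrapping the strings posted above into a usable rule.
// Hashes and the 46080-byte size are from this thread; everything in the
// condition is an assumption chosen to keep false positives down.
rule Evrial_Stealer_Strings
{
    meta:
        description = "Evrial cryptocurrency stealer - strings from the sample shared in this thread"
        md5         = "379aa4c0fe0e2027e76341e075321fa0"
        sha256      = "b2ac53ffa2ee13e30ff0a78208d4c9b28251c00a3cd7e5345a07cd8664b943b1"
        reference   = "forum thread: trojan.Evrial Cryptocurrency stealer"

    strings:
        // The posted strings were ascii-only; "wide" is added here so
        // UTF-16 copies of the same identifiers are also matched.
        $name0 = "Evrial"          ascii wide fullword
        $name1 = "Evrial.Hardware" ascii wide fullword
        $name2 = "Evrial.Cookies"  ascii wide fullword

    condition:
        // Only look at PE files: "MZ" at offset 0.
        uint16(0) == 0x5A4D and
        // Posted sample is 46080 bytes; leave headroom for repacked variants
        // while skipping large files that merely mention the family name.
        filesize < 200KB and
        // $name0 alone is weak: it also hits inside $name1/$name2 (the "." is a
        // word boundary for fullword) and in any report that names the family,
        // so require at least one of the dotted namespace-style strings too.
        2 of ($name*)
}
```

Run it with `yara -r Evrial_Stealer_Strings.yar <directory>`; the `2 of` threshold means a file containing only the bare word "Evrial" will not match.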