Ailurophile Stealer

Hello, I just found these samples in the wild of Ailurophile Stealer, a new malware that has no rule detection.

Analysis: https://noogamotorsports.com/ZoomInstaller.exe (Malicious activity - Interactive analysis, ANY.RUN)

Analysis: mcrogers.com/installer.exe (Malicious activity - Interactive analysis, ANY.RUN)

C2 is manestvli.shop via HTTPS (PIDs 5332 and 3952).

Hope we can add detection to this emerging threat!


Hey hey, fella. I took a closer look at this and was hoping to be able to do SSL decrypt against it. Based on observations I think it's a Go binary that's packing its own encryption libraries, meaning most SSL decrypt/MITM stuff isn't going to work on it.

I'm pretty sure it's a Go-based binary, based on the installer.exe executable looking for a GODEBUG system variable when it's executed.

As far as host-based artifacts go, if you have Sysmon present, EventID 11 (FileCreate) should capture a file creation event for Ailurophile.zip in the user's AppData\Local directory as a surefire host-based detection method.

Additionally, you'll see FileCreate events for AppData\Local\Ailurophile\info.txt. The info file has the following format:

Ailurophile Stealer - https://ailurophilestealer.com - Telegram: @Ailurophilevn

IP: [redacted]
Country: [redacted]
Hostname: [redacted]
PC Type: Microsoft Windows [redacted]
Architecture: amd64
File Path: C:\Users\[redacted]\AppData\Local\Temp
Main Path: C:\Users\[redacted]\AppData\Local\Ailurophile
Allowed Extensions: [rdp txt doc docx pdf csv xls xlsx keys ldb log]
Folders to Search: [Documents Desktop Downloads]
Files: [secret password account tax key wallet gang default backup passw mdp motdepasse acc mot_de_passe login secret bot atomic account acount paypal banque bot metamask wallet crypto exodus discord 2fa code memo compte token backup secret seed mnemonic memoric private key passphrase pass phrase steal bank info casino prv privé prive telegram identifiant identifiants personnel trading bitcoin sauvegarde funds recup note]
MAC Address: [redacted]
Screen Resolution: [redacted]
Browsers:
Chrome Default - version: [version string]
Edge Default - version: [version string]

I’ll have TLS SNI and DNS rules for the C2 domain, but unfortunately beyond that, this is all the information I can provide for detection. Thanks as always for sharing with us, and I hope this helps others track down Ailurophile Stealer activity.
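The host-based detection described in the reply above, written out as an added example (not code from either poster): it parses Sysmon EventID 11 (FileCreate) events and flags the two artifacts named in the thread, Ailurophile.zip under AppData\Local and AppData\Local\Ailurophile\info.txt. The sample events, the user name "victim" and the writing process path are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Sysmon logs to Microsoft-Windows-Sysmon/Operational; EventID 11 is FileCreate.
# Host artifacts from the thread: the staging archive and the dropped info.txt.
AILUROPHILE_PATHS = [
    re.compile(r"\\AppData\\Local\\Ailurophile\.zip$", re.IGNORECASE),
    re.compile(r"\\AppData\\Local\\Ailurophile\\info\.txt$", re.IGNORECASE),
]
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def parse_sysmon_event(xml_text):
    """Return (event_id, {data_name: value}) for one Sysmon event rendered as XML."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, data

def detect_ailurophile(events):
    """Flag FileCreate (EventID 11) events whose TargetFilename matches a known artifact."""
    hits = []
    for xml_text in events:
        event_id, data = parse_sysmon_event(xml_text)
        if event_id != 11:
            continue  # only FileCreate events carry TargetFilename
        target = data.get("TargetFilename", "")
        if any(p.search(target) for p in AILUROPHILE_PATHS):
            hits.append({"image": data.get("Image", ""), "target": target})
    return hits

def _event(event_id, **fields):
    """Build a minimal Sysmon event XML (constructed sample, not a real capture)."""
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID></System>'
            f"<EventData>{data}</EventData></Event>")

# Constructed events: two artifact drops, one benign file write, one non-FileCreate event.
SAMPLE_EVENTS = [
    _event(11, Image=r"C:\Users\victim\AppData\Local\Temp\installer.exe",
           TargetFilename=r"C:\Users\victim\AppData\Local\Ailurophile.zip"),
    _event(11, Image=r"C:\Users\victim\AppData\Local\Temp\installer.exe",
           TargetFilename=r"C:\Users\victim\AppData\Local\Ailurophile\info.txt"),
    _event(11, Image=r"C:\Windows\explorer.exe",
           TargetFilename=r"C:\Users\victim\Downloads\notes.txt"),
    _event(1, Image=r"C:\Users\victim\AppData\Local\Temp\installer.exe",
           CommandLine="installer.exe"),
]

if __name__ == "__main__":
    for hit in detect_ailurophile(SAMPLE_EVENTS):
        print(f"[ailurophile] {hit['image']} wrote {hit['target']}")
```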