Derkziel info stealer (Steam, Opera, Yandex, ...)

Hunt Hypothesis

Derkziel info stealer is used to exfiltrate sensitive user data from compromised systems, including credentials and browser data. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential data exfiltration and credential theft incidents early.

YARA Rule

rule Derkziel
{
    
    meta:
        description = "Derkziel info stealer (Steam, Opera, Yandex, ...)"
        author = "The Malware Hunter"
        filetype = "pe"
        date = "2015-11"
        md5 = "f5956953b7a4acab2e6fa478c0015972"
        site = "https://zoo.mlw.re/samples/f5956953b7a4acab2e6fa478c0015972"
        reference = "https://bhf.su/threads/137898/"
    
    strings:
        $drz = "{!}DRZ{!}"
        $ua = "User-Agent: Uploador"
        $steam = "SteamAppData.vdf"
        $login = "loginusers.vdf"
        $config = "config.vdf"
    
    condition:
        all of them
}

Deployment Notes

This YARA rule can be deployed in the following contexts:

• Microsoft Defender for Endpoint — Custom indicators / advanced hunting
• Email Gateway — Attachment scanning
• File Share Monitoring — Periodic scanning of shared drives
• YARA CLI — Manual threat hunting on endpoints

This rule contains 5 string patterns in its detection logic.

References

• https://bhf.su/threads/137898/
• Source Rule

False Positive Guidance

• Scenario: A system administrator is using Steam for remote desktop access to manage a server.
  Filter/Exclusion: Exclude processes initiated by the steam user or those running from the /opt/steam/ directory.

• Scenario: A scheduled job is configured to download and install Opera browser updates using a script.
  Filter/Exclusion: Exclude processes that match the opera-updater or opera-update executable names, or those initiated by a known update scheduler.

• Scenario: A system cleanup task is using Yandex Browser to clear cache and temporary files.
  Filter/Exclusion: Exclude processes with the yandex-browser executable that are running from a known cleanup script location, such as /usr/local/bin/cleanup.sh.

• Scenario: A third-party tool like SteamCMD is being used to deploy game servers, which may trigger the Steam-related detection.
  Filter/Exclusion: Exclude processes that match steamcmd and are executed from a server deployment directory, such as /var/games/deploy/.

• Scenario: A Windows task scheduler job is running a legitimate Yandex Search tool for indexing internal documents.
  Filter/Exclusion: Exclude processes that match yandexsearch.exe and are associated with a known internal indexing service, such as indexer_service.exe.