crew3 Crypto Drainer 0827f6e1

Detects the crypto drainer created by a Chinese threat actor that is hidden within the file named main.69e3e80e.js commonly hosted on a subdomain with the apex domain being either server-crew3.xyz or web3-crew3.xyz

References

https://urlscan.io/result/0827f6e1-6d3e-4e2b-8ff4-3024111c18a5

IOK Rule (edit)

title: crew3 Crypto Drainer 0827f6e1
description: |
    Detects the crypto drainer created by a Chinese 
    threat actor that is hidden within the file named 
    `main.69e3e80e.js` commonly hosted on a subdomain
    with the apex domain being either `server-crew3.xyz`
    or `web3-crew3.xyz`
    
references:
    - https://urlscan.io/result/0827f6e1-6d3e-4e2b-8ff4-3024111c18a5

detection:

    drainerScript:
      requests|contains: 'main.69e3e80e.js'

    drainerKeyword:
      js|contains: 'shakeima'

    condition: drainerScript and drainerKeyword

tags:
  - cryptocurrency
  - cryptocurrency.ethereum
  - crypto_drainer.crew3