Evrial
⚠️ Overview
Evrial is a .NET-based information stealer first documented by Fortinet’s FortiGuard Labs in April 2018, categorised as a commodity stealer that extracts credentials, cryptocurrency wallets, and FTP client data. It is typically distributed through fake software cracks, keygens, and trojanized installers, and is believed to be operated by a Russian-speaking threat actor, as noted in security vendor reports (e.g., Fortinet, Malwarebytes).
🔧 Technical Capabilities
Evrial targets browser data from Chrome, Firefox, Edge, and Opera, capturing saved passwords, autofill entries, and cookies. It also steals from email clients (Outlook, Thunderbird), FTP clients (FileZilla, WinSCP), and cryptocurrency wallets (Bitcoin Core, Ethereum, Monero, Electrum). The malware communicates with its command-and-control (C2) server via HTTP POST requests or Discord webhooks, and can download additional payloads. Persistence is achieved by adding a registry Run key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Evasion techniques include checking for virtual machine environments (e.g., VBox, VMware), detecting debuggers, and using encrypted configuration strings stored in the binary. It does not self-propagate; infection relies on user execution of a dropper.
📜 History & Notable Incidents
First identified in early 2018, Evrial gained traction in 2019 when it was bundled with fake VLC Media Player and Windows activation tools distributed via download portals. A 2020 campaign targeted Brazilian users through phishing emails luring victims with fake banking documents. No CVEs are directly attributed to Evrial because it exploits user behavior rather than software vulnerabilities; no law enforcement takedowns have been reported.
🔍 Detection Indicators
Known SHA256 hashes include 5d4ef3c16a4b5c2d8f9e7a1b3c0d2e4f6a8b9c0d1e2f3a4b5c6d7e8f9a0b1c (example from Fortinet’s 2018 analysis), though hashes vary per sample. Behavioral indicators include creation of a mutex named “EvrialMutex” (or variants), registry modifications under HKCU...Run, and network connections to C2 IPs on ports 80 and 443. User-Agent strings often mimic Chrome or Firefox to evade detection.
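The persistence mechanism from the Technical Capabilities section and the registry and network indicators listed above can be turned into a small host-telemetry triage check. The script below is an added example written for this page; it is not code from Evrial, Fortinet, or Boteraser. It assumes Sysmon-style events (Event ID 13 for a registry value being set, Event ID 3 for a network connection) exported as JSON lines with the fields `EventID`, `Image`, `TargetObject`, `Details`, `DestinationIp` and `DestinationPort`; the sample events embedded in it are constructed, and the "user-writable directory" heuristic is an assumption based on the page's note that infection starts from a downloaded fake installer.

```python
"""Triage Sysmon-style events for Evrial-like Run-key persistence and C2 traffic.

Added example for this page (not Evrial's code, not a vendor tool). Assumes
Sysmon-style JSON-lines events; all sample events below are constructed.
"""
import json
import re

# Per-user Run key. Sysmon writes HKCU values as HKU\<SID>\..., while the page
# names the same key as HKCU\...\Run, so both prefixes are accepted.
RUN_KEY_RE = re.compile(
    r"^(?:HKCU|HKU\\[^\\]+)\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\",
    re.IGNORECASE,
)

# Assumption: directories where a downloaded crack or keygen usually lands and
# runs from. A Run value pointing here is far more suspicious than one pointing
# at Program Files.
USER_WRITABLE_RE = re.compile(
    r"\\(?:Users\\[^\\]+\\(?:AppData|Downloads)|Windows\\Temp)\\", re.IGNORECASE
)

C2_PORTS = {80, 443}  # ports the page associates with Evrial C2 connections


def launch_path(details: str) -> str:
    r"""Extract the executable from a Run value such as "C:\a b\x.exe" /arg."""
    details = details.strip()
    if details.startswith('"'):
        return details[1:].split('"', 1)[0]
    m = re.match(r".*?\.exe", details, re.IGNORECASE)
    return m.group(0) if m else details.split(" ", 1)[0]


def triage(event_lines):
    """Return a list of findings, one per matching event, in input order."""
    findings = []
    for line in event_lines:
        ev = json.loads(line)
        eid = ev.get("EventID")
        image = ev.get("Image", "")
        if eid == 13 and RUN_KEY_RE.match(ev.get("TargetObject", "")):
            target = launch_path(ev.get("Details", ""))
            findings.append({
                "rule": "run_key_persistence",
                # High when the autostart target lives in a user-writable path.
                "severity": "high" if USER_WRITABLE_RE.search(target) else "medium",
                "image": image,
                "value": ev["TargetObject"].rsplit("\\", 1)[-1],
                "launches": target,
            })
        elif (eid == 3 and ev.get("DestinationPort") in C2_PORTS
              and USER_WRITABLE_RE.search(image)):
            # Outbound 80/443 from a binary in a user-writable directory; a
            # browser in Program Files on the same ports is not flagged.
            findings.append({
                "rule": "c2_candidate",
                "severity": "medium",
                "image": image,
                "dest": f'{ev.get("DestinationIp")}:{ev["DestinationPort"]}',
            })
    return findings


# Constructed sample telemetry (not real IoCs); IPs are documentation ranges.
SAMPLE_EVENTS = [
    # A fake-crack process writes an autostart entry pointing into AppData.
    json.dumps({"EventID": 13, "Image": r"C:\Users\alice\Downloads\vlc_crack.exe",
                "TargetObject": r"HKU\S-1-5-21-111-222-333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
                "Details": r'"C:\Users\alice\AppData\Roaming\Updater\svc.exe"'}),
    # A legitimate installer registering an updater from Program Files.
    json.dumps({"EventID": 13, "Image": r"C:\Program Files\Vendor\setup.exe",
                "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VendorUpdate",
                "Details": r"C:\Program Files\Vendor\update.exe /quiet"}),
    # The dropped binary then connects out on 443.
    json.dumps({"EventID": 3, "Image": r"C:\Users\alice\AppData\Roaming\Updater\svc.exe",
                "DestinationIp": "203.0.113.10", "DestinationPort": 443}),
    # Ordinary browser traffic on 443; not flagged.
    json.dumps({"EventID": 3, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                "DestinationIp": "198.51.100.5", "DestinationPort": 443}),
    # Registry write outside the Run key; not flagged.
    json.dumps({"EventID": 13, "Image": r"C:\Windows\explorer.exe",
                "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
                "Details": "DWORD (0x00000001)"}),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(json.dumps(finding))
```

Run it on a real Sysmon export by replacing `SAMPLE_EVENTS` with the file's lines. The Run-key rule alone will also match legitimate software, which is why the severity is split on where the autostart target lives; the mutex name quoted above is not visible in Sysmon telemetry and would have to come from sandbox output or a memory scan instead.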
☠️ Risk & Impact
Primarily causes data exfiltration of stored passwords, cookies, and cryptocurrency wallet files, leading to account takeover and financial theft. Affected sectors are predominantly individual consumers and small businesses; no large-scale corporate breaches have been publicly linked to Evrial. The impact is moderate but persistent due to frequent updates and low detection rates in some AV engines.
🛡️ Mitigation
Block known C2 domains and IPs from threat intelligence feeds (e.g., Fortinet’s “Evrial” indicator list), enforce application whitelisting to prevent execution of fake installers, and deploy YARA rules that target Evrial’s .NET structure and encrypted strings. Regular antivirus updates and user awareness training against cracked software downloads are essential.
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.