Stealer Search Guide

Endpoint: /search-by-stealer

Required Permissions: search-by-stealer

Overview

The Stealer Search endpoint enables searching for compromises using specific stealer IDs. This endpoint is valuable for investigating malware infections and tracking compromises from known malware sources.

Use Cases

Track specific malware infections
Investigate compromise clusters
Monitor stealer families
Analyze infection patterns
Track credential theft campaigns

Request Format

{
    "stealers": [
        "EG_196.158.196.83",
        "US_98.11.162.214_25-01-25_13579"
    ],
    "sort_by": "date_compromised",
    "sort_direction": "desc",
    "filter_credentials": true,
    "start_date": "2024-01-01T00:00:00Z",
    "end_date": "2024-12-31T23:59:59Z"
}

Required Parameters

Parameter	Type	Description	Constraints
stealers	array[string]	List of stealer IDs	1-50 IDs

Optional Parameters

Parameter	Type	Default	Description
sort_by	string	"date_compromised"	Sort by "date_compromised" or "date_uploaded"
sort_direction	string	"desc"	Sort direction: "asc" or "desc"
filter_credentials	boolean	true	Return only matched credentials
start_date	datetime	null	Filter results after this date
end_date	datetime	null	Filter results before this date

Response Structure

{
    "data": [
        {
            "stealer": "EG_196.158.196.83",
            "date_compromised": "2024-02-27T10:53:48.989Z",
            "date_uploaded": "2024-02-27T10:53:48.989Z",
            "stealer_family": "RedLine",
            "ip": "196.158.196.83",
            "computer_name": "DESKTOP-ABC123",
            "operating_system": "Windows 10 Pro",
            "credentials": [
                {
                    "url": "example.com/login",
                    "domain": "example.com",
                    "username": "[email protected]",
                    "password": "",
                    "type": "employee"
                }
            ]
        }
    ],
    "nextCursor": "base64_encoded_cursor"
}

Best Practices

1. Investigation Workflow

Identify related stealer IDs
Group by stealer family
Track temporal patterns
Monitor geographic distribution

2. Search Optimization

{
    "stealers": [
        "EG_196.158.196.83"
    ],
    "sort_by": "date_compromised",
    "sort_direction": "desc",
    "filter_credentials": true
}

3. Batch Processing

Group related stealers
Track stealer families
Monitor infection patterns
Analyze credential theft

Implementation Examples

Basic Stealer Search

async def search_stealers(stealer_ids):
    return await api.post('/search-by-stealer', {
        'stealers': stealer_ids,
        'sort_by': 'date_compromised',
        'sort_direction': 'desc'
    })

Campaign Analysis

async def analyze_campaign(base_stealer_id):
    # Get related stealers from same IP range
    related_stealers = find_related_stealers(base_stealer_id)
    results = await search_stealers(
        stealers=related_stealers[:50],  # Respect limit
        sort_by='date_compromised',
        filter_credentials=True
    )
    return analyze_results(results)

Temporal Analysis

async def temporal_analysis(stealer_id):
    weekly_results = []
    for week in generate_week_ranges():
        results = await search_stealers(
            stealers=[stealer_id],
            start_date=week['start'],
            end_date=week['end']
        )
        weekly_results.append(results)
    return analyze_temporal_pattern(weekly_results)

Analysis Patterns

1. Infection Chain Analysis

Track related stealers
Monitor IP patterns
Analyze timing
Map geographic spread

2. Credential Theft Patterns

Types of stolen credentials
Target services
Victim patterns
Reuse patterns

3. Campaign Tracking

Related stealer IDs
Temporal patterns
Geographic clusters
Target patterns

Error Handling

Common Errors

Status	Cause	Solution
400	Invalid stealer ID	Validate format
400	Too many stealers	Reduce batch size to ≤50
404	Stealer not found	Verify ID exists
408	Request timeout	Reduce batch size

Security Considerations

1. Data Handling

Encrypt sensitive data
Limit access to results
Implement audit logging
Set retention policies

2. Investigation Security

Document investigations
Track access patterns
Monitor search volumes
Secure findings

3. Operational Security

Validate stealer IDs
Monitor API usage
Track investigation patterns
Secure communications

Integration Tips

1. SIEM Integration

Forward findings
Create alerts
Track investigations
Monitor patterns

2. Threat Intelligence

Share stealer IDs
Track campaigns
Monitor patterns
Update blocklists

3. Incident Response

Document findings
Track remediation
Monitor effectiveness
Update procedures

Performance Optimization

1. Search Efficiency

Batch related queries
Cache common results
Implement rate limiting
Monitor timeouts

2. Result Processing

Filter relevant data
Group related findings
Analyze patterns
Generate reports

Monitoring and Alerts

1. Critical Findings

New stealer families
Large campaigns
Critical assets
Pattern changes

2. Investigation Metrics

Search volumes
Result patterns
Error rates
Response times