MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f431b5b6dc04208fe9ffc89eafd94c92d1383857d17702240f14aa19f538b3aa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ArkeiStealer

Vendor detections: 9

Intelligence 9 IOCs YARA File information Comments

SHA256 hash:	f431b5b6dc04208fe9ffc89eafd94c92d1383857d17702240f14aa19f538b3aa
SHA3-384 hash:	90f3680c04bccc70abaf5bcb459e18ee94637ea6cecdec73c856bdf4d1854e25c5e7856b8a0bd59a25d2ed8dee6afbad
SHA1 hash:	ab33a17e1bae03fdc35837b0e2d861caa0851b9b
MD5 hash:	a5ada35877cd52e1cfdb3300b322ecd7
humanhash:	pluto-uranus-apart-london
File name:	Windows OneDrive.bin
Download:	download sample
Signature	ArkeiStealer Create hunting rule
File size:	380'416 bytes
First seen:	2020-08-03 10:04:41 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	88f43c3b7138cca2cf455ab4c9180c07 (1 x ArkeiStealer)
ssdeep	6144:ZAfO1V+UwVwvXMhcKTlqJEgcbQNUimEk3rYCX2lZjy2BqUAdJ0vEN1knJCERS:ZAfOyX1TlqqgcbRidk3hKBy2BqTz6JCX
Threatray	59 similar samples on MalwareBazaar
TLSH	C2845DC1B15DAB04E211A83C6E35AEB1786CDD73E29541A3A7FC17716632F840FCA2D9
Reporter	0xCARNAGE
Tags:	ArkeiStealer vidar

Intelligence

File Origin

# of uploads :

1

# of downloads :

137

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Vidar

Link:

https://www.capesandbox.com/analysis/37716/

Detection(s):

SecuriteInfo.com.ArtemisA5ADA35877CD.15431.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

DNS request

Creating a file

Sending a UDP request

Deleting a recently created file

Reading critical registry keys

Replacing files

Creating a window

Delayed writing of the file

Running batch commands

Creating a process with a hidden window

Using the Windows Management Instrumentation requests

Searching for the window

Connection attempt to an infection source

Stealing user critical data

Launching a tool to kill processes

Result

Threat name:

Vidar

Detection:

malicious

Classification:

troj.spyw.evad

Score:

68 / 100

Link:

https://www.joesandbox.com/analysis/407761

Signature

Detected unpacking (creates a PE file in dynamic memory)

Found many strings related to Crypto-Wallets (likely being stolen)

Tries to steal Crypto Currency Wallets

Tries to steal Mail credentials (via file access)

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f431b5b6dc04208fe9ffc89eafd94c92d1383857d17702240f14aa19f538b3aa/

Threat name:

Win32.Trojan.Chapak

Status:

Malicious

First seen:

2020-08-03 10:06:06 UTC

AV detection:

37 of 48 (77.08%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=6qy3lnw4aqqi72p7zcpk7wkmslitqocx2f3qejapcsvbt5jywova._file

Verdict:

malicious

Similar samples:

033741ca568e4e71a586be960e503415579b0520d2c9ecd298ed03becf406b9c

1d1db9028a99d5ccfd2e898e61dd4c0fbd2b363934f0623aa9503280fa3229a9

1df55177a6326406d491cd9b6d4951392e565dd13e597836684468de6fec52f1

3b9f555888df6326a6a0c7dd2c2c1c2d78bbb969c1b7d40ea0d0e9679a06bbc5

69fe5bb4b975f9437b6c3bcf3f07dc807a8f2e848f1e0c5802012295b06a742c

8959562f5a87f40b9c3917a98e10d68e2c459c8df9bdd9664f615af6d5b9959e

9c2eb5790e7874950db0e51764ba68bb4a0fa5be68b659717c73363883da0db7

a738551436373cba8cfb85daf742426c8374a6c2384035c7c64a71d039308df0

b699a2766f106ff77377780bad431b72ef1748bf989e09f2b82fb73cf30cbde3

d0030a8a47fd678d6f9f2313fdeed1898fb667bcda9167215a90d64b7744d665

+ 49 additional samples on MalwareBazaar

Result

Malware family:

oski

Score:

10/10

Tags:

discovery infostealer family:oski spyware

Link:

https://tria.ge/reports/200803-9j1y9ejgze/

Behaviour

Checks processor information in registry

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Kills process with taskkill

Accesses cryptocurrency wallets, possible credential harvesting

JavaScript code in executable

Checks installed software on the system

Loads dropped DLL

Reads user/profile data of web browsers

Oski

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

ZLoader

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/f431b5b6dc04208fe9ffc89eafd94c92d1383857d17702240f14aa19f538b3aa

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

exe f431b5b6dc04208fe9ffc89eafd94c92d1383857d17702240f14aa19f538b3aa

(this sample)

anyrun

any.run

https://app.any.run/tasks/59c7e811-03a3-45dc-a6b0-f93ce8b63dd3#

Delivery method

Distributed via web download

Cape

Cape

https://www.capesandbox.com/analysis/37716/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample