MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 12935ca1073fff08eb4fbd5d4cd1707b0fce7dd92a2106cac5af92de0451ffaf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ArkeiStealer

Vendor detections: 16

Intelligence 16 IOCs 1 YARA 14 File information Comments

SHA256 hash:	12935ca1073fff08eb4fbd5d4cd1707b0fce7dd92a2106cac5af92de0451ffaf
SHA3-384 hash:	9ce82f53219dd62c5083505a5a9114f5d65101921a2161408bed0baa82d5e50894580a5b31801b64f6deab778a661854
SHA1 hash:	9f5f827b33da653ab0db0d13302de2827366bd48
MD5 hash:	4987a7297078ad273f19351af8f535e9
humanhash:	princess-spring-ohio-cat
File name:	4987a7297078ad273f19351af8f535e9.exe
Download:	download sample
Signature	ArkeiStealer Create hunting rule
File size:	461'767 bytes
First seen:	2022-09-18 16:15:29 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	672f4cae333cd1c185b703423ad03761 (4 x Smoke Loader, 2 x Stop, 1 x ArkeiStealer)
ssdeep	12288:M+oYUA43ajwZ11gkuM+SlaJKXeR2NA+ULt70BjvrEH7SsN9:43apkAzP2K++wrEH7SsN9
Threatray	443 similar samples on MalwareBazaar
TLSH	T197A4C000BA50C2B9E0B315F4797E9268B9797AB85B7540CB93D126ED5B3CAD1EC3031B
TrID	40.5% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 17.0% (.SCR) Windows screen saver (13101/52/3) 13.6% (.EXE) Win64 Executable (generic) (10523/12/4) 8.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 6.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):
dhash icon	64e0d8f0e0e0b0b4 (1 x ArkeiStealer)
Reporter	abuse_ch
Tags:	ArkeiStealer exe

abuse_ch

ArkeiStealer C2:
http://5.253.18.213/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://5.253.18.213/	https://threatfox.abuse.ch/ioc/850369/

Intelligence

File Origin

# of uploads :

# of downloads :

430

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

floxif

ID:

File name:

4987a7297078ad273f19351af8f535e9.exe

Verdict:

Malicious activity

Analysis date:

2022-09-18 16:15:46 UTC

Tags:

trojan floxif stealer

Link:

https://app.any.run/tasks/f8a3de86-3bfa-4eb9-907d-97a1bcd97794

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/311104/

Detection(s):

Win.Virus.Pioneer-9111434-0

Win.Ransomware.Tofsee-9968430-0

Win.Ransomware.Tofsee-9968431-0

Win.Virus.Pioneer-6804573-0

MiscreantPunch.SingleXOR.EXE.197.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a file

Enabling the libraries to load when starting the app (AppInit_DLLs)

Creating a file in the Program Files subdirectories

DNS request

Sending an HTTP GET request

Replacing executable files

Creating a file in the mass storage device

Enabling autorun

Infecting executable files

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/38036/overview

Behaviour

MalwareBazaar

GetTempPath

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

floxif greyware obfuscated overlay packed

Link:

https://www.filescan.io/uploads/6327446166ac3265124735d2/reports/d9fde3b6-e73e-49e1-a4e5-686cf63607af/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Floxif

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/e0dadfd6-03cc-4fb3-a702-68060d7cd8ea

Result

Threat name:

FloodFix, Vidar

Detection:

malicious

Classification:

troj.spyw

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1072514

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Binary is likely a compiled AutoIt script file

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Overwrites code with function prologues

Self deletion via cmd or bat file

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected FloodFix

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/12935ca1073fff08eb4fbd5d4cd1707b0fce7dd92a2106cac5af92de0451ffaf/

Threat name:

Win32.Virus.Floxif

Status:

Malicious

First seen:

2022-09-14 06:33:52 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

25 of 26 (96.15%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=ckjvziihh77qr22pxvouzulqpmh447ozfiqqnswfv6jn4bcr76xq._file

Verdict:

malicious

ArkeiStealer

048775019adc05c1978f5be85341eb95fb8c9c15611ee13a1fbbffaef3f4f1dc

ArkeiStealer

0a696cdecabbeb02700dfec14eaa5b165d17267f311ef7ddbb7264caddc551a3

ArkeiStealer

4c41b180f87e9fce98f2da11d11ad01b228d900c8130e6d5c59ff1b3e2184f4e

ArkeiStealer

a1f9821ea237c4d2b3090849a13307d3f4c5ec7c88c8430cac54bd718a6eafb4

ArkeiStealer

dfd29461b16401b73544be8cdc5f594e6eb33e98f33c2809e62163aaf6ae72ec

ArkeiStealer

+ 433 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

9/10

Tags:

discovery persistence spyware stealer upx

Link:

https://tria.ge/reports/220918-tqs7wafdbm/

Behaviour

Checks processor information in registry

Delays execution with timeout.exe

Kills process with taskkill

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Drops file in Program Files directory

Accesses 2FA software files, possible credential harvesting

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Enumerates connected drives

Checks computer location settings

Loads dropped DLL

Reads user/profile data of web browsers

Modifies AppInit DLL entries

UPX packed file

ACProtect 1.3x - 1.4x DLL software

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/a02c240b-8be9-4be3-9bed-867c5504d09a

Unpacked files

SH256 hash:

fb0e7187a1bf81bf8f1fb9e3eec42ac19e7d431146afb4b4d5557d176ff3eeed

MD5 hash:

a9e2779e27d5a855935805415239785c

SHA1 hash:

feb1f86f58dd1f26f612aa75e1d8970c168e35d1

Detections:

win_vidar_auto

Link:

https://www.unpac.me/results/008023f0-a0f3-4f1c-b78f-d5b35ff46bc4/

Parent samples :

7fda9416cf43006f02c64ff317b1066f74ffc58658f6097adc18ed5af7ee5cfc
549a966a1d755c4b455b57a866179431e775ea4777af0a42d06481967ba5c922
12935ca1073fff08eb4fbd5d4cd1707b0fce7dd92a2106cac5af92de0451ffaf

SH256 hash:

12935ca1073fff08eb4fbd5d4cd1707b0fce7dd92a2106cac5af92de0451ffaf

MD5 hash:

4987a7297078ad273f19351af8f535e9

SHA1 hash:

9f5f827b33da653ab0db0d13302de2827366bd48

Link:

https://www.unpac.me/results/008023f0-a0f3-4f1c-b78f-d5b35ff46bc4/

Malware family:

Floxif

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/12935ca1073f/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/12935ca1073fff08eb4fbd5d4cd1707b0fce7dd92a2106cac5af92de0451ffaf

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BitcoinAddress Create hunting rule
Author:	Didier Stevens (@DidierStevens)
Description:	Contains a valid Bitcoin address

Rule name:	Malware_Floxif_mpsvc_dll Create hunting rule
Author:	Florian Roth
Description:	Malware - Floxif
Reference:	Internal Research

Rule name:	Malware_Floxif_mpsvc_dll_RID30C4 Create hunting rule
Author:	Florian Roth
Description:	Malware - Floxif
Reference:	Internal Research

Rule name:	MALWARE_Win_FloodFix Create hunting rule
Author:	ditekSHen
Description:	Detects FloodFix

Rule name:	MAL_Floxif_Generic Create hunting rule
Author:	Florian Roth
Description:	Detects Floxif Malware
Reference:	Internal Research

Rule name:	MAL_Floxif_Generic_RID2DCE Create hunting rule
Author:	Florian Roth
Description:	Detects Floxif Malware
Reference:	Internal Research

Rule name:	meth_stackstrings Create hunting rule
Author:	Willi Ballenthin

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

Rule name:	RansomwareTest3 Create hunting rule
Author:	Daoyuan Wu
Description:	Test Ransomware YARA rules

Rule name:	RansomwareTest4 Create hunting rule
Author:	Daoyuan Wu
Description:	Test Ransomware YARA rules

Rule name:	RansomwareTest6 Create hunting rule
Author:	Daoyuan Wu
Description:	Test Ransomware YARA rules

Rule name:	SUSP_Microsoft_Copyright_String_Anomaly_2 Create hunting rule
Author:	Florian Roth
Description:	Detects Floxif Malware
Reference:	Internal Research

Rule name:	SUSP_Microsoft_Copyright_String_Anomaly_2_RID3720 Create hunting rule
Author:	Florian Roth
Description:	Detects Floxif Malware
Reference:	Internal Research

Rule name:	win_vidar_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.vidar.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/311104/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample