MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 303ca1ef12fe63d0110a587290fe896e4d49d34b2cb9ae547a3ff71d0facd39b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ArkeiStealer

Vendor detections: 4

Intelligence 4 IOCs YARA 2 File information Comments

SHA256 hash:	303ca1ef12fe63d0110a587290fe896e4d49d34b2cb9ae547a3ff71d0facd39b
SHA3-384 hash:	8c352a2fcaa9f8b57a754825dbae76ba7cccf46dc956b5bc0901b36b5b6a5a27f53b97cc37a2e54c1ffc9d77b44e7eac
SHA1 hash:	8850736d5c1881e6dac690d6fec762b1127b6a35
MD5 hash:	aa53dee2a07584775a1c528761f7b83e
humanhash:	butter-red-whiskey-fillet
File name:	passports scan and etc.zip
Download:	download sample
Signature	ArkeiStealer Create hunting rule
File size:	1'037'542 bytes
First seen:	2023-10-24 15:28:49 UTC
Last seen:	Never
File type:	zip
MIME type:	application/zip
ssdeep	6144:eGbxdKhuRdk4/ximKBuy4755ENvWCGR2vp:L6uRdbximl6OCBh
TLSH	T16B25AB24F4853B61FC4DCAB405B01DA803F57EB8236B57C42274B15FD623EAEAE68935
TrID	80.0% (.ZIP) ZIP compressed archive (4000/1) 20.0% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1)
Reporter	JAMESWT_WT
Tags:	78-47-66-147 ArkeiStealer bookinggoogledrive file-pumped zip

Intelligence

File Origin

# of uploads :

# of downloads :

144

Origin country :

File Archive Information

This file archive contains 6 file(s), sorted by their relevance:

File name:	string.txt
File size:	1'984 bytes
SHA256 hash:	8eac9f55b19f296692c431e24f2d8263a2a497b8e7613f15d60f8d02c195b098
MD5 hash:	acc087901b3e95c306a9315c80d607ea
MIME type:	application/octet-stream
Signature	ArkeiStealer

File name:	126
File size:	34 bytes
SHA256 hash:	b180e15dfa060b8f8c27e735cb2ec3dbea6a21f49763bb40d3bd8e8cedb3df39
MD5 hash:	ec88a7cc35bc3e7dc9540b0c8cad0f04
MIME type:	application/octet-stream
Signature	ArkeiStealer

File name:	499
File size:	2 bytes
SHA256 hash:	94e706dc7b0e756b561c8c4ad4d31b476077dbf9486f9787d8530fb67f91cff8
MD5 hash:	3e2db737427fd55d8880bf5ae2f08640
MIME type:	application/octet-stream
Signature	ArkeiStealer

File name:	498
File size:	2 bytes
SHA256 hash:	e7dac261e841e53eb65ac8c2a0e56544df49c46d71e8002d7764f92c66c4c868
MD5 hash:	c151c5fa0f424dbf71e349896c45ec16
MIME type:	application/octet-stream
Signature	ArkeiStealer

File name:	458
File size:	2 bytes
SHA256 hash:	918efabff032248eb6a4eac40eefca0c7105419f39c4ffdcd3f3110461cbccf2
MD5 hash:	aca3f634a518a38b519e2055cc55cb02
MIME type:	application/octet-stream
Signature	ArkeiStealer

File name:	passports scan and etc.scr
Pumped file	This file is pumped. MalwareBazaar has de-pumped it.
File size:	681'862'672 bytes
SHA256 hash:	84f57037df270de105acf579f58c974c1507a9be920ff4f454b732a08284fe97
MD5 hash:	64b5b7127472d645b5842c4cb98e8217
De-pumped file size:	280'064 bytes (Vs. original size of 681'862'672 bytes)
De-pumped SHA256 hash:	54208d7d4e9fd98dce643410e5ce10776a21a3864c7d26bea359fe4fa657f208
De-pumped MD5 hash:	6d4f6ca44edc3e5343b61e6d9730f84f
MIME type:	application/x-dosexec
Signature	ArkeiStealer

Vendor Threat Intelligence

Result

Verdict:

Malicious

File Type:

ZIP File - Malicious

Link:

https://app.docguard.net/303ca1ef12fe63d0110a587290fe896e4d49d34b2cb9ae547a3ff71d0facd39b/results/dashboard

Behaviour

SuspiciousEmbeddedObjects detected

Gathering data

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/303ca1ef12fe63d0110a587290fe896e4d49d34b2cb9ae547a3ff71d0facd39b

Result

Verdict:

MALICIOUS

Link:

https://labs.inquest.net/dfi/sha256/303ca1ef12fe63d0110a587290fe896e4d49d34b2cb9ae547a3ff71d0facd39b

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/303ca1ef12fe63d0110a587290fe896e4d49d34b2cb9ae547a3ff71d0facd39b/

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ga6kd3ys7zr5aeiklbzjb7ujnzgutu2lfs424vd2h73r2d5m2onq._file

Result

Malware family:

n/a

Score:

1/10

Tags:

n/a

Link:

https://tria.ge/reports/231024-v8xtfsah58/

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	PK_PUMP_AND_DUMP Create hunting rule
Author:	Will Metcalf @node5
Description:	Walks Zip Central Directory filename entries looking for abused extension then checks for a file that's at least 25M and then check to see how much uncompressed size is vs compressed size

Rule name:	weird_zip_high_compression_ratio Create hunting rule
Author:	Maxime THIEBAUT (@0xThiebaut)
Description:	Detects single-entry ZIP files with a suspiciously high compression ratio (>100:1) and decompressed size above the 500MB AV limit
Reference:	https://twitter.com/Cryptolaemus1/status/1633099154623803394

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample