MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 341f4423ac740db2802efecb3e85430970a636052d7f366ea99abd7f1b39f037. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ArkeiStealer

Vendor detections: 8

Intelligence 8 IOCs YARA 1 File information Comments

SHA256 hash:	341f4423ac740db2802efecb3e85430970a636052d7f366ea99abd7f1b39f037
SHA3-384 hash:	29114709854b79944ad0c3d7cac1fa4178c188967c3426da76b197766020cbba1cf8afab530680d12acec05c4c00b267
SHA1 hash:	4b2d29bfc4945bd68acb3ee7a3c940cc9d0f838f
MD5 hash:	e918cd88c25cd815064d4a56e278cb6f
humanhash:	comet-jig-violet-berlin
File name:	Build.exe
Download:	download sample
Signature	ArkeiStealer Create hunting rule
File size:	93'184 bytes
First seen:	2021-06-23 17:31:14 UTC
Last seen:	2021-06-23 18:46:38 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	0fcd645249cc4835b17090186b2e4330 (1 x ArkeiStealer)
ssdeep	1536:SeBVil+lDzb0VDPdnVM39JuTkGNA0agvHs7CaMSClPJAZSe7HcJTwWhJ:SeBVil+hcl6tJure0aSMBWPJbe7HY
Threatray	76 similar samples on MalwareBazaar
TLSH	13930600D9808406E091587BD1FB53B5F76C9E78934A94C3EB817DBA0EB45F62AB18DF
Reporter	James_inthe_box
Tags:	ArkeiStealer exe

Intelligence

File Origin

# of uploads :

# of downloads :

103

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Build.exe

Verdict:

Malicious activity

Analysis date:

2021-06-23 17:35:35 UTC

Tags:

stealer

Link:

https://app.any.run/tasks/f7e7d65a-e8c0-404a-b95a-2d0178f2fb7b

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Heur.Trickbot.3.14637.24821.UNOFFICIAL

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Oski Stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/4978b702-2b45-40ac-ae81-2e3f34575755

Result

Threat name:

Vidar

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/806746

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Contains functionality to detect sleep reduction / modifications

Contains functionality to inject code into remote processes

Detected unpacking (changes PE section rights)

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for dropped file

Machine Learning detection for sample

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

PE file contains section with special chars

Sigma detected: System File Execution Location Anomaly

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade analysis by execution special instruction which cause usermode exception

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/341f4423ac740db2802efecb3e85430970a636052d7f366ea99abd7f1b39f037/

Threat name:

Win32.Trojan.TrickBot

Status:

Malicious

First seen:

2021-06-23 17:31:07 UTC

File Type:

PE (Exe)

AV detection:

16 of 29 (55.17%)

Threat level:

5/5

Verdict:

malicious

ArkeiStealer

36192aaa605b98f67d88d3712e5eb7ddd8e229766bbae3b2efebdb98f19662ea

ArkeiStealer

4d9b89978e6ca9cf14cb1f04859e01e66c1e0dbefedd1663617647535c0b3fa0

ArkeiStealer

6369b1ed4ab77dfaea18de4beb22c0ca26bd91eae120261c3657f079f88c1790

ArkeiStealer

7c3c41d8da242f6ae707daaf842c0c0afb4ff541e3b009c62e51bc7d93eca86b

ArkeiStealer

8795bb17e6a0ce6dc06236d4042c625f2154bd1d8e5df494c23ffa3e58124395

ArkeiStealer

8b60f75253c0ccf9d616ab1f1920d4b9baf1fe140e1f4eff7cb74d270c6d42fc

ArkeiStealer

aaa3af0c4ffbb7bd8c5941dbf22c9ab92e83cbc6b680696d6ac208ad4d8e63ab

ArkeiStealer

b52960b7ce7ae8c007c59626859816296471b7810036baaa7b7b86c2cd6d6218

ArkeiStealer

b9c037384eaa82706baf7c3cd5e1550fe9ad24083edeb00e55d9da8198ea6ee3

ArkeiStealer

+ 66 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

9/10

Tags:

discovery evasion spyware stealer

Link:

https://tria.ge/reports/210623-wq3m5xblj2/

Behaviour

Checks processor information in registry

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Checks BIOS information in registry

Identifies Wine through registry keys

Loads dropped DLL

Reads user/profile data of web browsers

Downloads MZ/PE file

Executes dropped EXE

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Unpacked files

SH256 hash:

341f4423ac740db2802efecb3e85430970a636052d7f366ea99abd7f1b39f037

MD5 hash:

e918cd88c25cd815064d4a56e278cb6f

SHA1 hash:

4b2d29bfc4945bd68acb3ee7a3c940cc9d0f838f

Link:

https://www.unpac.me/results/0fc385cf-1dbc-48c8-ae39-b57a1f298765/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/341f4423ac740db2802efecb3e85430970a636052d7f366ea99abd7f1b39f037

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICOIUS_WindDefender_AntiEmaulation Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing potential Windows Defender anti-emulation checks

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample