MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3ecfe375bd64aa9e53b2d439c8ea9974af664aa36d060239ae7ddd1d796e0309. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3ecfe375bd64aa9e53b2d439c8ea9974af664aa36d060239ae7ddd1d796e0309
SHA3-384 hash: 6cfa456506c192ea4b4b587b6b930ff9304ce3e6dec7372cba5bb94867d6849b640eb3e5f6d5d3bb3653202da0c39ab6
SHA1 hash: 023292b0b004739fb03cb417a28d8675633a5b2a
MD5 hash: cc41b92339a4d05cf4941a41c1b198d1
humanhash: mike-seventeen-kentucky-autumn
File name:cc41b92339a4d05cf4941a41c1b198d1.exe
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:860'160 bytes
First seen:2020-12-04 07:50:33 UTC
Last seen:2020-12-04 10:05:58 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 775fa617ccf71b4941270192dca70f1b (1 x ArkeiStealer)
ssdeep 24576:nlrmnlt/GlFGG59zDaMDQrvIsm6kezuiew:lrhPGu3azrvIR6keTH
Threatray 297 similar samples on MalwareBazaar
TLSH 1E052380C8C77174C6DF693E4B18B22EE5FC49AA8458CCEAE35557F6890773D41A8B83
Reporter abuse_ch
Tags:ArkeiStealer exe


Avatar
abuse_ch
ArkeiStealer C2:
http://onlinemseof.site/

Intelligence

File Origin
# of uploads :
2
# of downloads :
179
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
cc41b92339a4d05cf4941a41c1b198d1.exe
Verdict:
Malicious activity
Analysis date:
2020-12-04 08:02:38 UTC
Tags:
trojan stealer vidar
Link:
https://app.any.run/tasks/fb03f964-f678-4d68-a712-7d1a63e7c6d2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
VMProtectStub
Create hunting rule
Link:
https://www.capesandbox.com/analysis/106717/
Detection(s):
SecuriteInfo.com.Trojan.Siggen11.48612.2080.8136.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
DNS request
Creating a file
Deleting a recently created file
Reading critical registry keys
Replacing files
Creating a window
Delayed writing of the file
Running batch commands
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Searching for the window
Connection attempt to an infection source
Stealing user critical data
Launching a tool to kill processes
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/555414
Signature
Antivirus / Scanner detection for submitted sample
Detected VMProtect packer
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sample is protected by VMProtect
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3ecfe375bd64aa9e53b2d439c8ea9974af664aa36d060239ae7ddd1d796e0309/
Threat name:
Win32.Spyware.AveMaria
Create hunting rule
Status:
Malicious
First seen:
2020-11-27 05:54:58 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=h3h6g5n5msvj4u5s2q44r2uzosxwmsvdnudaeonopxor26loameq._file
Verdict:
unknown
Similar samples:
033dd7d02172855d2e61e1dcfae24bdeb9136310503e06bf7079ef78db9422ae
ArkeiStealer
32c17a6caeed78f79e06de58d5229927f77bc8c6b4865b41289d4da886a07df4
ArkeiStealer
3e9f05acde528ea5fd7ca9d0c2af0e82d29e343d2f61420290e6f660630cd25f
ArkeiStealer
484ff6267219f9eb4794c1f20aaa9562a459e0d1a787743592b1532eda3be541
ArkeiStealer
61198dcb525d78061585053ddc30e99ca70842899622e333eb64d3b68ee7a167
ArkeiStealer
662df407f177b9d63dc16fe5c1068d65c8e1fbe602d05a7cae1db651179b746e
ArkeiStealer
69fe5bb4b975f9437b6c3bcf3f07dc807a8f2e848f1e0c5802012295b06a742c
ArkeiStealer
7294bdc3333d08ac9c2397b3555c0126928c13600b23de09f21841cfee83f55a
ArkeiStealer
7dd09a71615dc2a60ba9dd906aebcff010f8442f4db392e4feb88baa01f8c999
ArkeiStealer
9c2eb5790e7874950db0e51764ba68bb4a0fa5be68b659717c73363883da0db7
ArkeiStealer
+ 287 additional samples on MalwareBazaar
Result
Malware family:
oski
Create hunting rule
Score:
  10/10
Tags:
family:oski discovery infostealer spyware vmprotect
Link:
https://tria.ge/reports/201204-ez9jms45sn/
Behaviour
Checks processor information in registry
Kills process with taskkill
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
JavaScript code in executable
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Oski
Unpacked files
SH256 hash:
3ecfe375bd64aa9e53b2d439c8ea9974af664aa36d060239ae7ddd1d796e0309
MD5 hash:
cc41b92339a4d05cf4941a41c1b198d1
SHA1 hash:
023292b0b004739fb03cb417a28d8675633a5b2a
Link:
https://www.unpac.me/results/5c9e790f-151e-48e1-a75b-0d201afbfbb6/
SH256 hash:
412786aa38066ec8005281c6ffe4df80a57f624c372c65b6ef5df1b67c95a637
MD5 hash:
85522c6936242fa6c7c074152b8c44b6
SHA1 hash:
014e8220044d0725c921d4f8eddabb0e5db17e73
Detections:
win_oski_g0
Create hunting rule
Link:
https://www.unpac.me/results/5c9e790f-151e-48e1-a75b-0d201afbfbb6/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3ecfe375bd64aa9e53b2d439c8ea9974af664aa36d060239ae7ddd1d796e0309

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/106717/

Comments