MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 496b39b696da8c81b7f0d57b3b591a9c948bf88d8ba375618703edcb18f4c27d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ArkeiStealer

Vendor detections: 3

Intelligence 3 IOCs YARA 2 File information Comments

SHA256 hash:	496b39b696da8c81b7f0d57b3b591a9c948bf88d8ba375618703edcb18f4c27d
SHA3-384 hash:	68b2e6d52569843e7db550f87e904eba2f306b47631d1fba221f5f2f4145258591b02a3bb921a99a5c3813ac10b26c6b
SHA1 hash:	6b605eb4d8e71e62554bb9902ea90cd3ce09fce2
MD5 hash:	fbfb97b2fcf659c8de6ccb8fe091294b
humanhash:	vermont-august-green-washington
File name:	SecuriteInfo.com.Win32.Packed.Themida.HKO.4455
Download:	download sample
Signature	ArkeiStealer Create hunting rule
File size:	5'160'448 bytes
First seen:	2020-06-17 05:49:09 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	430300c6431de6d32572cb6b4354d70b (5 x ArkeiStealer)
ssdeep	98304:vqOVyJC4K7XsWkkj95TjZKHNR97DDyAO6UScifl1R:iOVwC4C8WL5KT97XOul1R
Threatray	178 similar samples on MalwareBazaar
TLSH	CF36BEF23E5C604AD1924674C4F74747A23AA2994728CA48F55CB4BC3F61CA619CFB3E
Reporter	SecuriteInfoCom

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/19057/

Detection(s):

SecuriteInfo.com.Win32.Packed.Themida.HKO.4455.UNOFFICIAL

Gathering data

Threat name:

Win32.Trojan.Chapak

Status:

Malicious

First seen:

2020-06-17 04:53:38 UTC

AV detection:

22 of 29 (75.86%)

Threat level:

5/5

Verdict:

suspicious

ArkeiStealer

32c17a6caeed78f79e06de58d5229927f77bc8c6b4865b41289d4da886a07df4

ArkeiStealer

484ff6267219f9eb4794c1f20aaa9562a459e0d1a787743592b1532eda3be541

ArkeiStealer

610ef8befe605dd4ba3277c221c25932ffd6e1b939728da70ebd0d1b96fddaa4

ArkeiStealer

6fa66f7851bea577cc6adfda11d3225a69b7c6554f028851eddd4d23ea074a59

ArkeiStealer

7a445143a652f58fa4abc4957269aea8f884f71e7f4654b56385491eb544b0a5

ArkeiStealer

7dd09a71615dc2a60ba9dd906aebcff010f8442f4db392e4feb88baa01f8c999

ArkeiStealer

8bbb8fe69100550248f4663e911a16bca03432bef9112dd0924d7a9c3dae8464

ArkeiStealer

c158b8ed8c9a0221bfeb3dea8d026d5bb9bade9ecfd19191ada59c51c8eb4089

ArkeiStealer

f09dc0b3275b4c1e3a616911805011c2871af1407599493dc980b6987cb313eb

ArkeiStealer

+ 168 additional samples on MalwareBazaar

Result

Malware family:

oski

Score:

10/10

Tags:

evasion trojan discovery infostealer family:oski spyware

Link:

https://tria.ge/reports/200624-ns9at99jbs/

Behaviour

Suspicious use of WriteProcessMemory

Kills process with taskkill

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

Suspicious use of NtSetInformationThreadHideFromDebugger

Checks whether UAC is enabled

Accesses cryptocurrency wallets, possible credential harvesting

Legitimate hosting services abused for malware hosting/C2

Checks for installed software on the system

Modifies system certificate store

Loads dropped DLL

Checks BIOS information in registry

Reads user/profile data of web browsers

Identifies VirtualBox via ACPI registry values (likely anti-VM)

oski

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	suspicious_packer_section Create hunting rule
Author:	@j0sm1
Description:	The packer/protector section names/keywords
Reference:	http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/