MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4a39b341e2d5fd5085d7ca2ee6a11d144a8dbc559d7e5c371947d9bfa98e87f2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ArkeiStealer

Vendor detections: 7

Intelligence 7 IOCs 1 YARA File information Comments

SHA256 hash:	4a39b341e2d5fd5085d7ca2ee6a11d144a8dbc559d7e5c371947d9bfa98e87f2
SHA3-384 hash:	36bb40f1c1668eb80ad6e4a51e3579ed79dfcbbb329455df4151c98ee5982de063e47801d13ef62ff79097622fec060d
SHA1 hash:	0d56c63f4afd00d7bd67fe561a2b7de0a08ff365
MD5 hash:	a282da0cf8b4a35a1fec2a5751682acf
humanhash:	bulldog-wisconsin-oranges-jig
File name:	4a39b341e2d5fd5085d7ca2ee6a11d144a8dbc559d7e5c371947d9bfa98e87f2
Download:	download sample
Signature	ArkeiStealer Create hunting rule
File size:	2'949'344 bytes
First seen:	2021-03-29 07:08:34 UTC
Last seen:	2021-03-29 07:48:23 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	ba4cc0afb12afe0a3f885ae6696404ed (1 x ArkeiStealer)
ssdeep	49152:VgprPO37fzH4A6hanqNmZBb9TcAY8bsTLtWfWT:WprPO37fzH4A6h0PtcAYbmW
Threatray	584 similar samples on MalwareBazaar
TLSH	AED59D29B1B34CB6F36A5E3658164160673EFD843E28ACD635D6FA3E0BF518335261C2
Reporter	JAMESWT_WT
Tags:	ArkeiStealer LTD SERVICES LIMITED signed

Code Signing Certificate

Organisation:	LTD SERVICES LIMITED
Issuer:	Sectigo RSA Code Signing CA
Algorithm:	sha256WithRSAEncryption
Valid from:	2021-03-18T00:00:00Z
Valid to:	2022-03-18T23:59:59Z
Serial number:	7d36cbb64bc9add17ba71737d3ecceca
Intelligence:	9 malware samples on MalwareBazaar are signed with this code signing certificate
MalwareBazaar Blocklist:	This certificate is on the MalwareBazaar code signing certificate blocklist (CSCB)
Thumbprint Algorithm:	SHA256
Thumbprint:	05be3171ca7272803d139ca13b16c24a3dd22917b1b8d6d0fd5401e63a79dd27
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://104.244.76.207/	https://threatfox.abuse.ch/ioc/5736/

Intelligence

File Origin

# of uploads :

# of downloads :

124

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Main-Installer.exe

Verdict:

Malicious activity

Analysis date:

2021-03-28 23:17:08 UTC

Tags:

trojan

Link:

https://app.any.run/tasks/efe605d3-1521-437b-ae3d-530a8a5fffa1

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/127474/

Detection(s):

PUA.Win.Packer.PrivateEXEProtector4-6192998-2

Result

Verdict:

Malware

Maliciousness:

Behaviour

Unauthorized injection to a recently created process

Sending a custom TCP request

DNS request

Sending a UDP request

Sending an HTTP GET request to an infection source

Sending an HTTP POST request to an infection source

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/a73407af-bf69-46ea-bad0-74f41768f0fa

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

80 / 100

Link:

https://www.joesandbox.com/analysis/656516

Signature

Detected unpacking (changes PE section rights)

Hijacks the control flow in another process

Injects a PE file into a foreign processes

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

PE file has nameless sections

Tries to detect virtualization through RDTSC time measurements

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/4a39b341e2d5fd5085d7ca2ee6a11d144a8dbc559d7e5c371947d9bfa98e87f2/

Threat name:

Win32.Trojan.Wacatac

Status:

Malicious

First seen:

2021-03-29 07:09:07 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

16 of 48 (33.33%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ji43gqpc2x6vbboxzixonii5crfi3pcvtv7fynyzi7m37kmoq7za._file

Verdict:

suspicious

ArkeiStealer

0953e54968ca9407a172c0a35a00d8b30ec603770809bbd2901a070e1b83b7f8

ArkeiStealer

3d3095586bf72d6b631e44681654c68707a6f07987b02e367e7d88ac9ddab77c

ArkeiStealer

411e56b415d4c23a741958c3f1ada72b3e958c078d27c339678bb690b7a895c3

ArkeiStealer

4ce173da12efcf686dd4a7fec6678fc6c0e2cae352a3dd327bdfa478c18589e4

ArkeiStealer

7e88f1c425154e6fff6d031aaaa4d8bb4c8ff131e429f44310fd936bfc08b357

ArkeiStealer

92ddc88d7c1bde849c18747f4fcd526c240a81efe9c74ee1dcaa4a72ecc9ac3a

ArkeiStealer

aa9692c1769e25297176b847f4274570c56c4d74f4577608bd036e72d82d5bdb

ArkeiStealer

d0b2bc00645de803a4e9df303539995ee8f781631684b04fe67ee7e01bcf9c21

ArkeiStealer

e3670bfc1db6fb7223bb6b231ef4c3afd9d34de1d8f87b7a8e7a4cb27cfaa37d

ArkeiStealer

+ 574 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

8/10

Tags:

discovery persistence spyware stealer upx

Link:

https://tria.ge/reports/210329-vdnz2kc2z6/

Behaviour

Checks processor information in registry

Delays execution with timeout.exe

Runs ping.exe

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Drops startup file

Loads dropped DLL

Reads user/profile data of web browsers

Executes dropped EXE

UPX packed file

Unpacked files

SH256 hash:

7b0b8db231d411d10f45ed54779fcfa8f3e442e04a31733ee2598b0dd3f63229

MD5 hash:

e769e747bb0fb0c1893e27af747094df

SHA1 hash:

af49f0054f201ba4a4b2d010d661e3d1f78e2a72

Link:

https://www.unpac.me/results/ce1a96a5-a330-4f18-8763-75d1cd6ea255/

SH256 hash:

4a39b341e2d5fd5085d7ca2ee6a11d144a8dbc559d7e5c371947d9bfa98e87f2

MD5 hash:

a282da0cf8b4a35a1fec2a5751682acf

SHA1 hash:

0d56c63f4afd00d7bd67fe561a2b7de0a08ff365

Link:

https://www.unpac.me/results/ce1a96a5-a330-4f18-8763-75d1cd6ea255/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Gamarue

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/4a39b341e2d5fd5085d7ca2ee6a11d144a8dbc559d7e5c371947d9bfa98e87f2

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/127474/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample