MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5275eb92b2b285585e26a85d14c9415e42fc4eac7c8b482e22910effb85536c5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ArkeiStealer

Vendor detections: 5

Intelligence 5 IOCs YARA 3 File information Comments

SHA256 hash:	5275eb92b2b285585e26a85d14c9415e42fc4eac7c8b482e22910effb85536c5
SHA3-384 hash:	bdb48a97f60c04e9eb766a340af2eb04507d66c54d1eb73b6b171c8ec60155715dadd059242ad142e48c99b48b1af1d4
SHA1 hash:	623e746ea70afd4cbed10e335effb34fd4291c6b
MD5 hash:	1d5ffeb1da527fbfd44702f9c14df678
humanhash:	march-freddie-sodium-helium
File name:	1d5ffeb1da527fbfd44702f9c14df678.exe
Download:	download sample
Signature	ArkeiStealer Create hunting rule
File size:	451'584 bytes
First seen:	2020-07-12 17:40:37 UTC
Last seen:	2020-07-12 18:54:45 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	686219106e6654ddadec61aba7a85109 (1 x ArkeiStealer)
ssdeep	6144:l2W8o1pjB7hwVzBVqfSsivdMCtdUT8Ynl0fXD1ePjc0LG4Pp/j5E+BB89lfWMDkD:lDD7mIAxTUT8Al0PW+4PvdBO9/1SJ
TLSH	06A4121279E1C0B2D75746B108A8D7411AABB83227B0DA773B501BAD1F65EF01B3736B
Reporter	abuse_ch
Tags:	ArkeiStealer exe

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Vidar

Link:

https://www.capesandbox.com/analysis/24904/

Detection(s):

PUA.Win.Downloader.Aiis-6803892-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

DNS request

Connection attempt

Sending an HTTP GET request

Creating a file

Deleting a recently created file

Reading critical registry keys

Launching a service

Stealing user critical data

Forced shutdown of a browser

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/5275eb92b2b285585e26a85d14c9415e42fc4eac7c8b482e22910effb85536c5/

Threat name:

Win32.Trojan.Wacatac

Status:

Malicious

First seen:

2020-07-12 17:42:06 UTC

AV detection:

26 of 29 (89.66%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=kj26xevswkcvqxrgvborjskblzbpytvmpsfuqlrcsehp7ocvg3cq._file

Verdict:

unknown

Result

Malware family:

n/a

Score:

7/10

Tags:

discovery spyware

Link:

https://tria.ge/reports/200712-cylv7239r6/

Behaviour

Kills process with taskkill

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Checks processor information in registry

Kills process with taskkill

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Checks for installed software on the system

Looks up external IP address via web service

Checks for installed software on the system

Reads user/profile data of web browsers

Reads user/profile data of local email clients

Loads dropped DLL

Deletes itself

Loads dropped DLL

Reads user/profile data of web browsers

Reads user/profile data of local email clients

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	win_vidar_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

Rule name:	win_vidar_g0 Create hunting rule
Author:	Slavo Greminger, SWITCH-CERT

Rule name:	with_sqlite Create hunting rule
Author:	Julian J. Gonzalez <info@seguridadparatodos.es>
Description:	Rule to detect the presence of SQLite data in raw image
Reference:	http://www.st2labs.com