MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 610ef8befe605dd4ba3277c221c25932ffd6e1b939728da70ebd0d1b96fddaa4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 4


Intelligence 4 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 610ef8befe605dd4ba3277c221c25932ffd6e1b939728da70ebd0d1b96fddaa4
SHA3-384 hash: f6d9b8dc8d5e9229bdd843d4ff32d556769dac81d64632e7a37f6743f3f18765e1f2824c67eda7cb6384440d451a36eb
SHA1 hash: 838189c5a4c664346c946804484b8e84a0be5790
MD5 hash: 79c863ce8e351ac2bb16dfe606fc4937
humanhash: emma-quebec-bacon-pizza
File name:SecuriteInfo.com.Artemis79C863CE8E35.6248
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:1'921'688 bytes
First seen:2020-06-08 23:37:24 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 430300c6431de6d32572cb6b4354d70b (5 x ArkeiStealer)
ssdeep 24576:p6RxfNGCKXpB2MeJnQLKUp2Z584+Y8ahfq5uD9sjR3o08NS0pAaGmV:p6RCfpB2MeSLLoFhfbslt8NS0GaGmV
Threatray 290 similar samples on MalwareBazaar
TLSH 9F95223CB7D3E55FE2D24B3C19F0C04D66DDB5154AA24A1B17BABFFEA218544BEA2001
Reporter SecuriteInfoCom
Tags:ArkeiStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
75
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Artemis79C863CE8E35.6248.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Chapak
Create hunting rule
Status:
Malicious
First seen:
2020-06-08 20:14:51 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
1a3223bf578249a17b6d1f8ee0ed8a5fd49690621f3ea63d0380db03f2c31e50
ArkeiStealer
1d1db9028a99d5ccfd2e898e61dd4c0fbd2b363934f0623aa9503280fa3229a9
ArkeiStealer
33b70dd4266c366a2d80bfacb2b1aafdafc74019b0e8a6aa480bd909e73f3a6e
ArkeiStealer
4100f196d5289b085ea167afbec9aadbb5105bf46e48b5402f583db123878f96
ArkeiStealer
484ff6267219f9eb4794c1f20aaa9562a459e0d1a787743592b1532eda3be541
ArkeiStealer
496b39b696da8c81b7f0d57b3b591a9c948bf88d8ba375618703edcb18f4c27d
ArkeiStealer
7a445143a652f58fa4abc4957269aea8f884f71e7f4654b56385491eb544b0a5
ArkeiStealer
9c2eb5790e7874950db0e51764ba68bb4a0fa5be68b659717c73363883da0db7
ArkeiStealer
c158b8ed8c9a0221bfeb3dea8d026d5bb9bade9ecfd19191ada59c51c8eb4089
ArkeiStealer
d725785ec3970b75ecb17a7e5ac14d93ce7a54d259dffc74e8222ed8cfb8b6b3
ArkeiStealer
+ 280 additional samples on MalwareBazaar
Result
Malware family:
oski
Create hunting rule
Score:
  10/10
Tags:
family:oski discovery evasion infostealer spyware trojan
Link:
https://tria.ge/reports/201109-38rj3xc8tn/
Behaviour
Checks processor information in registry
Kills process with taskkill
Modifies system certificate store
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Checks BIOS information in registry
Deletes itself
Reads user/profile data of web browsers
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Oski
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/
Rule name:win_oski_g0
Create hunting rule
Author:Slavo Greminger, SWITCH-CERT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ArkeiStealer

Executable exe 610ef8befe605dd4ba3277c221c25932ffd6e1b939728da70ebd0d1b96fddaa4

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/384157/
  
Delivery method
Distributed via web download

Comments