MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 68652defc71770065997b7d60a64a3959446a114a2ee17a443a15ae8b767f150. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ArkeiStealer

Vendor detections: 15

Intelligence 15 IOCs 7 YARA 1 File information Comments

SHA256 hash:	68652defc71770065997b7d60a64a3959446a114a2ee17a443a15ae8b767f150
SHA3-384 hash:	eae96105c5f5e7a2bbf8a96022a3d14a4a46d921c37a38378557d42d031122cdcff822044197e3785d52f54b7a0fe791
SHA1 hash:	54b29a0a0d05e9deb1b28ea08e72545774dee65a
MD5 hash:	a03e9d78a3f0a89f5e9f98872635b6d8
humanhash:	jersey-winter-neptune-carolina
File name:	a03e9d78a3f0a89f5e9f98872635b6d8.exe
Download:	download sample
Signature	ArkeiStealer Create hunting rule
File size:	4'205'568 bytes
First seen:	2022-08-06 12:15:20 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f4d09fd7bd56cf3e73816aaffeb34212 (1 x ArkeiStealer)
ssdeep	98304:e7GTF0hs4JkUQBIsWFIwuV3c+rFzB7TOqFfjle3uuCOR:evqjzBPOgfjleio
TLSH	T143166DE27605F2CFD48E2A789497DE47985C83F58621D802DC6DF87E7E63C8911C6E28
TrID	29.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 22.7% (.EXE) Win16 NE executable (generic) (5038/12/1) 20.3% (.EXE) Win32 Executable (generic) (4505/5/1) 9.1% (.EXE) OS/2 Executable (generic) (2029/13) 9.0% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):
dhash icon	f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter	abuse_ch
Tags:	ArkeiStealer exe

abuse_ch

ArkeiStealer C2:
http://rgjeweller.mu/oski//6.jpg

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://rgjeweller.mu/oski//6.jpg	https://threatfox.abuse.ch/ioc/841631/
http://rgjeweller.mu/oski//1.jpg	https://threatfox.abuse.ch/ioc/841632/
http://rgjeweller.mu/oski//2.jpg	https://threatfox.abuse.ch/ioc/841633/
http://rgjeweller.mu/oski//3.jpg	https://threatfox.abuse.ch/ioc/841634/
http://rgjeweller.mu/oski//4.jpg	https://threatfox.abuse.ch/ioc/841635/
http://rgjeweller.mu/oski//5.jpg	https://threatfox.abuse.ch/ioc/841636/
http://rgjeweller.mu/oski//7.jpg	https://threatfox.abuse.ch/ioc/841637/

Intelligence

File Origin

# of uploads :

# of downloads :

359

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

vidar

ID:

File name:

a03e9d78a3f0a89f5e9f98872635b6d8.exe

Verdict:

Malicious activity

Analysis date:

2022-08-06 12:20:44 UTC

Tags:

trojan stealer vidar loader

Link:

https://app.any.run/tasks/88e89d79-589c-46a9-b159-095d2a967555

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/296867/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% subdirectories

Creating a process from a recently created file

Creating a process with a hidden window

Сreating synchronization primitives

Creating a file in the Windows directory

Modifying an executable file

DNS request

Creating a file

Reading critical registry keys

Creating a window

Delayed writing of the file

Creating a file in the Program Files subdirectories

Running batch commands

Searching for the window

Using the Windows Management Instrumentation requests

Enabling autorun with the shell\open\command registry branches

Stealing user critical data

Launching a tool to kill processes

Infecting executable files

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

packed virus vobfus wacatac

Link:

https://www.filescan.io/uploads/62ee5bfcbcf76fcb6cec9c5e/reports/02106996-a23e-4b14-8d28-563273ce150c/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Oski Stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/375fb222-3c32-441a-89c4-eaaccf4d1e2a

Result

Threat name:

Neshta, Oski Stealer

Detection:

malicious

Classification:

spre.troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1047279

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Antivirus detection for URL or domain

Creates an undocumented autostart registry key

Downloads files with wrong headers with respect to MIME Content-Type

Drops executable to a common third party application directory

Drops executables to the windows directory (C:\Windows) and starts them

Drops PE files with a suspicious file extension

Infects executable files (exe, dll, sys, html)

Machine Learning detection for dropped file

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

PE file contains section with special chars

Posts data to a JPG file (protocol mismatch)

Query firmware table information (likely to detect VMs)

Sample is not signed and drops a device driver

Snort IDS alert for network traffic

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected Neshta

Yara detected Oski Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/68652defc71770065997b7d60a64a3959446a114a2ee17a443a15ae8b767f150/

Threat name:

Win32.Trojan.Generic

Status:

Suspicious

First seen:

2022-07-18 19:26:00 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

19 of 26 (73.08%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=nbss336hc5yamwmxw7lauzfdswkeniiuulxbpjcdufnorn3h6fia._file

Verdict:

malicious

Result

Malware family:

oski

Score:

10/10

Tags:

family:neshta family:oski discovery evasion infostealer persistence spyware stealer themida trojan

Link:

https://tria.ge/reports/220806-pffrkshaa3/

Behaviour

Checks processor information in registry

Kills process with taskkill

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Drops file in Program Files directory

Drops file in Windows directory

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Checks installed software on the system

Checks whether UAC is enabled

Checks BIOS information in registry

Checks computer location settings

Loads dropped DLL

Reads user/profile data of web browsers

Themida packer

Downloads MZ/PE file

Executes dropped EXE

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Detect Neshta payload

Modifies system executable filetype association

Neshta

Oski

Malware Config

C2 Extraction:

rgjeweller.mu/oski/

Unpacked files

SH256 hash:

d5ece52a71f0de749b31eb99c506c8b9147f2b690b1f85a88c1ad0357540a6a9

MD5 hash:

b01db2780c5a1bbeb3b76e97eb5ea754

SHA1 hash:

c75b2d4e0c81fb42ccf8b6d7da6e3134b480c7dc

Detections:

win_neshta_g0

Link:

https://www.unpac.me/results/f1f5e62c-6ea9-4f59-ad3d-43e2dcb6adf1/

Parent samples :

811d169ec93c76795798353e6fdf509271d61d3424acb7d709c34cc83511b0f9
cb15585aac621fef5710d7c2b6cc714d7d3283576717cd7738a0898d5b63a470
4dcd84003dc7b4d627193ce18034c71a3ee35980495d755d9bcf80a672eb544e
2e5b9ebfb2b81c5e512248e2e9224d1054defc4b027c0108fc10d268312ce290
68652defc71770065997b7d60a64a3959446a114a2ee17a443a15ae8b767f150
640315d3ee04d383d4b8702b0d29a11846139cb9505078440f2e67b2d9bc3cce
4608c3c211744ce283dac6c36cb7a2c0fd584ee440fa4f671bc270f1bc737ff0
c8bb8271adc398661a408fc99b14a7d3797bd546b0b836f68a059c2f72948937
cd23680ab97a8fa8c459690061e90ea0d48d19975900f1a0ee41ffcd76bbb311
313cabf464e7edf69744f94c3ea234fbb5d7b99daf2aff5492131a4ca9d08e00
60292e6be9d0d5e5f82a3382e4b69fcd19362b4c30a1829787dfc6ea5462a117
ec2ec99d719ccde3972abb4db0ef83eae6462f4697861529ead23d304c527d29
a8df709495ab9ea938880b1ebe744b33bc163b2fe576ce7e585caef7c846b718
a6077288d1353daaab0bf9092c357cd7f0712537def3ff3be60fa68da4e436ac

SH256 hash:

7515f266015f8d2861b2437340260ea94e99add4870edcc02faa6d12d6f0b678

MD5 hash:

c997eba88f1f99cc816d2141bc557f7a

SHA1 hash:

9d35a68c290745890208a46d0e29b93956ec831a

Detections:

win_oski_g0

win_oski_auto

OskiStealer

Link:

https://www.unpac.me/results/f1f5e62c-6ea9-4f59-ad3d-43e2dcb6adf1/

SH256 hash:

68652defc71770065997b7d60a64a3959446a114a2ee17a443a15ae8b767f150

MD5 hash:

a03e9d78a3f0a89f5e9f98872635b6d8

SHA1 hash:

54b29a0a0d05e9deb1b28ea08e72545774dee65a

Link:

https://www.unpac.me/results/f1f5e62c-6ea9-4f59-ad3d-43e2dcb6adf1/

Malware family:

OskiStealer

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/68652defc717/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/68652defc71770065997b7d60a64a3959446a114a2ee17a443a15ae8b767f150

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_EXE_Packed_Themida Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with Themida

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/296867/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample