MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 87b3c14719911288aeee859ae75fc2e186ab5907435f80390ccba14440490bfc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 15


Intelligence 15 IOCs 1 YARA 11 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 87b3c14719911288aeee859ae75fc2e186ab5907435f80390ccba14440490bfc
SHA3-384 hash: a354b102be1b5f3edc785138e49f6b273d3746d9c91778fe322bf53439af13abe9d532a87a1bdeaace8731992f42b157
SHA1 hash: d322c51010c1b747ff833aa054c45f42cbf0b15e
MD5 hash: 50ce896f88bc2c74b2cee1eaf1c02352
humanhash: nuts-shade-summer-tennis
File name:50ce896f88bc2c74b2cee1eaf1c02352.exe
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:260'096 bytes
First seen:2022-09-18 20:45:32 UTC
Last seen:2022-09-18 21:47:32 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 53eb2105444e04a395bf2ae448c29c30 (1 x ArkeiStealer)
ssdeep 6144:fjCOADm4mig5vszRFT+7oK2SgDmw2FU084cAOiJw:fjCpDm4mig5viRFTsp7cKw
TLSH T103448D107491C432E47110365874EBB6893EFC354B259AEBB7C45F7EDE303C2AA35A6A
TrID 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter abuse_ch
Tags:ArkeiStealer exe


Avatar
abuse_ch
ArkeiStealer C2:
http://5.253.18.213/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://5.253.18.213/ https://threatfox.abuse.ch/ioc/850369/

Intelligence

File Origin
# of uploads :
2
# of downloads :
441
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
50ce896f88bc2c74b2cee1eaf1c02352.exe
Verdict:
Malicious activity
Analysis date:
2022-09-18 20:46:17 UTC
Tags:
loader
Link:
https://app.any.run/tasks/b93f78b6-f34c-4a28-bfbc-e418ff4b246f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/311140/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader45.17547.28290.26977.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending an HTTP GET request
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Searching for the window
Launching a tool to kill processes
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/38054/overview
Behaviour
MalwareBazaar
CallSleep
MeasuringTime
CheckCmdLine
EvasionQueryPerformanceCounter
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware shell32.dll
Link:
https://www.filescan.io/uploads/63278461d5ed531416e0339d/reports/15f21e25-39ff-4c61-befd-07a56c9c1977/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Raccoon Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5c478194-b765-46e9-9af7-9f2481bb591f
Result
Threat name:
Nymaim
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/1072582
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (overwrites its own PE header)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Yara detected Nymaim
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 705122 Sample: 3VLeMnf8LA.exe Startdate: 18/09/2022 Architecture: WINDOWS Score: 88 19 Antivirus detection for URL or domain 2->19 21 Antivirus / Scanner detection for submitted sample 2->21 23 Multi AV Scanner detection for submitted file 2->23 25 3 other signatures 2->25 7 3VLeMnf8LA.exe 15 2->7         started        process3 dnsIp4 17 208.67.104.97, 49707, 80 GRAYSON-COLLIN-COMMUNICATIONSUS United States 7->17 27 Detected unpacking (overwrites its own PE header) 7->27 11 cmd.exe 1 7->11         started        signatures5 process6 process7 13 taskkill.exe 1 11->13         started        15 conhost.exe 11->15         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/87b3c14719911288aeee859ae75fc2e186ab5907435f80390ccba14440490bfc/
Threat name:
Win32.Infostealer.Tepfer
Create hunting rule
Status:
Malicious
First seen:
2022-09-16 02:53:53 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
23 of 40 (57.50%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=q6z4cryzsejirlxoqwnoox6c4gdkwwihinpyaoimzoquiqcjbp6a._file
Verdict:
malicious
Result
Malware family:
nymaim
Create hunting rule
Score:
  10/10
Tags:
family:nymaim
Link:
https://tria.ge/reports/220918-zka21abga8/
Behaviour
Kills process with taskkill
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Deletes itself
Malware Config
C2 Extraction:
208.67.104.97
85.31.46.167
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/89cd4713-d1fa-4095-90f4-c516fb5211cb
Unpacked files
SH256 hash:
87b3c14719911288aeee859ae75fc2e186ab5907435f80390ccba14440490bfc
MD5 hash:
50ce896f88bc2c74b2cee1eaf1c02352
SHA1 hash:
d322c51010c1b747ff833aa054c45f42cbf0b15e
Detections:
win_nymaim_g0
Create hunting rule
Link:
https://www.unpac.me/results/809cb0f2-ace1-4e2a-ab33-b5ec0627d14a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/87b3c14719911288aeee859ae75fc2e186ab5907435f80390ccba14440490bfc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CAS_Malware_Hunting
Create hunting rule
Author:Michael Reinprecht
Description:DEMO CAS YARA Rules for sample2.exe
Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:HeavensGate
Create hunting rule
Author:kevoreilly
Description:Heaven's Gate: Switch from 32-bit to 64-mode
Rule name:INDICATOR_EXE_Packed_MPress
Create hunting rule
Author:ditekSHen
Description:Detects executables built or packed with MPress PE compressor
Rule name:malware_shellcode_hash
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect shellcode api hash value
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:RansomwareTest4
Create hunting rule
Author:Daoyuan Wu
Description:Test Ransomware YARA rules
Rule name:RansomwareTest5
Create hunting rule
Author:Daoyuan Wu
Description:Test Ransomware YARA rules
Rule name:RansomwareTest6
Create hunting rule
Author:Daoyuan Wu
Description:Test Ransomware YARA rules
Rule name:Record_Breaker_Similarities
Create hunting rule
Author:DigitalPanda
Rule name:win_gcleaner_de41
Create hunting rule
Author:Johannes Bader
Description:detects GCleaner

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/311140/

Comments