MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 89d15d3703f9b4084dc3dd41693d5337d2a19fa40c3c87e1cb7a0997d021c4e1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



ArkeiStealer


Vendor detections: 12



SHA256 hash: 89d15d3703f9b4084dc3dd41693d5337d2a19fa40c3c87e1cb7a0997d021c4e1
SHA3-384 hash: 772dfe5438e4a4392cbf5f5cd19147ad4e7798d08660fd99871b31d4832df04081fcb23f7431bdbcedc321a9436dfb40
SHA1 hash: 5e84f9d6df57ad4f16f61351fbb9a84b69af349f
MD5 hash: 92d78c1f25d036b26348b9cb1e1c4101
humanhash: lactose-carpet-california-xray
File name: 92d78c1f25d036b26348b9cb1e1c4101.exe
Download: download sample
Signature: ArkeiStealer
File size: 8'177'485 bytes
First seen: 2021-03-28 02:05:10 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash c9adc83b45e363b21cd6b11b5da0501f (82 x ArkeiStealer, 60 x RecordBreaker, 46 x RedLineStealer)
ssdeep 196608:itU+7MBr0wCCoxY85JzuXG03mB0ocqshRfyPLbLs+NW5Mms5QowUX:/+7MmdB5JzSwB02aJyDbA+N/1wI
Threatray 733 similar samples on MalwareBazaar
TLSH 4D863306714A41B3D014147D848BB3F6F872BF480136786E99FE0DEE9B333AD2A5569B
Reporter abuse_ch
Tags:ArkeiStealer exe


abuse_ch
ArkeiStealer C2:
http://91.214.124.106/

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC | ThreatFox Reference
http://91.214.124.106/ | https://threatfox.abuse.ch/ioc/5610/

Intelligence


File Origin
# of uploads: 1
# of downloads: 225
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Delayed reading of the file
Creating a file in the %temp% subdirectories
Creating a file in the Program Files subdirectories
Deleting a recently created file
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file
Searching for the window
Sending a UDP request
DNS request
Sending a custom TCP request
Reading critical registry keys
Sending an HTTP GET request
Launching a process
Enabling the 'hidden' option for recently created files
Replacing files
Delayed writing of the file
Running batch commands
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Sending a TCP request to an infection source
Sending an HTTP GET request to an infection source
Unauthorized injection to a system process
Forced shutdown of a browser
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Creates a thread in another existing process (thread injection)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Detected VMProtect packer
Drops PE files to the document folder of the user
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Sample uses process hollowing technique
Sigma detected: Suspicious Svchost Process
Tries to detect debuggers by setting the trap flag for special instructions
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Behavior Graph ID: 376949
Sample: ekdCcEl5KV.exe
Startdate: 28/03/2021
Architecture: WINDOWS
Score: 100
Top-level signatures: Antivirus detection for URL or domain; Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; 15 other signatures

Process tree (each process is indented under the process that started it; "injected" marks a process that received injected code rather than being started):

ekdCcEl5KV.exe
  dropped: C:\Program Files (x86)\...\moSvKMEovuRx.exe (PE32); C:\Program Files (x86)\VR\...\jg7_7wjg.exe (PE32); C:\Program Files (x86)\VR\...\hjjgaa.exe (PE32); 7 other files (5 malicious)
  RunWW.exe
    network: 157.90.227.5 REDIRISRedIRISAutonomousSystemES United States; 104.17.62.50 CLOUDFLARENETUS United States
    dropped: C:\Users\user\AppData\Local\...\nss3[1].dll (PE32); C:\Users\user\AppData\...\msvcp140[1].dll (PE32); C:\Users\user\AppData\...\softokn3[1].dll (PE32); 9 other files (none is malicious)
    signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Instant Messenger accounts or passwords; Tries to steal Mail credentials (via file access); 2 other signatures
    cmd.exe
      conhost.exe
      taskkill.exe
      timeout.exe
  22.exe
    dropped: C:\Program Files\javcse\install.dll (PE32)
    wscript.exe
      rundll32.exe
        signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Creates a thread in another existing process (thread injection)
        svchost.exe (injected)
        svchost.exe (injected)
    conhost.exe
  LabPicV3.exe
    LabPicV3.tmp
      network: 52.95.169.48 AMAZON-02US United States
      dropped: C:\Users\user\AppData\Local\...\ppppppfy.exe (PE32); C:\Users\user\AppData\Local\Temp\...\idp.dll (PE32); C:\Users\user\AppData\Local\...\_shfoldr.dll (PE32); C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+)
      ppppppfy.exe
        network: 52.95.169.16 AMAZON-02US United States; 2.20.142.210 AKAMAI-ASN1EU European Union; 162.0.210.44 ACPCA Canada
        dropped: C:\Program Files (x86)\...\Deferilyci.exe (PE32); C:\...\Deferilyci.exe.config (XML); C:\Users\user\AppData\...\Lisaekuhelo.exe (PE32); 2 other files (none is malicious)
        signatures: Detected unpacking (overwrites its own PE header)
  6 other processes
    network: 101.36.107.74 UHGL-AS-APUCloudHKHoldingsGroupLimitedHK China; 208.95.112.1 TUT-ASUS United States; 4 other IPs or domains
    dropped: C:\Users\user\Documents\...\jg7_7wjg.exe (PE32); C:\ProgramData\5285280.exe (PE32); C:\ProgramData\1243717.exe (PE32); 3 other files (none is malicious)
    signatures: Sample uses process hollowing technique; Injects a PE file into a foreign processes
    lylal220.tmp
      network: 52.218.52.211 AMAZON-02US United States; 192.168.2.1 (unknown)
      dropped: C:\Users\user\AppData\Local\Temp\...\idp.dll (PE32); C:\Users\user\AppData\Local\...\_shfoldr.dll (PE32); C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+); C:\Users\user\AppData\Local\...\Microsoft.exe (PE32)
      Microsoft.exe
        network: 52.218.84.3 AMAZON-02US United States; 52.95.170.44 AMAZON-02US United States; 162.0.220.48 ACPCA Canada
        dropped: C:\Program Files (x86)\...\Powididylae.exe (PE32); C:\...\Powididylae.exe.config (XML); C:\Users\user\AppData\...\ZHevaezhywica.exe (PE32); 2 other files (none is malicious)
    main.exe
      network: 172.217.23.78 GOOGLEUS United States; 35.220.162.170 GOOGLEUS United States; 3 other IPs or domains
      dropped: C:\Users\user\AppData\Local\...\parse.exe (PE32+)
    jfiag3g_gg.exe
    2 other processes
haleng.exe
  network: 31.13.92.36 FACEBOOKUS Ireland
  dropped: C:\Users\user\AppData\...\jfiag3g_gg.exe (PE32)
  signatures: Tries to detect debuggers by setting the trap flag for special instructions; Tries to detect virtualization through RDTSC time measurements
  jfiag3g_gg.exe
    signatures: Tries to harvest and steal browser information (history, passwords, etc)
  jfiag3g_gg.exe
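The process tree in the behaviour graph above is the kind of thing endpoint telemetry can be checked for. What follows is an added example, not part of this MalwareBazaar entry or of the sandbox report: it rebuilds a process tree from Sysmon-style process-creation records and flags three patterns visible in this graph: executables launched from user-writable directories (ProgramData, AppData, Documents), cmd.exe spawning taskkill.exe and timeout.exe with a del in its command line (the "Kills process with taskkill" and "Delays execution with timeout.exe" behaviours listed below), and a script host spawning rundll32.exe, which in this graph went on to inject svchost.exe. The records are constructed for the example; only the process names and parent/child relations come from the page, while PIDs, full paths, the install.vbs name and the command lines are invented.

```python
import re
from collections import defaultdict

# Constructed Sysmon Event ID 1 style records modelled on the process tree in
# this entry's behaviour graph. PIDs, full paths and command lines are invented
# for the example; only the process names and parent/child relations come from
# the page.
EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Users\user\Desktop\ekdCcEl5KV.exe",
     "cmdline": r'"C:\Users\user\Desktop\ekdCcEl5KV.exe"'},
    {"pid": 110, "ppid": 100, "image": r"C:\Users\user\AppData\Local\Temp\RunWW.exe",
     "cmdline": r'"C:\Users\user\AppData\Local\Temp\RunWW.exe"'},
    {"pid": 111, "ppid": 110, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c taskkill /im RunWW.exe /f & timeout /t 6 & del /f /q "RunWW.exe"'},
    {"pid": 112, "ppid": 111, "image": r"C:\Windows\System32\taskkill.exe", "cmdline": "taskkill /im RunWW.exe /f"},
    {"pid": 113, "ppid": 111, "image": r"C:\Windows\System32\timeout.exe", "cmdline": "timeout /t 6"},
    {"pid": 120, "ppid": 100, "image": r"C:\Users\user\AppData\Local\Temp\22.exe", "cmdline": "22.exe"},
    {"pid": 121, "ppid": 120, "image": r"C:\Windows\System32\wscript.exe", "cmdline": "wscript.exe install.vbs"},
    {"pid": 122, "ppid": 121, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'rundll32.exe "C:\Program Files\javcse\install.dll",Start'},
    {"pid": 130, "ppid": 100, "image": r"C:\ProgramData\5285280.exe", "cmdline": "5285280.exe"},
    {"pid": 140, "ppid": 1,   "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 141, "ppid": 140, "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]

# Locations a standard user can write to, where this sample dropped its payloads.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(?:programdata|users\\[^\\]+\\(?:appdata|documents|downloads))\\", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def build_tree(events):
    """Index events by pid and group them by parent pid."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)
    return by_pid, children


def ancestry(by_pid, pid):
    """Process names from pid up to the oldest parent we have an event for."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


def find_suspicious(events):
    """Return (rule, pid) pairs for the three patterns seen in this sample's tree."""
    by_pid, children = build_tree(events)
    findings = []
    for e in events:
        name = basename(e["image"])
        # 1. Payloads dropped to and run from user-writable locations.
        if USER_WRITABLE.search(e["image"]):
            findings.append(("exec_from_writable_dir", e["pid"]))
        # 2. cmd.exe -> taskkill + timeout + del: kill the dropper, wait, remove it.
        if name == "cmd.exe":
            kids = {basename(c["image"]) for c in children[e["pid"]]}
            if {"taskkill.exe", "timeout.exe"} <= kids and re.search(r"\bdel\b", e["cmdline"], re.I):
                findings.append(("kill_wait_delete_chain", e["pid"]))
        # 3. Script host launching rundll32.exe, the injector in this graph.
        if name == "rundll32.exe":
            parent = by_pid.get(e["ppid"])
            if parent and basename(parent["image"]) in {"wscript.exe", "cscript.exe"}:
                findings.append(("script_host_spawns_rundll32", e["pid"]))
    return findings


if __name__ == "__main__":
    by_pid, _ = build_tree(EVENTS)
    for rule, pid in find_suspicious(EVENTS):
        print(f"{rule:28} pid={pid}  {' <- '.join(ancestry(by_pid, pid))}")
```

The rules key on parent/child structure rather than on file names, because every name in this tree (RunWW.exe, 22.exe, jfiag3g_gg.exe, the numeric ProgramData executables) is disposable; the explorer.exe and notepad.exe records are included so the output shows the benign branch is not flagged.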
Threat name:
Win32.Trojan.Rasftuby
Status:
Malicious
First seen:
2021-03-28 01:52:59 UTC
AV detection:
18 of 29 (62.07%)
Threat level:
  5/5
Result
Malware family:
Score:
  10/10
Tags:
family:glupteba family:metasploit family:raccoon family:redline family:smokeloader family:vidar botnet:afefd33a49c7cbd55d417545269920f24c85aa37 backdoor discovery dropper evasion infostealer loader persistence spyware stealer trojan upx vmprotect
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
GoLang User-Agent
Kills process with taskkill
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Loads dropped DLL
Reads local data of messenger clients
Reads user/profile data of web browsers
Drops file in Drivers directory
Executes dropped EXE
UPX packed file
VMProtect packed file
Checks for common network interception software
Glupteba
Glupteba Payload
MetaSploit
Raccoon
RedLine
SmokeLoader
Suspicious use of NtCreateUserProcessOtherParentProcess
Vidar
Malware Config
C2 Extraction:
http://10022020newfolder1002002131-service1002.space/
http://10022020newfolder1002002231-service1002.space/
http://10022020newfolder3100231-service1002.space/
http://10022020newfolder1002002431-service1002.space/
http://10022020newfolder1002002531-service1002.space/
http://10022020newfolder33417-01242510022020.space/
http://10022020test125831-service1002012510022020.space/
http://10022020test136831-service1002012510022020.space/
http://10022020test147831-service1002012510022020.space/
http://10022020test146831-service1002012510022020.space/
http://10022020test134831-service1002012510022020.space/
http://10022020est213531-service100201242510022020.ru/
http://10022020yes1t3481-service1002012510022020.ru/
http://10022020test13561-service1002012510022020.su/
http://10022020test14781-service1002012510022020.info/
http://10022020test13461-service1002012510022020.net/
http://10022020test15671-service1002012510022020.tech/
http://10022020test12671-service1002012510022020.online/
http://10022020utest1341-service1002012510022020.ru/
http://10022020uest71-service100201dom2510022020.ru/
http://10022020test61-service1002012510022020.website/
http://10022020test51-service1002012510022020.xyz/
http://10022020test41-service100201pro2510022020.ru/
http://10022020yest31-service100201rus2510022020.ru/
http://10022020rest21-service1002012510022020.eu/
http://10022020test11-service1002012510022020.press/
http://10022020newfolder4561-service1002012510022020.ru/
http://10022020rustest213-service1002012510022020.ru/
http://10022020test281-service1002012510022020.ru/
http://10022020test261-service1002012510022020.space/
http://10022020yomtest251-service1002012510022020.ru/
http://10022020yirtest231-service1002012510022020.ru/
http://xsss99.icu/upload/
http://bingooodsg.icu/upload/
http://junntd.xyz/upload/
http://ginessa11.xyz/upload/
http://overplayninsx.xyz/upload/
http://bananinze.com/upload/
http://daunimlas.com/upload/
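A worked check against the indicators on this page, added here as an example and not part of the MalwareBazaar entry: it normalises the ThreatFox C2 and the extracted C2 URLs to hostnames or IP literals and matches them against proxy-log lines. The log lines are constructed for the example, the function names are the example's own, and the indicator list is a subset copied from this page (the full list above can be pasted in unchanged). Matching is on the host only, so the /upload/ path is ignored, and a logged host also counts as a hit when it is a subdomain of a listed domain; that fits these throwaway C2 domains but would over-match if the list ever contained a shared hosting domain.

```python
import ipaddress
from urllib.parse import urlsplit

# Indicators copied from this entry: the ThreatFox C2 and a subset of the
# sandbox's "C2 Extraction" list. The full list can be pasted in unchanged.
ENTRY_IOCS = [
    "http://91.214.124.106/",
    "http://10022020newfolder1002002131-service1002.space/",
    "http://10022020test125831-service1002012510022020.space/",
    "http://10022020est213531-service100201242510022020.ru/",
    "http://xsss99.icu/upload/",
    "http://bingooodsg.icu/upload/",
    "http://bananinze.com/upload/",
]

# Constructed proxy log (timestamp, client, method, URL, status); not real traffic.
SAMPLE_PROXY_LOG = """\
1616896800.123 10.0.0.21 GET http://91.214.124.106/ 200
1616896801.456 10.0.0.21 POST http://xsss99.icu/upload/ 200
1616896802.789 10.0.0.22 GET https://www.example.com/ 200
1616896803.001 10.0.0.23 GET http://cdn.bananinze.com:8080/upload/ 404
1616896804.002 10.0.0.24 GET http://notbananinze.com/upload/ 200
"""


def normalise_host(url_or_host):
    """Reduce a URL or bare host to a lower-case hostname/IP literal, port dropped."""
    s = url_or_host.strip()
    if "://" not in s:
        s = "http://" + s          # urlsplit needs a scheme to find the netloc
    host = urlsplit(s).hostname or ""
    return host.lower().rstrip(".")


def load_indicators(urls):
    """Split indicators into a set of domain names and a set of IP addresses."""
    domains, ips = set(), set()
    for u in urls:
        h = normalise_host(u)
        if not h:
            continue
        try:
            ips.add(ipaddress.ip_address(h))
        except ValueError:
            domains.add(h)
    return domains, ips


def host_matches(host, domains, ips):
    """Return the matching indicator, or None.

    An IP literal must be equal to a listed IP. A name matches when it equals a
    listed domain or is a subdomain of one, compared label by label, so
    'notbananinze.com' does not match 'bananinze.com'.
    """
    if not host:
        return None
    try:
        ip = ipaddress.ip_address(host)
        return str(ip) if ip in ips else None
    except ValueError:
        pass
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def scan_proxy_log(text, iocs=ENTRY_IOCS):
    """Return one record per log line whose URL host matches an indicator."""
    domains, ips = load_indicators(iocs)
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        ts, client, method, url, status = parts[:5]
        indicator = host_matches(normalise_host(url), domains, ips)
        if indicator:
            hits.append({"ts": ts, "client": client, "url": url, "indicator": indicator})
    return hits


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{hit['client']} -> {hit['url']}  (matches {hit['indicator']})")
```

On the constructed log this reports the direct hit on 91.214.124.106, the POST to xsss99.icu/upload/ and the cdn.bananinze.com request, and stays silent on notbananinze.com; the sandbox-extracted .space/.ru/.su domains follow the same normalisation and match the same way once they appear in traffic.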
Unpacked files
SHA256 hash:
f938607922a22a572b5412b5407c601cc4eb52feb89cf98a043a6e14297eb988
MD5 hash:
4d9242ae47b6caadfe302730d41a961d
SHA1 hash:
60b7aa827146af8d7d9caf3667a416ba6e614b7c
SHA256 hash:
72bd58dc85328dfcebdd62284ad2c1459cadad6b00ccdfc6226af3616c9cfac7
MD5 hash:
a6c9627c162efefaae7b8fe532c041cf
SHA1 hash:
58d74709dfc8c713c8c86810a0d050bb01a8f8e1
SHA256 hash:
626ef20cb323457a90536d2c31a02253680594504a89ca41463cb322a861e9cb
MD5 hash:
32adc167e1bea75ea145e82a38318595
SHA1 hash:
cf97464bc755e921af3d892f42d41aae6da108db
SHA256 hash:
b1a9e0cb7ec60d52d357198616f113f6b96721eaa50fb205d956c65db4923626
MD5 hash:
c397a30f942172e70ae1d6958e3b7d60
SHA1 hash:
65760b7d140cc09a14dabd25969f324595d92d4a
SHA256 hash:
417c9b048550ef2a486c998f39e8d60918de839aa03e60bbdbc2cc6c90ba24be
MD5 hash:
d25a051d566dcdf7cbb81f164cfd2cb3
SHA1 hash:
f70eae9b42d540d1da015be50279ceb73ac9977d
SHA256 hash:
6841bbd18c0cf5d8a3714d6577b38ac4db489f665eac2561ce9318bdf858f228
MD5 hash:
1a21fbc4fd3a17ae47105a9788a3cb25
SHA1 hash:
3858564428fbc4d3a43916882e086c6f0d916cfb
SHA256 hash:
9d1e8609a8467c67a6282f6a9084a3e6a3eb2e7e5ae76b2680aaab41d22a53d8
MD5 hash:
958e43ec0d40213d2ec02dd5a67a5046
SHA1 hash:
8059f88b442c68342e9f549f1947749b24718dc9
SHA256 hash:
0a7e8a8ca5abd7a2598c8a04521b0cb5d006bc1fb212c0d94a9de7d7d579ffb8
MD5 hash:
460742790e2c251afc782a62c30d6f98
SHA1 hash:
a040d68ce94f48fa7b1e57f3d96ad76622fd40b7
SHA256 hash:
fc1c76c18adebd91d9d7478f3eb426b506bb5aaea0884e559e220920d3a1ce14
MD5 hash:
1dbf473671f386f8e2c3731ec1fef5c7
SHA1 hash:
00ce8e17678c40ecb5913da6e02842d684012d08
SHA256 hash:
5e450adf356019a0ef810b3dde627bc55830a0f1ed0b3aa1db3136923bf99e29
MD5 hash:
09b14afe81897cc549a9dc15f7fa418d
SHA1 hash:
e1b6e7a4506d530ee19c8a0d902f4d35bc8abc7b
SHA256 hash:
e427f8ef21691e3d8c2313d11129ad08ddef69a158eca2f77c170603478ff0c4
MD5 hash:
0dedd909aae9aa0a89b4422106310e9e
SHA1 hash:
271d36afa5b729ee590cf8066166ca5e9c9d0340
SHA256 hash:
89d15d3703f9b4084dc3dd41693d5337d2a19fa40c3c87e1cb7a0997d021c4e1
MD5 hash:
92d78c1f25d036b26348b9cb1e1c4101
SHA1 hash:
5e84f9d6df57ad4f16f61351fbb9a84b69af349f
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Chrome_stealer_bin_mem
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets
Author:ditekSHen
Description:Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:IPPort_combo_mem
Author:James_inthe_box
Description:IP and port combo
Rule name:Ping_Del_method_bin_mem
Author:James_inthe_box
Description:cmd ping IP nul del
Rule name:Select_from_enumeration
Author:James_inthe_box
Description:IP and port combo
Rule name:Steam_stealer_bin_mem
Author:James_inthe_box
Description:Steam in files like avemaria
Rule name:SUSP_XORed_MSDOS_Stub_Message
Author:Florian Roth
Description:Detects suspicious XORed MSDOS stub message
Reference:https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
Rule name:win_vidar_auto
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:with_sqlite
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method | Signature | File
Web download | ArkeiStealer | Executable exe 89d15d3703f9b4084dc3dd41693d5337d2a19fa40c3c87e1cb7a0997d021c4e1 (this sample)

Delivery method: Distributed via web download

Comments