MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9674cfd1a6f04f7dc3b21ca60fb7896888d676ac51029586684915f14f12f19c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 9


Intelligence 9 IOCs 1 YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9674cfd1a6f04f7dc3b21ca60fb7896888d676ac51029586684915f14f12f19c
SHA3-384 hash: e46c3c867caa33c4383de0d5c1bf2cad1c65ccdaf56787f7d8d00e1707b602d7772d21403aad44b4d1ac735963c79c01
SHA1 hash: 99f94e02d30fe0f3d8a67802fcea9883d6f6de9e
MD5 hash: 995bf66e1305d116167f598cffb872a9
humanhash: neptune-montana-shade-william
File name:9674cfd1a6f04f7dc3b21ca60fb7896888d676ac51029.exe
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:940'032 bytes
First seen:2021-06-30 14:01:57 UTC
Last seen:2021-06-30 14:45:46 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'738 x AgentTesla, 19'596 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 24576:gjXok/S/2cA7Ke5IipyeO98qx/oMGJ5iNc:gjlU2cE5OO4DGPiNc
Threatray 1'608 similar samples on MalwareBazaar
TLSH F6157DAC325035DEC467C6BACAA8AD74E6613C6A431B8107909709DFAE0DB97DF105F3
Reporter abuse_ch
Tags:ArkeiStealer exe


Avatar
abuse_ch
ArkeiStealer C2:
http://lizzard.ac.ug/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://lizzard.ac.ug/ https://threatfox.abuse.ch/ioc/156358/

Intelligence

File Origin
# of uploads :
2
# of downloads :
147
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
1f07b4740e8435347ad7dbd456838bd3.exe
Verdict:
Malicious activity
Analysis date:
2021-06-30 14:05:04 UTC
Tags:
loader trojan stealer raccoon rat azorult vidar remcos
Link:
https://app.any.run/tasks/ee1cfaff-fd0e-4941-83e3-aed8f92927b3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.897.31417.8543.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8e773c66-31a2-489a-a9fe-5288a6eadeda
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/810014
Signature
.NET source code contains very large strings
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected AntiVM3
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9674cfd1a6f04f7dc3b21ca60fb7896888d676ac51029586684915f14f12f19c/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-06-30 14:02:12 UTC
File Type:
PE (.Net Exe)
Extracted files:
18
AV detection:
15 of 29 (51.72%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=sz2m7ung6bhx3q5sdsta7n4jncenm5vmkebjlbtijek7ctys6goa._file
Verdict:
malicious
Similar samples:
033dd7d02172855d2e61e1dcfae24bdeb9136310503e06bf7079ef78db9422ae
ArkeiStealer
0c38c10261c2ae14822b19d1ebc54ad4ab417961b5f324716bb85a2038e3bb15
ArkeiStealer
1553300557f17e7cb62c914616267bc733854b98a0edc5215d901cc4f8e4d0f0
ArkeiStealer
2df27f1a3505dbd0995188d49c253f5bc53c0e994954c4143da6d13efbba126e
ArkeiStealer
682be0853ccd6f60deb69d27941a628758c4e13e7d2e6ee95a95f415f3a9f0c6
ArkeiStealer
c09ced50c5dacaf28676dfaa0abff8f4b53fb4516c93fa5acd000e481841dd7b
ArkeiStealer
d1621aa8dd1273a4b6e4f3e6b83188044af80c6ffe9aba2e7e191f159ce9b1eb
ArkeiStealer
d9c89af034828ce3d6d812fcbddfb90e7fa3180f3fdf1b5673ad808437f80dae
ArkeiStealer
ed9d96725b88ce0a3caee6d98c11369fb84a1d7eca3847db66abe63c49955f73
ArkeiStealer
f09dc0b3275b4c1e3a616911805011c2871af1407599493dc980b6987cb313eb
ArkeiStealer
+ 1'598 additional samples on MalwareBazaar
Result
Malware family:
oski
Create hunting rule
Score:
  10/10
Tags:
family:oski discovery infostealer spyware stealer
Link:
https://tria.ge/reports/210630-3r6bkwzate/
Behaviour
Checks processor information in registry
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Oski
Malware Config
C2 Extraction:
lizzard.ac.ug
Unpacked files
SH256 hash:
2b7792707d40b51f35a93fb6cefc9388737e21a4899e30d2e1e088aebfb39fc1
MD5 hash:
d6081d7d34ef0b6b32376b3721764984
SHA1 hash:
f8b35600572a4b64d8b86fd64b9ebaa69cbbbd31
Link:
https://www.unpac.me/results/0fe1aa98-2126-4384-9b62-6079c9a1732f/
SH256 hash:
5bede9eedf6ae6df5a9d587c116c9583b31474c159c2b53486b000093cb3fde6
MD5 hash:
072eeac61b35d3f09edee4ff4f80f52d
SHA1 hash:
696fd9905a47e526470c2e234fef32f1ec1b74ad
Link:
https://www.unpac.me/results/0fe1aa98-2126-4384-9b62-6079c9a1732f/
SH256 hash:
5d141a7803ec98c06fa6fe60f23b86931c0af0ed0b756e7c7015b4a85c5a2307
MD5 hash:
27e120c1c818f5e36bd7eb083185dbfa
SHA1 hash:
5996544799cf208c85b8da4d6b78b79a8c6eb80c
Detections:
win_oski_g0
Create hunting rule
win_oski_auto
Create hunting rule
Link:
https://www.unpac.me/results/0fe1aa98-2126-4384-9b62-6079c9a1732f/
SH256 hash:
9674cfd1a6f04f7dc3b21ca60fb7896888d676ac51029586684915f14f12f19c
MD5 hash:
995bf66e1305d116167f598cffb872a9
SHA1 hash:
99f94e02d30fe0f3d8a67802fcea9883d6f6de9e
Link:
https://www.unpac.me/results/0fe1aa98-2126-4384-9b62-6079c9a1732f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9674cfd1a6f04f7dc3b21ca60fb7896888d676ac51029586684915f14f12f19c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ArkeiStealer

Executable exe 9674cfd1a6f04f7dc3b21ca60fb7896888d676ac51029586684915f14f12f19c

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1414037/
  
Delivery method
Distributed via web download

Comments