MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a738551436373cba8cfb85daf742426c8374a6c2384035c7c64a71d039308df0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a738551436373cba8cfb85daf742426c8374a6c2384035c7c64a71d039308df0
SHA3-384 hash: afeb3cddf6cdce89a60828fc0a2a030b3f5141aac11e93bb4d2f7805404d7a18effaa8af8fb865ba4c5c0844a5b6877d
SHA1 hash: 6cfd0843ba42da50da70dac89edbe64d23bb39d5
MD5 hash: c6e51e3d376e1938fe99d49ecb9cc323
humanhash: happy-princess-bluebird-happy
File name:request for quotation and new samples #605969785 06984379.exe
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:770'048 bytes
First seen:2020-07-20 07:39:28 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 18a43731c1a43c753678447dff595c1f (1 x RemcosRAT, 1 x ArkeiStealer)
ssdeep 12288:3Iuaa0wBITmgCbeRW0dXHphyMGhz46yuB1QXpvcWxEn1E3:4A0DmgCQJXjAc2F1E3
Threatray 330 similar samples on MalwareBazaar
TLSH 1AF4B032F2A24837C1A316399C2F5778582ABF513E28698A5BF83D5C9F393813D1D187
Reporter abuse_ch
Tags:ArkeiStealer exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: 195.133.196
Sending IP: 195.133.196.9
From: ChimateK Global <z1@voltacapital.org>
Reply-To: info.chimatek@gmail.com
Subject: REQUEST FOR QUOTATION
Attachment: request for quotation and new samples 605969785 06984379.gz (contains "request for quotation and new samples #605969785 06984379.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
78
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/28568/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file in the %temp% subdirectories
Reading critical registry keys
Creating a file
Deleting a recently created file
Reading Telegram data
Running batch commands
Creating a process with a hidden window
Launching a process
Sending a TCP request to an infection source
Stealing user critical data
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.spyw.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/390977
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 247609 Sample: request for quotation and n... Startdate: 20/07/2020 Architecture: WINDOWS Score: 96 75 Multi AV Scanner detection for submitted file 2->75 77 Downloads files with wrong headers with respect to MIME Content-Type 2->77 79 Machine Learning detection for sample 2->79 81 4 other signatures 2->81 9 mshta.exe 19 2->9         started        11 mshta.exe 1 2->11         started        13 request for quotation and new samples #605969785 06984379.exe 1 16 2->13         started        process3 dnsIp4 18 Vhbwfck.exe 13 9->18         started        22 Vhbwfck.exe 11->22         started        73 cdn.discordapp.com 162.159.130.233, 443, 49717, 49725 CLOUDFLARENETUS United States 13->73 51 C:\Users\user\AppData\Local\...\Vhbwfck.exe, PE32 13->51 dropped 95 Injects a PE file into a foreign processes 13->95 24 request for quotation and new samples #605969785 06984379.exe 197 13->24         started        file5 signatures6 process7 dnsIp8 61 162.159.129.233, 443, 49723 CLOUDFLARENETUS United States 18->61 63 cdn.discordapp.com 18->63 83 Multi AV Scanner detection for dropped file 18->83 85 Machine Learning detection for dropped file 18->85 87 Injects a PE file into a foreign processes 18->87 26 Vhbwfck.exe 18->26         started        65 cdn.discordapp.com 22->65 30 Vhbwfck.exe 22->30         started        67 4llion.com 185.130.215.164, 49720, 49726, 49727 NCONNECT-ASRU Russian Federation 24->67 89 Tries to steal Crypto Currency Wallets 24->89 33 cmd.exe 1 24->33         started        signatures9 process10 dnsIp11 69 4llion.com 26->69 35 cmd.exe 26->35         started        71 4llion.com 30->71 53 C:\ProgramData\vcruntime140.dll, PE32 30->53 dropped 55 C:\ProgramData\sqlite3.dll, PE32 30->55 dropped 57 C:\ProgramData\softokn3.dll, PE32 30->57 dropped 59 4 other files (none is malicious) 30->59 dropped 91 Tries to harvest and steal browser information (history, passwords, etc) 30->91 93 Tries to steal Crypto Currency Wallets 30->93 37 cmd.exe 30->37         started        39 taskkill.exe 1 33->39         started        41 conhost.exe 33->41         started        file12 signatures13 process14 process15 43 conhost.exe 35->43         started        45 taskkill.exe 35->45         started        47 conhost.exe 37->47         started        49 taskkill.exe 37->49         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a738551436373cba8cfb85daf742426c8374a6c2384035c7c64a71d039308df0/
Threat name:
Win32.Trojan.Remcos
Create hunting rule
Status:
Malicious
First seen:
2020-07-20 00:34:00 UTC
AV detection:
33 of 47 (70.21%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=u44fkfbwg46lvdh3qxnpoqscnsbxjjwchbadlr6gjjy5aojqrxya._file
Verdict:
malicious
Similar samples:
033741ca568e4e71a586be960e503415579b0520d2c9ecd298ed03becf406b9c
ArkeiStealer
308c96557c6be5d4519ba4bac38c23e611c7b61683cfc1063a6009e216c24f5e
ArkeiStealer
3b9f555888df6326a6a0c7dd2c2c1c2d78bbb969c1b7d40ea0d0e9679a06bbc5
ArkeiStealer
3e9f05acde528ea5fd7ca9d0c2af0e82d29e343d2f61420290e6f660630cd25f
ArkeiStealer
69fe5bb4b975f9437b6c3bcf3f07dc807a8f2e848f1e0c5802012295b06a742c
ArkeiStealer
8959562f5a87f40b9c3917a98e10d68e2c459c8df9bdd9664f615af6d5b9959e
ArkeiStealer
8bbb8fe69100550248f4663e911a16bca03432bef9112dd0924d7a9c3dae8464
ArkeiStealer
a6a6ff46eafb272d4a37b1f943adde3e1406540277a0a4f1bc18e00e124922bf
ArkeiStealer
b699a2766f106ff77377780bad431b72ef1748bf989e09f2b82fb73cf30cbde3
ArkeiStealer
f09dc0b3275b4c1e3a616911805011c2871af1407599493dc980b6987cb313eb
ArkeiStealer
+ 320 additional samples on MalwareBazaar
Result
Malware family:
oski
Create hunting rule
Score:
  10/10
Tags:
spyware discovery infostealer family:oski persistence
Link:
https://tria.ge/reports/200720-s1tm8s1yrn/
Behaviour
Suspicious use of AdjustPrivilegeToken
Modifies system certificate store
Suspicious use of WriteProcessMemory
Checks processor information in registry
Kills process with taskkill
Suspicious use of SetThreadContext
JavaScript code in executable
Adds Run key to start application
Checks installed software on the system
Accesses cryptocurrency wallets, possible credential harvesting
Loads dropped DLL
Reads user/profile data of web browsers
oski
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Unknown
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a738551436373cba8cfb85daf742426c8374a6c2384035c7c64a71d039308df0

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

ArkeiStealer

zip b9720d70bd7a43597bd67de466fd2144becd27a20124bf193771a181dfd85dc7

ArkeiStealer

Executable exe a738551436373cba8cfb85daf742426c8374a6c2384035c7c64a71d039308df0

(this sample)

  
Dropped by
MD5 36f0d8113997ea2912669ae867822f36
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/28568/
  
Dropped by
SHA256 b9720d70bd7a43597bd67de466fd2144becd27a20124bf193771a181dfd85dc7

Comments