MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aaa77ce4b5341185c016e9cc4f28c16b5e3f8e544f3dff6a66e33718c2775088. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: aaa77ce4b5341185c016e9cc4f28c16b5e3f8e544f3dff6a66e33718c2775088
SHA3-384 hash: ff362b7cb81da7d58e40da109aa2daa2af9c6cf99720acc7ff58d7374fa9f1d0f6b6e97d6716f3e11032172c9dc98d33
SHA1 hash: 2a44cf9be75066de3053fa8fa7003c49a3d88afa
MD5 hash: fd959a8b07081ca2b2724265399e6479
humanhash: magnesium-emma-helium-sink
File name:fd959a8b07081ca2b2724265399e6479
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:557'568 bytes
First seen:2022-03-16 17:33:10 UTC
Last seen:2022-03-16 19:55:23 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash a31761b5a590c4c499d5f4a347d75c12 (23 x Formbook, 17 x AgentTesla, 6 x RedLineStealer)
ssdeep 12288:Ln/zjvGHAykHJRLW/4+8bzbBSreM3yqZGDx:Dz7GHAzH7jX1BFx
Threatray 100 similar samples on MalwareBazaar
TLSH T14FC48E57F7CBF6F0E6BE827A86B1891D52B774520270A78F664072896D23382453DB0F
Reporter zbetcheckin
Tags:ArkeiStealer exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
218
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
zSPECIFICATION_16_03_202264.xll
Verdict:
Malicious activity
Analysis date:
2022-03-16 15:11:13 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/eba548a5-bff6-49c2-aab7-05f8dacc7834

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/251528/
Detection(s):
SecuriteInfo.com.Trojan.DownloaderNET.350.28163.2272.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/9481/overview
Behaviour
MalwareBazaar
MeasuringTime
CPUID_Instruction
EvasionQueryPerformanceCounter
CheckCmdLine
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed packed
Link:
https://www.filescan.io/uploads/62321f91dfdfa8501caad837/reports/28dc384f-470c-4fc9-889f-f60c486af146/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/0e6cac05-c184-41a1-bdf6-5b97126e46f4
Result
Threat name:
Quasar Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/958204
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Contains functionality to detect sleep reduction / modifications
DLL side loading technique detected
Document exploit detected (process start blacklist hit)
Found evasive API chain (may stop execution after checking computer name)
Found evasive API chain (may stop execution after checking locale)
Found evasive API chain (may stop execution after checking mutex)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected Quasar RAT
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 590685 Sample: S2n6ZOXcrS Startdate: 16/03/2022 Architecture: WINDOWS Score: 100 46 transfer.sh 2->46 48 tools.keycdn.com 2->48 50 2 other IPs or domains 2->50 62 Found malware configuration 2->62 64 Malicious sample detected (through community Yara rule) 2->64 66 Antivirus / Scanner detection for submitted sample 2->66 68 9 other signatures 2->68 10 cmd.exe 4 2 2->10         started        signatures3 process4 process5 12 EXCEL.EXE 237 56 10->12         started        16 conhost.exe 10->16         started        dnsIp6 54 transfer.sh 144.76.136.153, 443, 49724, 49737 HETZNER-ASDE Germany 12->54 82 Writes to foreign memory regions 12->82 84 Injects a PE file into a foreign processes 12->84 18 aspnet_regbrowsers.exe 94 12->18         started        signatures7 process8 dnsIp9 52 93.174.93.178, 49739, 49743, 80 INT-NETWORKSC Netherlands 18->52 38 C:\Users\user\AppData\Roaming\Winquas.exe, PE32 18->38 dropped 40 C:\ProgramData\nss3.dll, PE32 18->40 dropped 42 C:\ProgramData\mozglue.dll, PE32 18->42 dropped 44 7 other files (2 malicious) 18->44 dropped 70 Found evasive API chain (may stop execution after checking mutex) 18->70 72 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 18->72 74 Found evasive API chain (may stop execution after checking computer name) 18->74 76 5 other signatures 18->76 23 Winquas.exe 15 4 18->23         started        26 cmd.exe 1 18->26         started        file10 signatures11 process12 signatures13 78 Writes to foreign memory regions 23->78 80 Injects a PE file into a foreign processes 23->80 28 aspnet_regbrowsers.exe 14 8 23->28         started        32 conhost.exe 23->32         started        34 conhost.exe 26->34         started        36 timeout.exe 1 26->36         started        process14 dnsIp15 56 212.192.241.35, 3360, 49760 RAPMSB-ASRU Russian Federation 28->56 58 tools.keycdn.com 185.172.148.96, 443, 49763 PROINITYPROINITYDE Germany 28->58 60 2 other IPs or domains 28->60 86 Hides that the sample has been downloaded from the Internet (zone.identifier) 28->86 88 Installs a global keyboard hook 28->88 signatures16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/aaa77ce4b5341185c016e9cc4f28c16b5e3f8e544f3dff6a66e33718c2775088/
Threat name:
ByteCode-MSIL.Trojan.ExcelAddin
Create hunting rule
Status:
Malicious
First seen:
2022-03-16 17:34:13 UTC
File Type:
PE+ (Dll)
Extracted files:
3
AV detection:
15 of 27 (55.56%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
0826127414e576d46c0accdc05df229fc1109b5b88e49e899fa4aee289dc4556
ArkeiStealer
0838b673be73014ff6e29d784247ad3b44a794dd2134301bb25c8dd0a3f5b0ae
ArkeiStealer
68315f9b95450e287e19be6f014114f36aa6fd98eef733e839efe670f302fced
ArkeiStealer
93eaa02e5c7c465410e6981da4b4ea3ebd730b8016932d328022da0e8091e763
ArkeiStealer
ade73b7033e024443c9ebffc25a424d3a1fc4e67c674fcd585e9d5d5d2c774a0
ArkeiStealer
b1b5046988f030694c9e4a29e8b61990ac1e4da7a98f0c1fdb3906a60bcbcba0
ArkeiStealer
b73f062242ecaf86430950a2990dd69bc5080cfea2a1012efc7436d4a7a3a346
ArkeiStealer
c7ecbd646727c85760706a61c2283909c13cb5cd80f51f3ce5af83ed438d293d
ArkeiStealer
c939ce949377b0bda7de743d59d8495fe403f35dac0bce0cf4972bf1c42484a3
ArkeiStealer
cdac614b0ddd13a7de4b73ae76b8d351b63114677c1d40c70bf0d921ff1f6861
ArkeiStealer
+ 90 additional samples on MalwareBazaar
Result
Malware family:
arkei
Create hunting rule
Score:
  10/10
Tags:
family:arkei botnet:default stealer
Link:
https://tria.ge/reports/220316-v5fe1adfhn/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Loads dropped DLL
Arkei
Process spawned unexpected child process
Unpacked files
SH256 hash:
aaa77ce4b5341185c016e9cc4f28c16b5e3f8e544f3dff6a66e33718c2775088
MD5 hash:
fd959a8b07081ca2b2724265399e6479
SHA1 hash:
2a44cf9be75066de3053fa8fa7003c49a3d88afa
Link:
https://www.unpac.me/results/f0b70d10-8873-45b6-b7dd-b90789c132b0/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/aaa77ce4b5341185c016e9cc4f28c16b5e3f8e544f3dff6a66e33718c2775088

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ArkeiStealer

Executable exe aaa77ce4b5341185c016e9cc4f28c16b5e3f8e544f3dff6a66e33718c2775088

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2100457/
Cape
Cape
https://www.capesandbox.com/analysis/251528/

Comments


Avatar
zbet commented on 2022-03-16 17:33:12 UTC

url : hxxps://educaplus-zg.com/file-share/zSPECIFICATION_16_03_202264.xll