MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ae672a54491d01385af7932cc9524889f6314dd4b4b8b9a846dfa1ffedaa8c61. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



ArkeiStealer


Vendor detections: 12



SHA256 hash: ae672a54491d01385af7932cc9524889f6314dd4b4b8b9a846dfa1ffedaa8c61
SHA3-384 hash: fd431a155463a0efabb506431719134d8c6d6191ed3f8e6cb4df33e88b10f24e5e1ec70d486d5d0109f50419ad0043ca
SHA1 hash: 247a6817bb354c0784f7a112c953646d509bd120
MD5 hash: f6383fce1ab0d6597440259f9a1e9ddc
humanhash: ten-fix-fifteen-july
File name: payment advice.exe
Signature ArkeiStealer
File size: 280'406 bytes
First seen: 2022-05-13 08:20:47 UTC
Last seen: 2022-05-23 11:56:36 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash 61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 427 x GuLoader)
ssdeep 6144:LOtIOQv1dtTRqXIa/lSUwGed2hLzEw6O/qX2bwVvRL:LOLI1dtFqFg712pzn6S62bwhRL
Threatray 4'450 similar samples on MalwareBazaar
TLSH T14C54120052A5D497E4D1E2322E3E57124EFB993F20E8870F2704E7493EAA6A6FD5F705
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter pr0xylife
Tags: ArkeiStealer exe

Intelligence


File Origin
# of uploads :
4
# of downloads :
279
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating a window
Creating a process from a recently created file
DNS request
Creating a file
Reading critical registry keys
Delayed writing of the file
Creating synchronization primitives
Running batch commands
Creating a process with a hidden window
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Unauthorized injection to a recently created process
Stealing user critical data
Launching a tool to kill processes
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control.exe formbook overlay packed shell32.dll vobfus
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Oski Stealer
Verdict:
Malicious
Result
Threat name:
Oski Stealer, Vidar
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Downloads files with wrong headers with respect to MIME Content-Type
Executable has a suspicious name (potential lure to open the executable)
Found evasive API chain (may stop execution after checking locale)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Posts data to a JPG file (protocol mismatch)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Oski Stealer
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Behavior Graph ID: 625916
Sample: payment advice.exe
Start date: 13/05/2022
Architecture: WINDOWS
Score: 100
Top-level signatures: Snort IDS alert for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 11 other signatures
Process tree:
- payment advice.exe (started)
  - dropped: C:\Users\user\AppData\Local\Temp\mhxyp.exe, PE32
  - mhxyp.exe (started)
    - signatures: Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors); Found evasive API chain (may stop execution after checking locale); Injects a PE file into a foreign processes
    - mhxyp.exe (injected instance, started)
      - network: spetralnet2.com 142.4.0.135, ports 49773, 49774, 49777 (UNIFIEDLAYER-AS-1US, United States)
      - dropped: C:\ProgramData\vcruntime140.dll, PE32; C:\ProgramData\sqlite3.dll, PE32; C:\ProgramData\softokn3.dll, PE32; 4 other files (none is malicious)
      - signatures: Tries to harvest and steal browser information (history, passwords, etc); Tries to steal Crypto Currency Wallets
      - cmd.exe (started)
        - taskkill.exe (started)
        - conhost.exe (started)
Threat name:
Win32.Trojan.Jaik
Status:
Malicious
First seen:
2022-05-13 06:43:06 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
23 of 26 (88.46%)
Threat level:
  5/5
Result
Malware family:
Score:
  10/10
Tags:
family:oski discovery infostealer spyware stealer suricata
Behaviour
Checks processor information in registry
Kills process with taskkill
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Oski
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt) M2
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
Malware Config
C2 Extraction:
spetralnet2.com
Unpacked files
SHA256 hash:
ae672a54491d01385af7932cc9524889f6314dd4b4b8b9a846dfa1ffedaa8c61
MD5 hash:
f6383fce1ab0d6597440259f9a1e9ddc
SHA1 hash:
247a6817bb354c0784f7a112c953646d509bd120
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_Vidar
Author:ditekSHen
Description:Detects Vidar / ArkeiStealer
Rule name:Vidar
Author:kevoreilly
Description:Vidar Payload
Rule name:win_oski_auto
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.oski.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments