MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b0603a89ffbcfd44a535b90ebd1b9303cb896dc83245fa805c7dff8953b1ea2f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b0603a89ffbcfd44a535b90ebd1b9303cb896dc83245fa805c7dff8953b1ea2f
SHA3-384 hash: ce40f22b579a9c11846ec748c6151974acfebcabe9ba91a58062b8feb6f717a658f07d72f387cd97d6abbd9dc16cc960
SHA1 hash: 8ce11a68abce9f9285d3782c211b0eff8bba652a
MD5 hash: 089e70d75a460e3b88a5d58d65ff7216
humanhash: network-bakerloo-vegan-kentucky
File name:089e70d75a460e3b88a5d58d65ff7216
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:491'254 bytes
First seen:2021-11-08 15:35:57 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b76363e9cb88bf9390860da8e50999d2 (464 x Formbook, 184 x AgentTesla, 122 x SnakeKeylogger)
ssdeep 6144:G8LxBUvtB9H1L9ruUCqT/jpO3aiwBz2YLOhCrOVreBGyIFO1Z1xYbo5RD:UB9HlRuUJNwtTRc1S0
TLSH T1E3A44893610A075BE2EECBBBD2E38C7071B69F183FC1F59DB2E685211750BDE412A518
File icon (PE):PE icon
dhash icon 84e492dbc9db920e (1 x ArkeiStealer)
Reporter zbetcheckin
Tags:32 ArkeiStealer exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
108
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/203325/
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/618943e7dec33478259fba1c/reports/ca2d577b-aac7-46d1-a9e0-5383636ba91b/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c4c000fd-ebe0-40b9-ba78-87201c018d51
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/885357
Signature
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Self deletion via cmd delete
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 517826 Sample: yTyOQGsm21 Startdate: 08/11/2021 Architecture: WINDOWS Score: 76 31 Multi AV Scanner detection for submitted file 2->31 33 Yara detected Vidar stealer 2->33 35 Machine Learning detection for sample 2->35 8 yTyOQGsm21.exe 17 2->8         started        process3 file4 23 C:\Users\user\AppData\Local\Temp\...\lyqg.dll, PE32 8->23 dropped 37 Self deletion via cmd delete 8->37 39 Injects a PE file into a foreign processes 8->39 12 yTyOQGsm21.exe 1 128 8->12         started        signatures5 process6 dnsIp7 29 185.242.104.143, 49748, 80 FISHNET-ASRU Latvia 12->29 25 C:\Users\user\AppData\...\sqlite3[1].dll, PE32 12->25 dropped 27 C:\ProgramData\sqlite3.dll, PE32 12->27 dropped 41 Self deletion via cmd delete 12->41 43 Tries to harvest and steal browser information (history, passwords, etc) 12->43 45 Tries to steal Crypto Currency Wallets 12->45 17 cmd.exe 1 12->17         started        file8 signatures9 process10 process11 19 conhost.exe 17->19         started        21 timeout.exe 1 17->21         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b0603a89ffbcfd44a535b90ebd1b9303cb896dc83245fa805c7dff8953b1ea2f/
Threat name:
Win32.Backdoor.Zapchast
Create hunting rule
Status:
Malicious
First seen:
2021-11-08 15:36:07 UTC
AV detection:
12 of 28 (42.86%)
Threat level:
  5/5
Result
Malware family:
arkei
Create hunting rule
Score:
  10/10
Tags:
family:arkei botnet:default discovery spyware stealer
Link:
https://tria.ge/reports/211108-s1xglshebl/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Arkei Stealer Payload
Arkei
Malware Config
C2 Extraction:
http://185.242.104.143/LBsx06U4hn.php
Unpacked files
SH256 hash:
b0603a89ffbcfd44a535b90ebd1b9303cb896dc83245fa805c7dff8953b1ea2f
MD5 hash:
089e70d75a460e3b88a5d58d65ff7216
SHA1 hash:
8ce11a68abce9f9285d3782c211b0eff8bba652a
Link:
https://www.unpac.me/results/4c9dee20-3f22-4f49-bafb-85f508ef9e82/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/b0603a89ffbc/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b0603a89ffbcfd44a535b90ebd1b9303cb896dc83245fa805c7dff8953b1ea2f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ArkeiStealer

Executable exe b0603a89ffbcfd44a535b90ebd1b9303cb896dc83245fa805c7dff8953b1ea2f

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1764572/
Cape
Cape
https://www.capesandbox.com/analysis/203325/

Comments


Avatar
zbet commented on 2021-11-08 15:35:58 UTC

url : hxxp://147.124.212.189/files/mar-signature_request.exe