MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b23e0fa0852d359938e58bf1a2a62e636df526b2a95418cbf65d9351045f89cf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ArkeiStealer

Vendor detections: 6

Intelligence 6 IOCs YARA 4 File information Comments

SHA256 hash:	b23e0fa0852d359938e58bf1a2a62e636df526b2a95418cbf65d9351045f89cf
SHA3-384 hash:	b9cb577308cef6549423a245f3dc798b540da446f669ee2917d4ab65e8a3b3d10ec44df1021258d55e28a570f57434cd
SHA1 hash:	ca1649e5adf3370ac20eaeb6ab5b84a8fd52bc4d
MD5 hash:	dca059c7fea13d73c9f090faad08f0ce
humanhash:	coffee-video-carpet-lactose
File name:	b23e0fa0852d359938e58bf1a2a62e636df526b2a95418cbf65d9351045f89cf
Download:	download sample
Signature	ArkeiStealer Create hunting rule
File size:	724'992 bytes
First seen:	2020-11-07 17:39:07 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	44313cdcb31bfa16addfe622cc2cde15 (8 x ArkeiStealer, 2 x RedLineStealer)
ssdeep	12288:kjbMuRxj/xGl1ZKOT/hVbGk6p9K6jr6T:kjbMuRNqjGJ9VCT
Threatray	63 similar samples on MalwareBazaar
TLSH	BEF4F01076A9E5F6C06BC43D0025CA605B7A7C21FB74C98B77902F6E7EB52D02762F4A
Reporter	seifreed
Tags:	ArkeiStealer

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Win.Malware.Generic-9784683-0

Win.Packed.Generickdz-9784859-0

Win.Dropper.Tofsee-9785157-0

Win.Packed.Generickdz-9785340-0

Win.Packed.Generickdz-9785864-0

Win.Malware.Generic-9786159-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching the default Windows debugger (dwwin.exe)

Sending a UDP request

DNS request

Sending a custom TCP request

Sending an HTTP GET request

Creating a file

Reading critical registry keys

Connection attempt

Deleting a recently created file

Delayed writing of the file

Running batch commands

Creating a process with a hidden window

Using the Windows Management Instrumentation requests

Searching for the window

Launching a tool to kill processes

Forced shutdown of a browser

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b23e0fa0852d359938e58bf1a2a62e636df526b2a95418cbf65d9351045f89cf/

Threat name:

Win32.Trojan.Glupteba

Status:

Malicious

First seen:

2020-11-07 17:45:35 UTC

AV detection:

27 of 29 (93.10%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=wi7a7ieffu2zsohfrpy2fjromnw7kjvsvfkbrs7wlwjvcbc7rhhq._file

Verdict:

malicious

ArkeiStealer

273555200dbae170a7fc4f0cd5f7d3c9261c39f24e2d51d123534475d16c0e94

ArkeiStealer

2c9538aaf6058783ac6e7c6676769ba3904a584b0bbc8c475852b11096c3c368

ArkeiStealer

399712e038d1abc2f9df1c4786f75f3778549068262a8e149837338b25779e82

ArkeiStealer

4b96e7d6b0214530843cb34525de5cbeee5bf2abb971f6a268d2c355cdfcc0cd

ArkeiStealer

7dddeb51f2dea719a6c6e70bf30db96e3333713d998b4f8acb31ee5cecfbb912

ArkeiStealer

b912cef6a6c9d7e8f49a06d9178cc7c6d8b68a0e7f8948c3d6892f8e5fd11c74

ArkeiStealer

c9dec8504b18f5b1e418d6a19f757b030391d949d76d6b744144b107b5beddd8

ArkeiStealer

f4221efa93b3ce5d8c92ba911661c246111653dd178bc239349cdfde8b39f7f0

ArkeiStealer

fcac1c6c86cda94817da16feb772744ab591e3d1192955b32b074034ea122bf1

ArkeiStealer

+ 53 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

discovery spyware stealer

Link:

https://tria.ge/reports/201108-t83rjxaapn/

Behaviour

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Program crash

Accesses 2FA software files, possible credential harvesting

Checks installed software on the system

Looks up external IP address via web service

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Embedded_PE Create hunting rule

Rule name:	win_vidar_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

Rule name:	win_vidar_g0 Create hunting rule
Author:	Slavo Greminger, SWITCH-CERT

Rule name:	with_sqlite Create hunting rule
Author:	Julian J. Gonzalez <info@seguridadparatodos.es>
Description:	Rule to detect the presence of SQLite data in raw image
Reference:	http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample