MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b613c9686eea10258065a525f14e4483b8625aa16e52b9ccc93767204c32ed54. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 11


Intelligence 11 IOCs 1 YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b613c9686eea10258065a525f14e4483b8625aa16e52b9ccc93767204c32ed54
SHA3-384 hash: 863e46537f226380a7a3ba83bad3cfcbc049722ee630ecd5636a8f8fce7a42d511be912556cf2a9d0be9a285dd82d442
SHA1 hash: b5da07255e0a2ce5efbf75e6e32f8ef913089b40
MD5 hash: 03fd9b58f2ef13e396d782cd746c9a0b
humanhash: quebec-butter-item-low
File name:b613c9686eea10258065a525f14e4483b8625aa16e52b.exe
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:791'040 bytes
First seen:2021-03-30 11:35:48 UTC
Last seen:2021-03-30 13:09:58 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:KP0OYgc6Npkj1TNNQXVMk2BZVmdVaWw1LK0gLLz4r1YQNT0X715hk4Yeh:WVvDaDxpbiVa3LpgLLzASQN0NY4
Threatray 885 similar samples on MalwareBazaar
TLSH 63F402E13988DF99E6685BFB5051140087F8E7E21153CB4C8DC9F8DB246AF8C4ED2A97
Reporter abuse_ch
Tags:ArkeiStealer exe


Avatar
abuse_ch
ArkeiStealer C2:
http://nmorbertomo.ac.ug/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://nmorbertomo.ac.ug/ https://threatfox.abuse.ch/ioc/6038/

Intelligence

File Origin
# of uploads :
2
# of downloads :
115
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
b57244a20b1130978e1f49045ae571a6.exe
Verdict:
Malicious activity
Analysis date:
2021-03-30 11:24:30 UTC
Tags:
loader trojan stealer raccoon rat azorult remcos vidar
Link:
https://app.any.run/tasks/a3a62146-bb14-4537-b38f-a21f617922fb

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Vidar
Create hunting rule
Link:
https://www.capesandbox.com/analysis/127977/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.601.11423.14502.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
DNS request
Deleting a recently created file
Reading critical registry keys
Replacing files
Running batch commands
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Searching for the window
Connection attempt to an infection source
Stealing user critical data
Launching a tool to kill processes
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/658284
Signature
.NET source code contains potential unpacker
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected AntiVM3
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b613c9686eea10258065a525f14e4483b8625aa16e52b9ccc93767204c32ed54/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-03-30 11:36:12 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=wyj4s2do5iicladfuus7ctseqo4gewvbnzjlttgjg5tsatbs5vka._file
Verdict:
unknown
Similar samples:
033dd7d02172855d2e61e1dcfae24bdeb9136310503e06bf7079ef78db9422ae
ArkeiStealer
16e587a78c6af7a68db2eee80ac40ccec784aeb261cfa7bab04c54608dc96324
ArkeiStealer
1d117728ec260d80f6c6a347c4c32c965c69ff10bd4f08444fc70e82eebb1094
ArkeiStealer
7a7f8f5b41981d22a64654a713d5dfdfbe6cb5e0778364a594fbaee25efc5425
ArkeiStealer
7dd09a71615dc2a60ba9dd906aebcff010f8442f4db392e4feb88baa01f8c999
ArkeiStealer
b7b5a82b1c9b3c2ffeedcc57b2bef35f61c7e93ec2d5ae784f667e4d8d534009
ArkeiStealer
cb581d356a20e0845006197aed2cc99463a9759f3f8c6a6d0783a553c88fda1b
ArkeiStealer
ce4c9d123144cb01aaa09ecfc34a21b6808c8d891fdd777e3bc8736fc3d877ca
ArkeiStealer
d2c1530870532abdf2123652c9f97dc9de79dc8aabbb8cfd185b1011d6cdbb01
ArkeiStealer
ff22d13021f2bd9af9ec6f70782562460c5ea710e1fbbaa50ba997294c506a7e
ArkeiStealer
+ 875 additional samples on MalwareBazaar
Result
Malware family:
oski
Create hunting rule
Score:
  10/10
Tags:
family:oski discovery infostealer spyware stealer
Link:
https://tria.ge/reports/210330-xyex5wqvhe/
Behaviour
Checks processor information in registry
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Oski
Unpacked files
SH256 hash:
73c12ffb929d97b7dc246a422ffd125a1a9a9e6a0f605660803fb8d75c927bdc
MD5 hash:
fd3bdc5d77f08f19efb6e1af507611e1
SHA1 hash:
c6745c40fc35cb36d2c70ca90a098bd7d62d91aa
Link:
https://www.unpac.me/results/c7f96087-588b-48be-9308-b26c21a33af6/
SH256 hash:
1c09153f479de8beee65749951208779634bb52dccadabd7842f2f8709d1cf2c
MD5 hash:
2ae222d174ffee5fdbf32e44aa41adb7
SHA1 hash:
5af1ced696f87be9e28f96102ceb4ddcfd8fc4e4
Detections:
win_oski_g0
Create hunting rule
win_oski_auto
Create hunting rule
Link:
https://www.unpac.me/results/c7f96087-588b-48be-9308-b26c21a33af6/
SH256 hash:
fdccaed76f7279e6b8cc1579dadeed03fa1b8d1adcdfbcac585a68da168366d5
MD5 hash:
8b603b23caf00139206f293eb741a9f0
SHA1 hash:
1cc90aec7ce07b13930fe0c088fe3cd155b3ea07
Link:
https://www.unpac.me/results/c7f96087-588b-48be-9308-b26c21a33af6/
SH256 hash:
b613c9686eea10258065a525f14e4483b8625aa16e52b9ccc93767204c32ed54
MD5 hash:
03fd9b58f2ef13e396d782cd746c9a0b
SHA1 hash:
b5da07255e0a2ce5efbf75e6e32f8ef913089b40
Link:
https://www.unpac.me/results/c7f96087-588b-48be-9308-b26c21a33af6/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b613c9686eea10258065a525f14e4483b8625aa16e52b9ccc93767204c32ed54

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_Vidar
Create hunting rule
Author:ditekSHen
Description:Detects Vidar infostealer variants
Rule name:Vidar
Create hunting rule
Author:kevoreilly
Description:Vidar Payload
Rule name:win_oski_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_oski_g0
Create hunting rule
Author:Slavo Greminger, SWITCH-CERT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ArkeiStealer

Executable exe b613c9686eea10258065a525f14e4483b8625aa16e52b9ccc93767204c32ed54

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/127977/
  
URLhaus
https://urlhaus.abuse.ch/url/1099282/
  
Delivery method
Distributed via web download

Comments