MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ba4fb2a15fa8baf942cdb9bddc882288290dbb6663b701b67e9ae48c85d362cb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 14


Intelligence 14 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ba4fb2a15fa8baf942cdb9bddc882288290dbb6663b701b67e9ae48c85d362cb
SHA3-384 hash: db308efe77535839c4c7886986d3c9cdc0fd31174755759e019f8d61f0d1ef65e0b42c15f062be90dfd80845fbd18317
SHA1 hash: 4ecb96e13a823ecc175c06f97a69e3d0f8b0c545
MD5 hash: 75970ac7e1dc3e2d3fcac6071cda202e
humanhash: gee-lake-nevada-kitten
File name:file
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:1'514'312 bytes
First seen:2022-11-16 19:50:23 UTC
Last seen:2022-11-17 11:24:24 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 310638d36ec921f029e67a7144e7c280 (2 x ArkeiStealer, 2 x Smoke Loader, 2 x LgoogLoader)
ssdeep 24576:Ud7Xgz8pblF63fk0zWMgflIhxj+RrvGIDvBPeBuUcuwf2YT+T1RAovzSjt7nZNn0:UJXNpbj6P5zGfEj8UAzzFxi3iN
Threatray 16'433 similar samples on MalwareBazaar
TLSH T15665BE4995ACBE0BDBD5C7BA84B09380DE93E4564FB8038EFC2B1DD30D506827D26796
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 22968eccc8ccccd5 (1 x ArkeiStealer)
Reporter andretavare5
Tags:ArkeiStealer exe signed

Code Signing Certificate

Organisation:forgiato.com
Issuer:Go Daddy Secure Certificate Authority - G2
Algorithm:sha256WithRSAEncryption
Valid from:2022-07-15T23:39:20Z
Valid to:2023-08-16T23:39:20Z
Serial number: 103ec8d8d08d08a8
Intelligence: 6 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 54ab9f0cb7c9131d310e9b21f334ad9ccb1906ce79104c3076685ff89342f47a
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
andretavare5
Sample downloaded from https://myfileexe.s3.ap-northeast-3.amazonaws.com/PORZulMEjuSt.exe

Intelligence

File Origin
# of uploads :
11
# of downloads :
237
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Suspicious activity
Analysis date:
2022-11-16 19:50:39 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/044e8796-6170-4f55-a42d-9b36497cb65d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/335039/
Detection(s):
SecuriteInfo.com.Variant.Jaik.104121.5377.583.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Variant.Jaik.104121.4462.2677.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
DNS request
Launching a process
Sending a custom TCP request
Sending an HTTP GET request
Creating a file in the %temp% directory
Creating a process from a recently created file
Сreating synchronization primitives
Creating a file
Reading critical registry keys
Running batch commands
Creating a process with a hidden window
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware overlay packed
Link:
https://www.filescan.io/uploads/63753f27f75d59fef0b999f6/reports/725a9fd8-2179-4484-acd6-a5886c911a24/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Mustang Panda
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ff233410-898e-4a9c-a4c9-e3d43b1d2804
Result
Threat name:
Vidar, lgoogLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1115241
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contain functionality to detect virtual machines
Contains functionality to infect the boot sector
Contains functionality to inject code into remote processes
Drops PE files with benign system names
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected lgoogLoader
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 747940 Sample: file.exe Startdate: 16/11/2022 Architecture: WINDOWS Score: 100 45 Malicious sample detected (through community Yara rule) 2->45 47 Multi AV Scanner detection for dropped file 2->47 49 Yara detected lgoogLoader 2->49 51 4 other signatures 2->51 8 file.exe 19 2->8         started        process3 dnsIp4 33 www.imarket-eg.com 8->33 35 4xgz2x1cyfycwtwjvhmkr.nq62oxplbfaxzafxnriy8c3ut 8->35 37 imarket-eg.com 160.153.50.70, 443, 49706, 49707 AS-26496-GO-DADDY-COM-LLCUS United States 8->37 25 C:\Users\user\AppData\Local\...\svchost.exe, PE32 8->25 dropped 27 C:\Users\user\AppData\Local\...\advapi32.dll, PE32 8->27 dropped 29 C:\Users\user\AppData\...\resource[1].bin, PE32 8->29 dropped 31 C:\Users\user\AppData\...\library[1].bin, PE32 8->31 dropped 53 Writes to foreign memory regions 8->53 55 Allocates memory in foreign processes 8->55 57 Drops PE files with benign system names 8->57 59 Injects a PE file into a foreign processes 8->59 13 svchost.exe 17 8->13         started        17 ngentask.exe 8->17         started        file5 signatures6 process7 dnsIp8 39 116.202.3.228, 49709, 80 HETZNER-ASDE Germany 13->39 41 hacexq0nogu8aey7j7mjmuuoez16h9a.pjt6jrec2cva 13->41 43 t.me 149.154.167.99, 443, 49708 TELEGRAMRU United Kingdom 13->43 61 Antivirus detection for dropped file 13->61 63 System process connects to network (likely due to code injection or exploit) 13->63 65 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 13->65 73 3 other signatures 13->73 19 cmd.exe 1 13->19         started        67 Contains functionality to infect the boot sector 17->67 69 Contain functionality to detect virtual machines 17->69 71 Contains functionality to inject code into remote processes 17->71 signatures9 process10 process11 21 conhost.exe 19->21         started        23 timeout.exe 1 19->23         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ba4fb2a15fa8baf942cdb9bddc882288290dbb6663b701b67e9ae48c85d362cb/
Threat name:
Win32.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2022-11-16 19:51:10 UTC
File Type:
PE (Exe)
Extracted files:
27
AV detection:
18 of 26 (69.23%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xjh3fik7vc5psqwnxg65zcbcrauq3o3gmo3qdnt6tlsizbotmlfq._file
Verdict:
malicious
Similar samples:
040aa152e739826874a268f4ffb8be80dd256e7817cdb2c25329d25a5264671e
ArkeiStealer
234c1a6aa873bd2e02df3f7e52cad468e0a017b345994cc22e93a44a4748c2e0
ArkeiStealer
2bc35780b427873d03d777f75b112473d6593fdf7eab195dd75a6ba1ec1daec9
ArkeiStealer
3e38c14c9a27966b7768fa6a61a0bc86b79fdf8f554d232c26d0a13cd8dcdc36
ArkeiStealer
4268c628b2cfcf6700dc00f43a474bd0fa720b43008bc3684631453542523bea
ArkeiStealer
9d5670638fac6e9e5670cd6985894e9b2fcf1fb334973e5e3424fb246f835e11
ArkeiStealer
cf9ec473c74f0c8a122612aac898a544259bca56ed65cf13078671b192d2b18e
ArkeiStealer
e61234a0934d7955c0bafda460b8220f7012958415e05635d61d433a6e0c9006
ArkeiStealer
e8075dd2f74391aabe1a85eeb7282620b5be0236d6d0a23e7474cf033dd1628a
ArkeiStealer
+ 16'423 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:lgoogloader family:vidar botnet:1754 discovery downloader spyware stealer
Link:
https://tria.ge/reports/221116-yks25sgf7w/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Detects LgoogLoader payload
LgoogLoader
Suspicious use of NtCreateUserProcessOtherParentProcess
Vidar
Malware Config
C2 Extraction:
https://t.me/deadftx
https://www.ultimate-guitar.com/u/smbfupkuhrgc1
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/97186705-fdb9-40a3-9eb6-2d3227b9cb14
Unpacked files
SH256 hash:
eafda0b2a8eec96c471fff662935fdef490c6335a3139face0dc81fec676dc05
MD5 hash:
d01d2634dbf0a935daef6024b3fe97ea
SHA1 hash:
44f14b81621ece3d7a70f86a683318413950d51e
Link:
https://www.unpac.me/results/905323fe-f861-424f-997b-437ef4ba8674/
SH256 hash:
ba4fb2a15fa8baf942cdb9bddc882288290dbb6663b701b67e9ae48c85d362cb
MD5 hash:
75970ac7e1dc3e2d3fcac6071cda202e
SHA1 hash:
4ecb96e13a823ecc175c06f97a69e3d0f8b0c545
Link:
https://www.unpac.me/results/905323fe-f861-424f-997b-437ef4ba8674/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ba4fb2a15fa8/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ba4fb2a15fa8baf942cdb9bddc882288290dbb6663b701b67e9ae48c85d362cb

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/335039/
  
URLhaus
https://urlhaus.abuse.ch/url/2417601/

Comments