MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 ca40854f746db83bc3afa025914f633178fdef47a8036c75db9d4e770fa7c72d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
ArkeiStealer
Vendor detections: 7
| SHA256 hash: | ca40854f746db83bc3afa025914f633178fdef47a8036c75db9d4e770fa7c72d |
|---|---|
| SHA3-384 hash: | fb648f49e5493dad214bc082417f31cf69147af857324c219ed945bf3cdb8b3fc75f727fecbdd50df094497fc47219c7 |
| SHA1 hash: | 05ce346036d812118fb810f7673c087d09d523f0 |
| MD5 hash: | a975c3b6aab1cc64d124098db4729d75 |
| humanhash: | ten-ink-november-eleven |
| File name: | POZ1809027.bit.gz.zip |
| Download: | download sample |
| Signature | ArkeiStealer |
| File size: | 561'773 bytes |
| First seen: | 2022-05-13 06:31:27 UTC |
| Last seen: | 2022-05-13 10:35:04 UTC |
| File type: | zip |
| MIME type: | application/zip |
| ssdeep | 12288:n8tUrOR5YyldqWkK4vSufu/6a7SqX/Yago63zhfS5AuVtn5vHmBNkzYFm3:n8+U5YylDkh/u/6aZvAo6jhfSKuX5vWs |
| TLSH | T1E0C4232E2CFCB154019F1EE948E37A24801C36AD502DD994D21E2D57A228797EDFBBF0 |
| TrID | 80.0% (.ZIP) ZIP compressed archive (4000/1) 20.0% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1) |
| Reporter |  cocaman |
| Tags: | ArkeiStealer zip |
cocaman
Malicious email (T1566.001)From: "Sudakan Thanapakjittanan <Sudakan.Thanapakjittanan@honghuat.co.vu>" (likely spoofed)
Received: "from 142-4-0-135.unifiedlayer.com (142-4-0-135.unifiedlayer.com [142.4.0.135]) "
Date: "13 May 2022 08:57:56 +0200"
Subject: "PO#1809027"
Attachment: "POZ1809027.bit.gz.zip"
Intelligence
File Origin
# of uploads :
2
# of downloads :
198
Origin country :
n/a
Vendor Threat Intelligence
Verdict:
Suspicious
Threat level:
5/10
Confidence:
100%
Tags:
control.exe obfuscated packed replace.exe
Result
Verdict:
MALICIOUS
Link:
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Threat name:
ByteCode-MSIL.Trojan.ArkeiStealer
Status:
Malicious
First seen:
2022-05-13 06:32:12 UTC
File Type:
Binary (Archive)
Extracted files:
10
AV detection:
19 of 41 (46.34%)
Threat level:
5/5
Detection(s):
Suspicious file
Result
Malware family:
oski
Score:
10/10
Tags:
family:oski discovery infostealer spyware stealer suricata
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks computer location settings
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Oski
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt) M2
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
Malware Config
C2 Extraction:
lettingos.co.vu
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Malspam
exe Delivery method
Distributed via e-mail attachment
Dropping
ArkeiStealer
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.