MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ca5837c6b4cdde0e3ef9942ba308ca19e9b51439048bd0c2fcf5753e1403a517. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 6

SHA256 hash: ca5837c6b4cdde0e3ef9942ba308ca19e9b51439048bd0c2fcf5753e1403a517
SHA3-384 hash: b128443076e7a705d39c6fbb33e37594e3d25302ff624e4a778650ff26cad533ecd882e2ff588946c3581b19f772ac7d
SHA1 hash: b71f9a2ad0bd245ab4d4666f005cd5050f7f2770
MD5 hash: 783597870319e8fc1c818c5f13e28a0d
humanhash: skylark-ack-vermont-uniform
File name: 175397281826.zip
File size: 2'685'679 bytes
First seen: 2022-11-05 11:40:50 UTC
Last seen: Never
File type: zip
MIME type: application/zip
ssdeep: 49152:gCkbPBzS7ULCbGyDboE8wrupidLNDNVeC1T5nY5tHfswXNWoUr3EHDMYCpsmiP7:gpDBzS7UL+G3q5V7y5JB9WBUHIYCpsT7
TLSH: T1F9C533A81E5D82E3A9660F3FD9823E732A89186B92532D4D457131C8048BFBD7D674F3
TrID: 80.0% (.ZIP) ZIP compressed archive (4000/1)
      20.0% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1)
Reporter: Anonymous
Tags: zip


Anonymous
Retrieved from hxxp://95[.]217[.]245[.]254/175397281826.zip

Intelligence

File Origin
# of uploads: 1
# of downloads: 65
Origin country: HU
File Archive Information

This file archive contains 10 file(s), sorted by their relevance:

File name: mozglue.dll
File size: 608'080 bytes
SHA256 hash: ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
MD5 hash: c8fd9be83bc728cc04beffafc2907fe9
MIME type: application/x-dosexec

File name: freebl3.dll
File size: 685'392 bytes
SHA256 hash: edd043f2005dbd5902fc421eabb9472a7266950c5cbaca34e2d590b17d12f5fa
MD5 hash: 550686c0ee48c386dfcb40199bd076ac
MIME type: application/x-dosexec

File name: vcruntime140.dll
File size: 80'880 bytes
SHA256 hash: 8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825
MD5 hash: a37ee36b536409056a86f50e67777dd7
MIME type: application/x-dosexec

File name: nss3.dll
File size: 2'046'288 bytes
SHA256 hash: ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
MD5 hash: 1cc453cdf74f31e4d913ff9c10acdde2
MIME type: application/x-dosexec

File name: sqlite3.dll
File size: 1'106'998 bytes
SHA256 hash: 4841020c8bd06b08fde6e44cbe2e2ab33439e1c8368e936ec5b00dc0584f7260
MD5 hash: 1f44d4d3087c2b202cf9c90ee9d04b0f
MIME type: application/x-dosexec

File name: msvcp140.dll
File size: 450'024 bytes
SHA256 hash: 5136a49a682ac8d7f1ce71b211de8688fce42ed57210af087a8e2dbc8a934062
MD5 hash: 5ff1fca37c466d6723ec67be93b51442
MIME type: application/x-dosexec

File name: softokn3.dll
File size: 257'872 bytes
SHA256 hash: 74ebbac956e519e16923abdc5ab8912098a4f64e38ddcb2eae23969f306afe5a
MD5 hash: 4e52d739c324db8225bd9ab2695f262f
MIME type: application/x-dosexec

File name: 32
File size: 488 bytes
SHA256 hash: fc86b4c01b7de0f81348f47113c710b32bb53053097b9c0b09dd32b57aeff746
MD5 hash: cb588801d051eb8cf137d9e6403f289c
MIME type: text/xml

File name: 64
File size: 435 bytes
SHA256 hash: 0675103f0fb7508d4ac8ce2af2e94924012a4129278270ab6a785790c61ccfc9
MD5 hash: 385e807f870cd0eb6f78b168e9604ed4
MIME type: text/xml

File name: 2
File size: 248 bytes
SHA256 hash: 85b4d563f7bd63022c0ac0d853ddefcaea477797a36f5ed894d3dc4cb97595fd
MD5 hash: aa35bf7a95701647e02ce851116c1de2
MIME type: text/xml
Vendor Threat Intelligence

Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: anti-debug anti-vm overlay spyeye

Result
Verdict: MALICIOUS

Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Threat name: Binary.Trojan.Generic
Status: Suspicious
First seen: 2022-09-12 12:44:11 UTC
File Type: Binary (Archive)
Extracted files: 10
AV detection: 3 of 42 (7.14%)
Threat level: 5/5

Result
Malware family: n/a
Score: 3/10
Tags: n/a
Behaviour: Suspicious use of WriteProcessMemory

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: BitcoinAddress
Author: Didier Stevens (@DidierStevens)
Description: Contains a valid Bitcoin address

Rule name: Check_OutputDebugStringA_iat

Rule name: cobalt_strike_tmp01925d3f
Author: The DFIR Report
Description: files - file ~tmp01925d3f.exe
Reference: https://thedfirreport.com

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset

Rule name: pdb_YARAify
Author: @wowabiy314
Description: PDB

Rule name: PE_Digital_Certificate
Author: albertzsigovits

Rule name: PE_Potentially_Signed_Digital_Certificate
Author: albertzsigovits

Rule name: RansomPyShield_Antiransomware
Author: XiAnzheng
Description: Check for suspicious string and import combinations that ransomware mostly abuses (can create FP)

Rule name: RANSOMWARE
Author: ToroGuitar

Rule name: RIPEMD160_Constants
Author: phoul (@phoul)
Description: Look for RIPEMD-160 constants

Rule name: SHA1_Constants
Author: phoul (@phoul)
Description: Look for SHA1 constants

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for overlay, obfuscating, encrypting, spoofing, hiding, or entropy techniques (can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
zip ca5837c6b4cdde0e3ef9942ba308ca19e9b51439048bd0c2fcf5753e1403a517 (this sample)

Comments