MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cb581d356a20e0845006197aed2cc99463a9759f3f8c6a6d0783a553c88fda1b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cb581d356a20e0845006197aed2cc99463a9759f3f8c6a6d0783a553c88fda1b
SHA3-384 hash: 331bbb68749205bea841bbcda4fdc2fe12e86cd159c73d3c59e0f6f338d86637443aed5d73f50ae596c482376c87be33
SHA1 hash: 286cac8b2e883239ae1515dc4ab1e35b9ac38d31
MD5 hash: 0c0166dba45d03d2b7907707fa7dcdaa
humanhash: muppet-oven-mountain-white
File name:SecuriteInfo.com.Trojan.InjectNET.14.28056.21207
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:694'272 bytes
First seen:2020-12-23 22:33:28 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:eLoyoO3m4icjNNdb+mkd+/pa+c6OcM+05ZyqEYEzHNgE5peoX2L:XkaKVKmk2w+c6VMTZyvj1peoX2
Threatray 559 similar samples on MalwareBazaar
TLSH E8E47C5491E0475AC0FF9FFD8BC62A02DFA0590A8D21DE9A285543DF4AA5B83FD31B07
Reporter SecuriteInfoCom
Tags:ArkeiStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
869
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Trojan.InjectNET.14.28056.21207
Verdict:
Malicious activity
Analysis date:
2020-12-23 22:35:20 UTC
Tags:
trojan stealer vidar loader
Link:
https://app.any.run/tasks/2b49c831-e009-4799-92f5-a3c0b847b891

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/109245/
Detection(s):
SecuriteInfo.com.Trojan.InjectNET.14.28056.21207.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Using the Windows Management Instrumentation requests
Searching for the window
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
DNS request
Connection attempt
Deleting a recently created file
Reading critical registry keys
Replacing files
Running batch commands
Creating a process with a hidden window
Stealing user critical data
Launching a tool to kill processes
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/569473
Signature
.NET source code contains potential unpacker
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected AntiVM_3
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cb581d356a20e0845006197aed2cc99463a9759f3f8c6a6d0783a553c88fda1b/
Threat name:
ByteCode-MSIL.Trojan.Tnega
Create hunting rule
Status:
Malicious
First seen:
2020-12-23 19:41:55 UTC
AV detection:
19 of 28 (67.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=znmb2nlkedqiiuagdf5o2lgjsrr2s5m7h6ggu3ihqosvhsep3inq._file
Verdict:
malicious
Similar samples:
033dd7d02172855d2e61e1dcfae24bdeb9136310503e06bf7079ef78db9422ae
ArkeiStealer
344626f3e7a485750075e885b65757b02b336698cb35a31cda60e3ffac22f523
ArkeiStealer
3e9f05acde528ea5fd7ca9d0c2af0e82d29e343d2f61420290e6f660630cd25f
ArkeiStealer
50cae11649a917039a3fadf933dcf5d724ce0db6fbe4d29cb0aa590896849ca6
ArkeiStealer
61198dcb525d78061585053ddc30e99ca70842899622e333eb64d3b68ee7a167
ArkeiStealer
7294bdc3333d08ac9c2397b3555c0126928c13600b23de09f21841cfee83f55a
ArkeiStealer
7dd09a71615dc2a60ba9dd906aebcff010f8442f4db392e4feb88baa01f8c999
ArkeiStealer
ac8a0b325adca9cc88fc6ee32c912024adfe5228024712e1c757183c51260d16
ArkeiStealer
bad1feef0055835db4f894b4885b48d596788458bc9095d4c0af9ec36a97077d
ArkeiStealer
ce4c9d123144cb01aaa09ecfc34a21b6808c8d891fdd777e3bc8736fc3d877ca
ArkeiStealer
+ 549 additional samples on MalwareBazaar
Result
Malware family:
oski
Create hunting rule
Score:
  10/10
Tags:
family:oski discovery infostealer spyware
Link:
https://tria.ge/reports/201223-s7qzgcrgfx/
Behaviour
Checks processor information in registry
Kills process with taskkill
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
JavaScript code in executable
Loads dropped DLL
Reads user/profile data of web browsers
Oski
Unpacked files
SH256 hash:
cb581d356a20e0845006197aed2cc99463a9759f3f8c6a6d0783a553c88fda1b
MD5 hash:
0c0166dba45d03d2b7907707fa7dcdaa
SHA1 hash:
286cac8b2e883239ae1515dc4ab1e35b9ac38d31
Link:
https://www.unpac.me/results/b5860714-7d3f-41b5-be8a-374a914a470e/
SH256 hash:
938a1bea667530de24c2bd02e4a9abc15af43f88c3bd943550d9eb1a7cfac848
MD5 hash:
b1a17c95114bdb8c18cb0a291ee1b332
SHA1 hash:
9024e3d7cd027db6053a633d21f7ad106327f8c1
Link:
https://www.unpac.me/results/b5860714-7d3f-41b5-be8a-374a914a470e/
SH256 hash:
e83cef9cfa4e2ea30e28843e43c60ebf8f6590fb753ad0aa5ed1123c01280527
MD5 hash:
bf99ee5fbf42797bd1ade95b109d634c
SHA1 hash:
e02abfdbca94a24a36b47d49a28360b79aabd294
Link:
https://www.unpac.me/results/b5860714-7d3f-41b5-be8a-374a914a470e/
SH256 hash:
68c831b57dea0849efdf289fa12887d24fde83893c9e7c7bb49b675226da9ec1
MD5 hash:
9ad9e846c87433cf8f76f62ef8629b26
SHA1 hash:
ec0e34ebc7f3a7a7874dbcd88ad699f85d7404b5
Detections:
win_oski_g0
Create hunting rule
win_oski_auto
Create hunting rule
Link:
https://www.unpac.me/results/b5860714-7d3f-41b5-be8a-374a914a470e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cb581d356a20e0845006197aed2cc99463a9759f3f8c6a6d0783a553c88fda1b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_oski_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_oski_g0
Create hunting rule
Author:Slavo Greminger, SWITCH-CERT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ArkeiStealer

Executable exe cb581d356a20e0845006197aed2cc99463a9759f3f8c6a6d0783a553c88fda1b

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/109245/
  
URLhaus
https://urlhaus.abuse.ch/url/941180/
  
Delivery method
Distributed via web download

Comments