MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d0f04ffd3bcc777fb35f20205e6b8f599a5ac4e9287d321d08190e4cc2dc97c9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d0f04ffd3bcc777fb35f20205e6b8f599a5ac4e9287d321d08190e4cc2dc97c9
SHA3-384 hash: 2ffa4f43567063223bb6ae4f11b5a206836b21a753503d8fae5ee7ea1028c4288c2aa3a4881989bfc01ddd9f32dfdd15
SHA1 hash: 17b78c92202e34b0687490e3f370fa7eee2d7494
MD5 hash: 4ef73929f7196e4ed07808dc78b1f16f
humanhash: july-avocado-nebraska-beer
File name:d0f04ffd3bcc777fb35f20205e6b8f599a5ac4e9287d321d08190e4cc2dc97c9
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:1'615'416 bytes
First seen:2022-05-20 06:53:59 UTC
Last seen:2022-05-20 07:59:22 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b9c3c1592f11f23844ce8b62fe6373ac (7 x RedLineStealer, 1 x Neurevt, 1 x ArkeiStealer)
ssdeep 49152:63C6eYN+R9ftpgs/SIXKx37TUlNeHWgI1:WC6e1vftnSwKxLT4NY2
Threatray 53 similar samples on MalwareBazaar
TLSH T1C57502083DA18D36E4BB92F14E6BD25CA016F9945F38968F06C6B1EC2736A71DC7074B
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon f0dc96868adcf0f0 (2 x lgoogLoader, 1 x ArkeiStealer)
Reporter JAMESWT_WT
Tags:ArkeiStealer exe exxon-com signed

Code Signing Certificate

Organisation:exxon.com
Issuer:GeoTrust RSA CA 2018
Algorithm:sha256WithRSAEncryption
Valid from:2021-12-30T00:00:00Z
Valid to:2022-09-02T23:59:59Z
Serial number: 0a2787fbb4627c91611573e323584113
Intelligence: 18 malware samples on MalwareBazaar are signed with this code signing certificate
MalwareBazaar Blocklist:This certificate is on the MalwareBazaar code signing certificate blocklist (CSCB)
Thumbprint Algorithm:SHA256
Thumbprint: d3bcf5c9d777561902c2ba7fefddb93b2ef516b6ca3519bdfac78ae689dfe494
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
263
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
d0f04ffd3bcc777fb35f20205e6b8f599a5ac4e9287d321d08190e4cc2dc97c9
Verdict:
Malicious activity
Analysis date:
2022-05-20 07:16:49 UTC
Tags:
trojan stealer
Link:
https://app.any.run/tasks/98b1c951-f8e3-4159-8c13-232add38a58f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/272869/
Detection(s):
SecuriteInfo.com.Adware.Plugin.1671.10200.1165.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/19128/overview
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
CheckCmdLine
EvasionGetTickCount
EvasionQueryPerformanceCounter
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware overlay packed
Link:
https://www.filescan.io/uploads/62873b51945ebb7eb170e5d6/reports/e4e5a441-8b22-48e7-bf5d-6208d67bf788/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ce625538-3318-40f0-bfa3-50a709e560fe
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
52 / 100
Link:
https://www.joesandbox.com/analysis/998309
Signature
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d0f04ffd3bcc777fb35f20205e6b8f599a5ac4e9287d321d08190e4cc2dc97c9/
Threat name:
Win32.Trojan.Malgent
Create hunting rule
Status:
Malicious
First seen:
2022-05-16 18:41:01 UTC
File Type:
PE (Exe)
Extracted files:
11
AV detection:
19 of 41 (46.34%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2dye77j3zr3x7m27eaqf424plgnfvrhjfb6tehiidehezqw4s7eq._file
Verdict:
malicious
Similar samples:
166fc895202cb031cba4e9c512b306e72fc1ab046df0fac6222a1724d2029562
ArkeiStealer
1d368cab5447757738b62e47b109e05df74e206884c14572ff5179be1b02d4ef
ArkeiStealer
2b460be5f1a90e3646a9dd03e95752f824adcfe2e2e15a746aa8d4844398f454
ArkeiStealer
4acab2cb128ba9c8a9f91d1f677ec1b6770b265b9d04e9efe3bf979a2327ce1a
ArkeiStealer
74dbb920497b47d6ad0e96b5375723d9bc9534ace5f2260a2d2aaf0411e8894a
ArkeiStealer
7685986b1e5d757916fbb0e878a8668d6ebae4b869e62770307c1bfb07eafdcc
ArkeiStealer
988177454fe3a5ba8fcdf7f3124e2c56f312b776542d3763540c254df6fe6f76
ArkeiStealer
b0a8c058c8b913e2f67b40e4606c5dd913c858854f3dd77f7e82a4066ecc293d
ArkeiStealer
+ 43 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/220520-hn8c8sefe2/
Behaviour
Creates scheduled task(s)
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Executes dropped EXE
Unpacked files
SH256 hash:
adc7c8229003164d315f494b97af92e0cc1fe7da3fb29938fcd9613454ea4925
MD5 hash:
b5ba8360fe589718d63cc107b22da5be
SHA1 hash:
4b3489be10f0021c4b4b6b028e615938956ba052
Link:
https://www.unpac.me/results/11c31e43-1103-4865-81e0-f550dc9b5f16/
SH256 hash:
d0f04ffd3bcc777fb35f20205e6b8f599a5ac4e9287d321d08190e4cc2dc97c9
MD5 hash:
4ef73929f7196e4ed07808dc78b1f16f
SHA1 hash:
17b78c92202e34b0687490e3f370fa7eee2d7494
Link:
https://www.unpac.me/results/11c31e43-1103-4865-81e0-f550dc9b5f16/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d0f04ffd3bcc777fb35f20205e6b8f599a5ac4e9287d321d08190e4cc2dc97c9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:malware_shellcode_hash
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect shellcode api hash value

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/272869/

Comments