MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ec855bf0f35b2f38db047587591d3963f2836dfb73c4894590df75378ed7ebfa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ArkeiStealer
Vendor detections: 7

SHA256 hash: ec855bf0f35b2f38db047587591d3963f2836dfb73c4894590df75378ed7ebfa
SHA3-384 hash: 4bb2cb95d2e4282f8731a9fff72098a585064237ae41d06adfaad1e8e25525de0c2834ff08a52b33d21e82d6d6ab25ce
SHA1 hash: ca4934b430604832fbcd9e3e8c63195ba617eff5
MD5 hash: fc8524499f41643040871881b13b0ef0
humanhash: louisiana-diet-nineteen-finch
File name: ec855bf0f35b2f38db047587591d3963f2836dfb73c4894590df75378ed7ebfa
Signature: ArkeiStealer
File size: 1'448'032 bytes
First seen: 2020-10-19 09:54:35 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 94245201e5cc00b98dade674c50dde7b (1 x ArkeiStealer, 1 x ModiLoader)
ssdeep: 24576:WlrqrC+mzbCITax5oVgB9cRgA8cysAGVeoXHjB43+yliR3tI8X90vCzn2lcoV80H:AoCB2F06GRgA8cywVecDd+8XHSCoGZE3
Threatray: 248 similar samples on MalwareBazaar
TLSH: 5B652301F2E08576E0F3093548966F548B719F935394C1EBBB2C3B4A8B73AE15E3D2A1
Reporter: JAMESWT_WT
Tags: ArkeiStealer, Incar LLC

Code Signing Certificate

Organisation: AAA Certificate Services
Issuer: AAA Certificate Services
Algorithm: sha1WithRSAEncryption
Valid from: Jan 1 00:00:00 2004 GMT
Valid to: Dec 31 23:59:59 2028 GMT
Serial number: 01
Intelligence: 370 malware samples on MalwareBazaar are signed with this code signing certificate
Cert Central Blocklist: This certificate is on the Cert Central blocklist
Thumbprint Algorithm: SHA256
Thumbprint: D7A7A0FB5D7E2731D771E9484EBCDEF71D5F0C3E0A2948782BC83EE0EA699EF4
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence


File Origin
# of uploads: 1
# of downloads: 86
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Sending a UDP request
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Launching a process
DNS request
Delayed writing of the file
Creating a process from a recently created file
Deleting a recently created file
Creating a file
Result
Threat name: Unknown
Detection: malicious
Classification: troj.spyw.evad
Score: 51 / 100
Signature
Contains functionality to register a low level keyboard hook
Drops PE files with a suspicious file extension
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Certutil Command
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Behaviour
Behavior Graph (ID: 300038; sample: lu4v9KhB5l; start date: 19/10/2020; architecture: WINDOWS; score: 51). Process tree and signatures recovered from the rendered graph:
  Sample-level signatures: Multi AV Scanner detection for submitted file; Uses ping.exe to sleep; Uses ping.exe to check the status of other devices and networks; Sigma detected: Suspicious Certutil Command
  lu4v9KhB5l.exe (started) - signature: Contains functionality to register a low level keyboard hook
    cmd.exe (started, three instances; one flagged: Drops PE files with a suspicious file extension)
      conhost.exe (started, one per cmd.exe instance)
      cmd.exe (started, child of the first cmd.exe) - signature: Uses ping.exe to sleep
        dropped file: C:\Users\user\AppData\Local\...\explorer.com, PE32
        explorer.com (started)
          explorer.com (started)
            DNS/IP: LzFSJwCCNVbKPmIOxE.LzFSJwCCNVbKPmIOxE
        PING.EXE (started) - DNS/IP: 127.0.0.1 unknown unknown
        PING.EXE (started) - DNS/IP: hdrPZ.aDoWd
        certutil.exe (started)
Threat name: Win32.Trojan.Alien
Status: Malicious
First seen: 2020-10-15 17:20:13 UTC
File Type: PE (Exe)
Extracted files: 8
AV detection: 19 of 28 (67.86%)
Threat level: 5/5

Result
Malware family: n/a
Score: 9/10
Tags: spyware, stealer, discovery
Behaviour
Checks processor information in registry
Kills process with taskkill
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
JavaScript code in executable
Looks up external IP address via web service
Deletes itself
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
ServiceHost packer
Unpacked files
SHA256 hash: ec855bf0f35b2f38db047587591d3963f2836dfb73c4894590df75378ed7ebfa
MD5 hash: fc8524499f41643040871881b13b0ef0
SHA1 hash: ca4934b430604832fbcd9e3e8c63195ba617eff5
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments