MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f22bf1d09f5ae3c0c2ed9c67c9e78f57bc5d053c1f4fb87c317644f4e419e60b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 9


Intelligence 9 IOCs 1 YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f22bf1d09f5ae3c0c2ed9c67c9e78f57bc5d053c1f4fb87c317644f4e419e60b
SHA3-384 hash: f6f4f5fcd7c8c2b381ec1014f3d4142eebf4afbe3cf39aceefbf8a20a9f2ad919b7433eefc64e93a1e36b883efe6c91a
SHA1 hash: 75a25eea84621a6968d02dde8caa661152907aa0
MD5 hash: 7f041b63564d7dc0d1dbdbaa9ce26adf
humanhash: california-carpet-four-uniform
File name:7F041B63564D7DC0D1DBDBAA9CE26ADF.exe
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:7'743'056 bytes
First seen:2021-03-26 23:07:16 UTC
Last seen:2021-03-27 00:39:30 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b9b7f18cca2627142fc712d3c650d26e (1 x ArkeiStealer)
ssdeep 196608:DviZNnrrxFixU471KQobRRxVRg6nVKpe9fMB:DKnnXc7IdVIe9kB
Threatray 78 similar samples on MalwareBazaar
TLSH CB76F203A2D61B45F03128FB8D8155F5DC437F0C352BCAC56F95C7AA79A48A22B6C72B
Reporter abuse_ch
Tags:ArkeiStealer exe


Avatar
abuse_ch
ArkeiStealer C2:
http://data.parafia-strumiany.pl/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://data.parafia-strumiany.pl/ https://threatfox.abuse.ch/ioc/5527/

Intelligence

File Origin
# of uploads :
2
# of downloads :
218
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
https://piratesfile.com/cyberlink-powerdirector-crack/
Verdict:
Malicious activity
Analysis date:
2021-03-24 00:39:51 UTC
Tags:
trojan
Link:
https://app.any.run/tasks/e3ce3aef-8f10-4492-b09c-71efba3fdb81

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/127218/
Detection(s):
SecuriteInfo.com.Trojan.DownLoad4.14269.10779.27283.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Launching the default Windows debugger (dwwin.exe)
DNS request
Creating a file in the %temp% directory
Creating a file in the Program Files subdirectories
Creating a process from a recently created file
Creating a service
Launching a service
Sending a TCP request to an infection source
Connection attempt to an infection source
Forced shutdown of a system process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun for a service
Sending an HTTP GET request to an infection source
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2d2e971e-c222-481e-bde4-ff9b5bb9318d
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/655635
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Hijacks the control flow in another process
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file has nameless sections
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 376748 Sample: P4fr8v14dH.exe Startdate: 27/03/2021 Architecture: WINDOWS Score: 64 32 t1.xofinity.com 2->32 44 Multi AV Scanner detection for domain / URL 2->44 46 Antivirus detection for URL or domain 2->46 48 Antivirus detection for dropped file 2->48 50 6 other signatures 2->50 8 P4fr8v14dH.exe 5 2->8         started        signatures3 process4 dnsIp5 40 t1.xofinity.com 195.181.169.92, 49709, 49717, 49722 CDN77GB United Kingdom 8->40 42 4a490883-a6f1-4d7c-97ca-dca2f297b7b3.certbooster.com 8->42 28 C:\Program Files (x86)\...\prun.exe, PE32 8->28 dropped 30 C:\Program Files (x86)\...\appsetup.exe, PE32 8->30 dropped 54 Detected unpacking (changes PE section rights) 8->54 13 prun.exe 8->13         started        16 appsetup.exe 1 8->16         started        18 WerFault.exe 8->18         started        20 4 other processes 8->20 file6 signatures7 process8 signatures9 56 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 13->56 58 Hijacks the control flow in another process 13->58 60 Injects a PE file into a foreign processes 13->60 22 rundll32.exe 13->22         started        26 conhost.exe 16->26         started        process10 dnsIp11 34 t1.xofinity.com 22->34 36 127.0.0.1 unknown unknown 22->36 38 192.168.2.1 unknown unknown 22->38 52 System process connects to network (likely due to code injection or exploit) 22->52 signatures12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f22bf1d09f5ae3c0c2ed9c67c9e78f57bc5d053c1f4fb87c317644f4e419e60b/
Threat name:
Win32.Backdoor.Quakbot
Create hunting rule
Status:
Malicious
First seen:
2021-03-24 04:21:37 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=6iv7due7llr4bqxntrt4tz4pk66f2bj4d5h3q7brozcpjzaz4yfq._file
Verdict:
malicious
Similar samples:
03420a335457e352e614dd511f8b03a7a8af600ca67970549d4f27543a151bcf
ArkeiStealer
43c222eea7f1e367757e587b13bf17019f29bd61c07d20cbee14c4d66d43a71f
ArkeiStealer
6651e6156af086e120114fb83b10af8b07acac4b73998cf5758bb5fe17677bfc
ArkeiStealer
66dc1cd0bcac37c0ddf8d31accc62cdbbdafbb08893f03e01dcc602ec5690a95
ArkeiStealer
70289206a05f5f5a83afa162b4fdbf5cd5d2ebfc9e8615d6d9e42ac839fd4302
ArkeiStealer
ad28a67a8f31c9cc363e1dd27ea9e226de97ead72ca696a7911b8d65b4e9a8fc
ArkeiStealer
aee048b20edd9abb8eff89b51d3c20e4ae4bfb9df25ca920cb9348f4d98ec3db
ArkeiStealer
c64c3ea2bc5e7a94d67a6cea1abad1b646d9bc43bbee7a62c5980a40c9ea5c9e
ArkeiStealer
da273c6062c7fe4f69998113d6cabb51998f857194f9bd126343a8603d8200ff
ArkeiStealer
db3330f499a07cf449e3e6f4f43428809d57f5b63923342694468cd6a4f4b943
ArkeiStealer
+ 68 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence upx
Link:
https://tria.ge/reports/210326-tnk8g3fycn/
Behaviour
Checks processor information in registry
GoLang User-Agent
Modifies data under HKEY_USERS
Modifies system certificate store
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Loads dropped DLL
Blocklisted process makes network request
Executes dropped EXE
UPX packed file
Unpacked files
SH256 hash:
44e1ee6c3469874b08db1892da55dce32503ca7876a386cac40fbf9def86f0be
MD5 hash:
575dae3efc6d87cc2d4af5ab3e6a4ebd
SHA1 hash:
baed200bd97c89870b0ef0ace181598036ba711d
Link:
https://www.unpac.me/results/7558adbc-e333-45b7-ba0c-e095704131f0/
SH256 hash:
f22bf1d09f5ae3c0c2ed9c67c9e78f57bc5d053c1f4fb87c317644f4e419e60b
MD5 hash:
7f041b63564d7dc0d1dbdbaa9ce26adf
SHA1 hash:
75a25eea84621a6968d02dde8caa661152907aa0
Link:
https://www.unpac.me/results/7558adbc-e333-45b7-ba0c-e095704131f0/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Qakbot
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f22bf1d09f5ae3c0c2ed9c67c9e78f57bc5d053c1f4fb87c317644f4e419e60b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/127218/

Comments