MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f2b8ade9cba417c257159e61f3f191ff210ff129c1e93bfb7deba769c8f0f4fc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 7


Intelligence 7 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f2b8ade9cba417c257159e61f3f191ff210ff129c1e93bfb7deba769c8f0f4fc
SHA3-384 hash: 796baff263ff0debb0b7d06572e58e458da543dcdbf2f9ef302550c21008d03a3ae98a242a3ca3542bfade318ebb8464
SHA1 hash: 571cd22d13448e39af1bdb4c852d12d131bdcf92
MD5 hash: 4121428aebb6ff2dfa948ecefe6012fd
humanhash: purple-speaker-california-item
File name:P.O23241.msi
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:1'736'704 bytes
First seen:2022-08-15 14:40:28 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 49152:UpdSDO7JF/4zzPK7Gq+37yzk2ME3kSZM:UpHlSzi7GRLMk0kx
TLSH T1ED8512913B84C436D66A293280FB972A263ABD615F34D5CF7754BA5D0E307C3AE79302
TrID 98.2% (.MSI) Microsoft Windows Installer (454500/1/170)
1.7% (.) Generic OLE2 / Multistream Compound (8000/1)
Reporter abuse_ch
Tags:ArkeiStealer msi


Avatar
abuse_ch
ArkeiStealer C2:
http://159.69.101.102/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://159.69.101.102/ https://threatfox.abuse.ch/ioc/842945/

Intelligence

File Origin
# of uploads :
1
# of downloads :
178
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/298693/
Detection(s):
SecuriteInfo.com.Gen.Variant.Barys.318519.17788.21171.UNOFFICIAL
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
cmd.exe expand.exe fingerprint packed shell32.dll
Link:
https://www.filescan.io/uploads/62fa5b7ae4e65a67c4ab659b/reports/4fc7d738-5707-4e69-9650-98751982df05/overview
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/f2b8ade9cba417c257159e61f3f191ff210ff129c1e93bfb7deba769c8f0f4fc
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1051618
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 684129 Sample: P.O23241.msi Startdate: 15/08/2022 Architecture: WINDOWS Score: 100 39 Multi AV Scanner detection for domain / URL 2->39 41 Malicious sample detected (through community Yara rule) 2->41 43 Antivirus detection for URL or domain 2->43 45 3 other signatures 2->45 8 msiexec.exe 12 20 2->8         started        11 msiexec.exe 5 2->11         started        process3 file4 33 C:\Windows\Installer\MSIDB8.tmp, PE32 8->33 dropped 13 msiexec.exe 5 8->13         started        process5 process6 15 L0CN7FrZ7qVKconm.exe 13->15         started        18 expand.exe 4 13->18         started        21 cmd.exe 13->21         started        23 2 other processes 13->23 file7 53 Writes to foreign memory regions 15->53 55 Allocates memory in foreign processes 15->55 57 Injects a PE file into a foreign processes 15->57 25 InstallUtil.exe 16 15->25         started        29 C:\Users\user\...\L0CN7FrZ7qVKconm.exe (copy), PE32 18->29 dropped 31 C:\...\b1b5a681eeb9a74f941bdb115c1617ef.tmp, PE32 18->31 dropped signatures8 process9 dnsIp10 35 t.me 149.154.167.99, 443, 49173 TELEGRAMRU United Kingdom 25->35 37 159.69.101.102, 49174, 80 HETZNER-ASDE Germany 25->37 47 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 25->47 49 Tries to harvest and steal browser information (history, passwords, etc) 25->49 51 Tries to steal Crypto Currency Wallets 25->51 signatures11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f2b8ade9cba417c257159e61f3f191ff210ff129c1e93bfb7deba769c8f0f4fc/
Threat name:
Win32.Trojan.Barys
Create hunting rule
Status:
Malicious
First seen:
2022-08-15 14:41:12 UTC
File Type:
Binary (Archive)
Extracted files:
58
AV detection:
6 of 39 (15.38%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=6k4k32oluql4evyvtzq7h4mr74qq74jjyhutx6355otwtshq6t6a._file
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery spyware stealer
Link:
https://tria.ge/reports/220815-r2eshsegd9/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Enumerates connected drives
Loads dropped DLL
Modifies file permissions
Executes dropped EXE
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f2b8ade9cba417c257159e61f3f191ff210ff129c1e93bfb7deba769c8f0f4fc

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/298693/

Comments