MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fe69416ea50c8316791d7de7da893f9189c3d5f34cb9c64026206d19325ef5c5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



ArkeiStealer


Vendor detections: 10



SHA256 hash: fe69416ea50c8316791d7de7da893f9189c3d5f34cb9c64026206d19325ef5c5
SHA3-384 hash: c65d09983998296ba82d53660dd2c632b2a9624f1918e132c7ad460773a3f2633a0b9b12fbc4d3631a3efa63fbc93439
SHA1 hash: 7cfed1e8bed52f4f376e5702dc303b6235b8a19d
MD5 hash: eb6c0ff23c01dd3528789c8142890547
humanhash: mars-alaska-carbon-cup
File name: SecuriteInfo.com.Trojan.Inject4.11083.19609.1028
Signature: ArkeiStealer
File size: 601'600 bytes
First seen: 2021-04-30 21:11:41 UTC
Last seen: 2021-04-30 21:50:42 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'602 x Formbook, 12'241 x SnakeKeylogger)
ssdeep: 12288:ihcZoLLoS60/K7yh0eN8B8J7+NiOgc/TWu/OsC8Q7BWQ6P7FU:ihcZoLAtB8RKhf/TWu/OsC8Qh6
Threatray: 1'097 similar samples on MalwareBazaar
TLSH: 8BD43AAC765469F0E35B5D23A3CF0C0643251274B93BE90E8B6017BE1A67E173E3998D
Reporter: SecuriteInfoCom
Tags: ArkeiStealer

Intelligence


File Origin
# of uploads: 2
# of downloads: 232
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %temp% directory
Sending an HTTP GET request to an infection source
Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Azorult Vidar
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: BlueMashroom DLL Load
Sigma detected: EvilNum Golden Chickens Deployment via OCX Files
Sigma detected: Koadic Execution
Sigma detected: Mustang Panda Dropper
Sigma detected: NotPetya Ransomware Activity
Sigma detected: Raccine Uninstall
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected AntiVM3
Yara detected Azorult
Yara detected Azorult Info Stealer
Yara detected Vidar stealer
Behaviour
Behavior Graph (ID 401819; sample SecuriteInfo.com.Trojan.Inj...; start date 30/04/2021; architecture WINDOWS; score 100), recovered from the graph text as a process tree:
Root signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 14 other signatures
SecuriteInfo.com.Trojan.Inject4.11083.19609.exe (started)
  network: malcacnba.ac.ug 185.215.113.77, ports 49745, 49770, 49771 (WHOLESALECONNECTIONSNL, Portugal)
  dropped: C:\Users\user\AppData\...\ozflkjgfkldsad.exe (PE32); SecuriteInfo.com.T...11083.19609.exe.log (ASCII)
  signature: Injects a PE file into a foreign processes
  starts: ozflkjgfkldsad.exe; SecuriteInfo.com.Trojan.Inject4.11083.19609.exe (second process of the same image)
    ozflkjgfkldsad.exe
      signature: Injects a PE file into a foreign processes
      starts: ozflkjgfkldsad.exe (child process)
        network: malcacnba.ac.ug; 192.168.2.1 (unknown)
        dropped: C:\ProgramData\vcruntime140.dll (PE32); C:\ProgramData\sqlite3.dll (PE32); C:\ProgramData\softokn3.dll (PE32); 4 other files (none is malicious)
        signatures: Tries to harvest and steal browser information (history, passwords, etc); Tries to steal Crypto Currency Wallets
        starts: cmd.exe
          starts: taskkill.exe; conhost.exe
    SecuriteInfo.com.Trojan.Inject4.11083.19609.exe (second process of the same image)
      network: macakslcaq.ug
Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2021-04-30 19:22:31 UTC
AV detection: 13 of 29 (44.83%)
Threat level: 5/5
Result
Malware family: azorult
Score: 10/10
Tags: family:azorult infostealer trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Downloads MZ/PE file
Executes dropped EXE
Azorult
Malware Config
C2 Extraction: http://195.245.112.115/index.php
Unpacked files
SHA256 hash: f3c393191e4628d233d9585858da24b3b94be01335a26b486992e776fe423310
MD5 hash: 556b0cb7c8aba34e9c51b13c91cafddd
SHA1 hash: 19d6f073e36c7e781dfea838c23fa45990f292e9

SHA256 hash: 45be2ec5f71671c0863ab3604cbc02f02afb1715327c9b55c15f265c25f3d98a
MD5 hash: f91d6e71fe7e35eecaedd22bca021e86
SHA1 hash: 33d55995807762a7dee8dd2552ce0fdcf901b4d6
Detections: win_azorult_g1 win_azorult_auto

SHA256 hash: 74b2935b9dfe4ba397fd0507ae3c36abb77193041f2e7c43c55dc4e7b33de61c
MD5 hash: b5c218f30fecc9cb8513ff6a46737b01
SHA1 hash: f0416867c2b114789620b318051f1fa390b07eae

SHA256 hash: fe69416ea50c8316791d7de7da893f9189c3d5f34cb9c64026206d19325ef5c5
MD5 hash: eb6c0ff23c01dd3528789c8142890547
SHA1 hash: 7cfed1e8bed52f4f376e5702dc303b6235b8a19d
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Author: ditekSHen
Description: Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name: MALWARE_Win_Vidar
Author: ditekSHen
Description: Detects Vidar / ArkeiStealer

Rule name: Vidar
Author: kevoreilly
Description: Vidar Payload

Rule name: win_oski_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
ArkeiStealer: Executable exe fe69416ea50c8316791d7de7da893f9189c3d5f34cb9c64026206d19325ef5c5 (this sample)
Delivery method: Distributed via web download