MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4340bc1e1ddb5d268a010401be96435063de733a2601d158d13f56da9f20df5d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ArkeiStealer
Vendor detections: 7

SHA256 hash: 4340bc1e1ddb5d268a010401be96435063de733a2601d158d13f56da9f20df5d
SHA3-384 hash: c3250a0d0eaa21459fa1f5eb01227564ae6dad70fee166690f5427c0b19fe16cdde26af23f62b610785c1ede4e29b227
SHA1 hash: 74b4d4a19500d3644a6a4f523ad7d4adcb1ace6f
MD5 hash: ec72a93f6279b16006f2196f330166ee
humanhash: burger-quebec-harry-hotel
File name: ec72a93f6279b16006f2196f330166ee.exe
Signature: ArkeiStealer
File size: 5'124'457 bytes
First seen: 2021-09-28 06:27:36 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 5a594319a0d69dbc452e748bcf05892e (13 x ParallaxRAT, 11 x NetSupport, 5 x RedLineStealer)
ssdeep: 98304:8SiwHhbbp/qa7irrDRcLAs6EOZ354tnteHOBQNnPcMa:Np/qRv9qAzEPttRmcd
Threatray: 1 similar samples on MalwareBazaar
TLSH: T15636123FF268A53EC46E1B3245B38250897B7A60A81A8C1F57FC384DCF765601E3B656
dhash icon: 5050d270cccc82ae (10 x ParallaxRAT, 1 x FickerStealer, 1 x NetSupport)
Reporter: @abuse_ch
Tags: ArkeiStealer exe

Intelligence

File Origin
# of uploads: 1
# of downloads: 79
Origin country: US

Mail intelligence
No data

Vendor Threat Intelligence

ID: 1
File name: zukuluti.pdf
Verdict: Malicious activity
Analysis date: 2021-09-28 00:16:50 UTC
Tags: evasion trojan opendir loader rat redline stealer vidar autoit 1xxbot

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Clean
Maliciousness:
Result
Threat name:
Detection: malicious
Classification: troj.spyw.evad
Score: 76 / 100
Signature:
.NET source code contains in memory code execution
Found many strings related to Crypto-Wallets (likely being stolen)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Yara detected Vidar stealer
Behaviour
Behavior Graph (ID 492023; sample br4Cu3BycW.exe; start date 28/09/2021; architecture WINDOWS; score 76)
Signatures: Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; Yara detected Vidar stealer; 3 other signatures
Process chain:
  br4Cu3BycW.exe: dropped C:\Users\user\AppData\...\br4Cu3BycW.tmp (PE32); started br4Cu3BycW.tmp
  br4Cu3BycW.tmp: dropped C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+); started br4Cu3BycW.exe
  br4Cu3BycW.exe: dropped C:\Users\user\AppData\...\br4Cu3BycW.tmp (PE32); started br4Cu3BycW.tmp
  br4Cu3BycW.tmp: dropped C:\Users\user\AppData\...\is-7MTO8.tmp (PE32), C:\Users\user\...\CrystalReports.exe (copy, PE32), C:\Users\user\...\tsharkdecode.dll (copy, PE32+) and 38 other files (none is malicious); started CrystalReports.exe
  CrystalReports.exe: network connection to 147.135.170.166, port 80 (OVHFR, France)
Threat name: Win32.Trojan.Sabsik
Status: Malicious
First seen: 2021-09-28 03:27:55 UTC
AV detection: 8 of 28 (28.57%)
Threat level: 5/5
Result
Malware family: n/a
Score: 8/10
Tags: discovery spyware stealer
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Unpacked files

SHA256 hash: 5a3ccc92f7966f8a3f8d0fbc50cef8452560341f4e23c769247b3cdd0818af11
MD5 hash: eeb69f7b86959ae72b9d37443fb7f3d0
SHA1 hash: ea687885ff8711724639134819bfffe3934e0cc1

SHA256 hash: 74a7390843cb3376c714cabd6fa5ff973ddd4cc70f7c6bdfc808ebf0b542831d
MD5 hash: 0d934f0d296e6269ded43e6c9dc2aacf
SHA1 hash: cdf64fca97814684e4383c4ed2e719d0b245269b

SHA256 hash: 012a9e626e14509f02c588dd0677232f131fccdb4f993c60d6db6ed0d6cde218
MD5 hash: e1044ae751df4d00ca0ee946bced3cca
SHA1 hash: 9f466b27c5257f1800dfab4e5f1d90453ddb286c

SHA256 hash: 4340bc1e1ddb5d268a010401be96435063de733a2601d158d13f56da9f20df5d
MD5 hash: ec72a93f6279b16006f2196f330166ee
SHA1 hash: 74b4d4a19500d3644a6a4f523ad7d4adcb1ace6f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: ArkeiStealer
File: Executable exe 4340bc1e1ddb5d268a010401be96435063de733a2601d158d13f56da9f20df5d (this sample)

Delivery method: Distributed via web download
