MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 01dd09f52d0accfd655731ed746a9c3742dc7ee7684aa5a4002155897147dc20. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 13


Intelligence 13 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 01dd09f52d0accfd655731ed746a9c3742dc7ee7684aa5a4002155897147dc20
SHA3-384 hash: 365d322d360f07ef31320f6b860467b95e962d872e8d5409cee627b8b0bdacc3354624dcfde9f8c5cfa59dc3ba34f8b9
SHA1 hash: 1f8f8d9c120fe300d1f4123bf3b1725a64374dfd
MD5 hash: fc36426495ee630d0b1b8f01dc716a4a
humanhash: early-hawaii-ceiling-earth
File name:01dd09f52d0accfd655731ed746a9c3742dc7ee7684aa5a4002155897147dc20
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:617'984 bytes
First seen:2022-09-13 06:47:29 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 46ea01139480de6933ccd8c139a590dd (6 x RedLineStealer, 1 x DCRat, 1 x ArkeiStealer)
ssdeep 12288:WE/uGuw1DPs5P9PTxy9bd46JgqPMQhB6NLKdLhTh3QHQIE:WkueDcVTxy9jgtQKiTgHQIE
Threatray 377 similar samples on MalwareBazaar
TLSH T106D49E077572C0BBD83181701C2F8FFD983A6C2699210DAF97E41D6A59F2B817D17A3A
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter JAMESWT_WT
Tags:ArkeiStealer exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
225
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
arkei
Create hunting rule
ID:
1
File name:
01dd09f52d0accfd655731ed746a9c3742dc7ee7684aa5a4002155897147dc20
Verdict:
Malicious activity
Analysis date:
2022-09-13 06:47:51 UTC
Tags:
trojan stealer arkei loader
Link:
https://app.any.run/tasks/5a07a91d-582e-4b35-b53d-797bca6caf2a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/309634/
Detection(s):
Win.Malware.Exploitx-9967939-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Searching for synchronization primitives
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Launching the default Windows debugger (dwwin.exe)
Creating a process with a hidden window
Creating a file
Creating a window
Running batch commands
Launching a tool to kill processes
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/37516/overview
Behaviour
MalwareBazaar
MeasuringTime
CheckCmdLine
EvasionQueryPerformanceCounter
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware obfuscated
Link:
https://www.filescan.io/uploads/632027dad94ccae410930a05/reports/12cc17a0-d953-4ff4-b813-794c11bd0af3/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/fb82f988-422b-4929-9270-03420c25d0b5
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1069280
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
Contains functionality to inject code into remote processes
DLL side loading technique detected
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 701808 Sample: ig0b2uSjHY.exe Startdate: 13/09/2022 Architecture: WINDOWS Score: 100 40 Malicious sample detected (through community Yara rule) 2->40 42 Antivirus detection for URL or domain 2->42 44 Multi AV Scanner detection for submitted file 2->44 46 2 other signatures 2->46 8 ig0b2uSjHY.exe 1 2->8         started        process3 signatures4 48 Contains functionality to inject code into remote processes 8->48 50 Writes to foreign memory regions 8->50 52 Allocates memory in foreign processes 8->52 54 Injects a PE file into a foreign processes 8->54 11 AppLaunch.exe 20 8->11         started        16 WerFault.exe 23 9 8->16         started        18 conhost.exe 8->18         started        20 WerFault.exe 8->20         started        process5 dnsIp6 36 t.me 149.154.167.99, 443, 49730 TELEGRAMRU United Kingdom 11->36 38 116.202.179.139, 49731, 80 HETZNER-ASDE Germany 11->38 32 C:\ProgramData\sqlite3.dll, PE32 11->32 dropped 56 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 11->56 58 Tries to harvest and steal browser information (history, passwords, etc) 11->58 60 DLL side loading technique detected 11->60 62 Tries to steal Crypto Currency Wallets 11->62 22 cmd.exe 11->22         started        24 WerFault.exe 11->24         started        34 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 16->34 dropped file7 signatures8 process9 process10 26 conhost.exe 22->26         started        28 taskkill.exe 22->28         started        30 timeout.exe 22->30         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/01dd09f52d0accfd655731ed746a9c3742dc7ee7684aa5a4002155897147dc20/
Threat name:
Win32.Trojan.Fragtor
Create hunting rule
Status:
Malicious
First seen:
2022-09-07 17:12:03 UTC
File Type:
PE (Exe)
AV detection:
24 of 38 (63.16%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ahoqt5jnblgp2zkxghwxi2u4g5bny7xhnbfkljaaefkys4kh3qqa._file
Verdict:
malicious
Similar samples:
13f8728b95a9ca527c725c440726814ffbc88eeaf9323e50958fa3a8df969372
ArkeiStealer
1800a59347a0968cadae0d92bb90c8b0ea3ece7d29b519ef950c5e3c483b85b8
ArkeiStealer
1dd402d450c484140663b57c516ca68b10f31976f324f268ac6e564c6ca177af
ArkeiStealer
3e8cd0eb4715ef2b9f3b9f676b90eb16b0842d289a34fdd41e46c106a845d983
ArkeiStealer
49b1767e5f5c128884604182bab46c5c7aeae9c7d6e5316900d32768a577dcd1
ArkeiStealer
81e0959262728a0870a5fd08f80207d1157bdf2e00dde7d8481450fa17f5d718
ArkeiStealer
bdbd5a0fb6a3ab99f0cfa3cee7e3f7f8f7ec078eeb628aadfb8a32a5df2be3b9
ArkeiStealer
c1b694fc1a8292381f26293bd47a8093c49d48874937be131fa2e8f35e847b58
ArkeiStealer
dd0145067f81bf5aff9a7ee7eb56c11a98a5f69a9bdbc36744919ee49890de5a
ArkeiStealer
+ 367 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
spyware stealer
Link:
https://tria.ge/reports/220913-hkr7vaagap/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Loads dropped DLL
Verdict:
Unknown
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/3a7e67bf-6345-4523-b364-1cb5fa890285
Unpacked files
SH256 hash:
114d5c95987eee1b38866e9b8b7245035ec8b6ff944253e6846b424d81f091cf
MD5 hash:
a95aa286af8650f6d793b9f7c87dc8b3
SHA1 hash:
8f9de7bee5fe1b7f83433809a6e4137d2b2cb3c4
Detections:
win_vidar_auto
Create hunting rule
Link:
https://www.unpac.me/results/8eccc52e-ff09-4e73-9d06-d8d887b7beff/
SH256 hash:
01dd09f52d0accfd655731ed746a9c3742dc7ee7684aa5a4002155897147dc20
MD5 hash:
fc36426495ee630d0b1b8f01dc716a4a
SHA1 hash:
1f8f8d9c120fe300d1f4123bf3b1725a64374dfd
Link:
https://www.unpac.me/results/8eccc52e-ff09-4e73-9d06-d8d887b7beff/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/01dd09f52d0accfd655731ed746a9c3742dc7ee7684aa5a4002155897147dc20

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:SUSP_XORed_URL_in_EXE
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:SUSP_XORed_URL_in_EXE_RID2E46
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:win_vidar_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.vidar.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/309634/

Comments