MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 053d6600cee7a1f232c00c0cd399dc55894cfee75c15a2ba5ac71ba9c8ac266b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 053d6600cee7a1f232c00c0cd399dc55894cfee75c15a2ba5ac71ba9c8ac266b
SHA3-384 hash: 11dcb16a7e048bfdfb3da8990af9e780c765554d6e5a8462d48f81025bd09628cb1af5516404bd9e183725fa0e23ebb1
SHA1 hash: 720f1f306b81074c443cea9baba8f6f13a648766
MD5 hash: 8c5d47cfa9cd9b894b280350240d638d
humanhash: ceiling-delaware-mississippi-apart
File name:Setup.exe
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:574'976 bytes
First seen:2022-11-05 11:31:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash af3ba50176106610c92938df7272dd1f (5 x RedLineStealer, 1 x ArkeiStealer)
ssdeep 12288:v71YgJcbMueyaGfoEukaivk4T0C/XPCVYLile/kmCf:v71Y1FeccnisSPPKZBmU
Threatray 925 similar samples on MalwareBazaar
TLSH T112C4E0A035A0C576D8711930ECF9E0B9CA2DBD1147218EDF1FA41A5A4F747F0B9327AA
TrID 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter Anonymous
Tags:ArkeiStealer exe vidar


Avatar
Anonymous
Extracted from archive c1a0afd475840243c6cf41c91ec97d13d2041fcc286d9a7b330c59d453fc2048
zero padding removed
original sha256: 98ef6ddc644c14cf9e33784fc7197bcd9b329dcd9cd14eb530a06bfab4937033

Intelligence

File Origin
# of uploads :
1
# of downloads :
184
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
vidar
Create hunting rule
ID:
1
File name:
Setup.exe
Verdict:
Malicious activity
Analysis date:
2022-11-05 11:33:49 UTC
Tags:
trojan stealer vidar
Link:
https://app.any.run/tasks/9e6def62-645b-42c1-b4e3-b7f9b65ecb52

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/329041/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Siggen3.24045.17733.25956.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Launching the default Windows debugger (dwwin.exe)
Creating a file
Creating a window
Running batch commands
Creating a process with a hidden window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/636649b2775605b3a4f3ace2/reports/76c06af3-539e-4c42-87a1-822f090b476b/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8ac2c926-1fe6-47b1-ba4f-c1cdb15f7641
Result
Threat name:
Unknown
Detection:
malicious
Classification:
spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1106109
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
Contains functionality to inject code into remote processes
DLL side loading technique detected
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 738773 Sample: Setup.exe Startdate: 05/11/2022 Architecture: WINDOWS Score: 100 34 Multi AV Scanner detection for domain / URL 2->34 36 Antivirus detection for URL or domain 2->36 38 Multi AV Scanner detection for submitted file 2->38 40 Machine Learning detection for sample 2->40 8 Setup.exe 1 2->8         started        process3 signatures4 42 Contains functionality to inject code into remote processes 8->42 44 Writes to foreign memory regions 8->44 46 Allocates memory in foreign processes 8->46 48 Injects a PE file into a foreign processes 8->48 11 AppLaunch.exe 20 8->11         started        16 WerFault.exe 23 9 8->16         started        18 conhost.exe 8->18         started        process5 dnsIp6 30 t.me 149.154.167.99, 443, 49696 TELEGRAMRU United Kingdom 11->30 32 95.217.245.254, 49697, 80 HETZNER-ASDE Germany 11->32 26 C:\ProgramData\sqlite3.dll, PE32 11->26 dropped 50 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 11->50 52 Tries to harvest and steal browser information (history, passwords, etc) 11->52 54 DLL side loading technique detected 11->54 56 Tries to steal Crypto Currency Wallets 11->56 20 cmd.exe 11->20         started        28 C:\ProgramData\Microsoft\...\Report.wer, Unicode 16->28 dropped file7 signatures8 process9 process10 22 conhost.exe 20->22         started        24 timeout.exe 20->24         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/053d6600cee7a1f232c00c0cd399dc55894cfee75c15a2ba5ac71ba9c8ac266b/
Threat name:
Win32.Trojan.Mikey
Create hunting rule
Status:
Malicious
First seen:
2022-11-05 11:32:33 UTC
File Type:
PE (Exe)
AV detection:
19 of 41 (46.34%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=au6wmago46q7emwabqgnhgo4kweuz7xhlqk2fos2y4n2tsfmezvq._file
Verdict:
malicious
Similar samples:
17543eb954b4bf4b1d3cb313b69bb1680268cdd1e8d37b6ebefd4445039c4c56
ArkeiStealer
31e06c795a7897e1d633a6c4790253669a4a6d3eb11a593e71502fc6b27fbda5
ArkeiStealer
586f92b511c1691e53d4175bc7d03b70387079b261d962eb7da18813857c4e7e
ArkeiStealer
88e5393ec1c21914ee6ab9580ad2b6cdbd1617a2148b70ac7f1295fe07d582fe
ArkeiStealer
95f3f918b006d20da00352fd115e4e00f1a8f1197e528b342989694ab8551adc
ArkeiStealer
e19f2e360811718cc910c124bbeb7d6c02a0719f05b1d9fdb7ffcab2c462c727
ArkeiStealer
+ 915 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
spyware stealer
Link:
https://tria.ge/reports/221105-nnad4ahfhr/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Loads dropped DLL
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/72719eb6-f653-45a9-a3a1-4b2dabd55d6a
Unpacked files
SH256 hash:
a97ac23c5f4ab60ce1d4905f8fdacb64a827670add765eb519151544659bd0ef
MD5 hash:
739600f86b442aa448c52132b02ad9e9
SHA1 hash:
455459a29d500be0d0aaf6e3bdfe0e12764967c6
Link:
https://www.unpac.me/results/7f8026e3-6c43-40f8-87e3-b4ca1d21fab7/
SH256 hash:
053d6600cee7a1f232c00c0cd399dc55894cfee75c15a2ba5ac71ba9c8ac266b
MD5 hash:
8c5d47cfa9cd9b894b280350240d638d
SHA1 hash:
720f1f306b81074c443cea9baba8f6f13a648766
Link:
https://www.unpac.me/results/7f8026e3-6c43-40f8-87e3-b4ca1d21fab7/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/053d6600cee7/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/053d6600cee7a1f232c00c0cd399dc55894cfee75c15a2ba5ac71ba9c8ac266b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AppLaunch
Create hunting rule
Author:iam-py-test
Description:Detect files referencing .Net AppLaunch.exe
Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ArkeiStealer

rar c1a0afd475840243c6cf41c91ec97d13d2041fcc286d9a7b330c59d453fc2048

ArkeiStealer

Executable exe 053d6600cee7a1f232c00c0cd399dc55894cfee75c15a2ba5ac71ba9c8ac266b

(this sample)

zip ca5837c6b4cdde0e3ef9942ba308ca19e9b51439048bd0c2fcf5753e1403a517

  
Dropped by
SHA256 c1a0afd475840243c6cf41c91ec97d13d2041fcc286d9a7b330c59d453fc2048
  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/329041/
  
Dropping
SHA256 ca5837c6b4cdde0e3ef9942ba308ca19e9b51439048bd0c2fcf5753e1403a517
  
Dropping
MD5 783597870319e8fc1c818c5f13e28a0d
  
Dropped by
MD5 310502d41f42f1af2bcb6812aecbe643

Comments