MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0778e27564421c72d9f098a2650d332146ce58a80b0e8c0a2351788dfaf561b8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 12


Intelligence 12 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0778e27564421c72d9f098a2650d332146ce58a80b0e8c0a2351788dfaf561b8
SHA3-384 hash: a7d355c21e43e171cca630d9b8efe3533b16b766fbbc002a89077f98e41e14fee9b31c8dc9a1748bed72ba04b9c50d6a
SHA1 hash: eebde8b23bfc43062300496b289da5ef365601b9
MD5 hash: 2ca1c8768d7e339db9be5906e60f3d41
humanhash: nuts-jersey-xray-fruit
File name:2ca1c8768d7e339db9be5906e60f3d41.exe
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:109'568 bytes
First seen:2021-11-21 10:19:14 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4c665f81387442ad965e3f4eba69f083 (8 x MarsStealer, 4 x ArkeiStealer)
ssdeep 3072:KYgUr4MNJEcPmpnGPSszM2tUEUPz1Pxj/kYU:lRr4MNJEcu41z1tUfP5V/kY
Threatray 3'517 similar samples on MalwareBazaar
TLSH T1D1B3E08066C0FF29E225BABFE84472219C8D942EF56D502DC4A796DF3D6C65009ECEC3
Reporter abuse_ch
Tags:ArkeiStealer exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
128
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
2ca1c8768d7e339db9be5906e60f3d41.exe
Verdict:
Malicious activity
Analysis date:
2021-11-21 10:20:16 UTC
Tags:
stealer loader trojan
Link:
https://app.any.run/tasks/538edf03-c7c5-4142-9906-1cb17e2fd729

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Gathering data
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Reading critical registry keys
Changing a file
Creating a file in the %AppData% subdirectories
Creating a window
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Launching a process
Stealing user critical data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware packed trickbot vidar virus virut
Link:
https://www.filescan.io/uploads/619a1d56398e2553d2ffac92/reports/42a56615-8acb-4840-a4cf-b77c1d03dd90/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Anubi NotBTCWare
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ae1193ca-34a9-467c-a834-48e517c290b7
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/893258
Signature
Antivirus / Scanner detection for submitted sample
Contains functionality to detect sleep reduction / modifications
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Self deletion via cmd delete
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0778e27564421c72d9f098a2650d332146ce58a80b0e8c0a2351788dfaf561b8/
Threat name:
Win32.Trojan.TrickBot
Create hunting rule
Status:
Malicious
First seen:
2021-11-21 10:20:07 UTC
AV detection:
24 of 28 (85.71%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=a54oe5leiiohfwpqtcrgkdjtefdm4wfibmhiycrdkf4i36xvmg4a._file
Verdict:
malicious
Similar samples:
192f884438809d6fb01ae0c89c4ccd1fdae62d429e78bdbcc4ff4d28a54049af
ArkeiStealer
2e14b592904e292539d9fc9d57a06df31676d5645ebaa49ebe129044d2d3baa3
ArkeiStealer
8104ca049d63de80339bf38af00601a25405fcc84a7a1df39001d21f1c71f8eb
ArkeiStealer
a870249216a9fd48fa38faf197c7cad48a16b1c1f0d17f98b9b5de4c1a1b7cfb
ArkeiStealer
a9dea10c6d4d205faab1ac8db69384e9c3dc91fd5a718266957e4e164f76cd4a
ArkeiStealer
b944023d535bc8e5980173e203cee0d2fc2df9e865b4a06fc0694436ce5b6541
ArkeiStealer
bb1944681aa2fcfd5f372fd44e041a63569b46130540225afc1560a1650d4e37
ArkeiStealer
d7cdfb895940efd584c78b7e56f9ed720491234df489ee9eb9aa98c24714d530
ArkeiStealer
e255e88af9c588f6131ac8f1380db8e68b421c41d1974e57923c491ea97e9a08
ArkeiStealer
e9abbf811d367cf26f493d72ccd96749e534804ac27d36956dce0484b1440f25
ArkeiStealer
+ 3'507 additional samples on MalwareBazaar
Result
Malware family:
arkei
Create hunting rule
Score:
  10/10
Tags:
family:arkei stealer
Link:
https://tria.ge/reports/211121-mc4ywsggc5/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Unpacked files
SH256 hash:
9983afc315ee2b9f3d1c1dfc01163639a0fb840398374d2e3c542df88db24a1f
MD5 hash:
42a10e92e42a2297a9ceb0ab0db1fc15
SHA1 hash:
8b1cc5a9d42b1247755d0b1fde9eec1a03f411b3
Link:
https://www.unpac.me/results/5505a587-6628-4153-ac23-678ab5c039a1/
SH256 hash:
0778e27564421c72d9f098a2650d332146ce58a80b0e8c0a2351788dfaf561b8
MD5 hash:
2ca1c8768d7e339db9be5906e60f3d41
SHA1 hash:
eebde8b23bfc43062300496b289da5ef365601b9
Link:
https://www.unpac.me/results/5505a587-6628-4153-ac23-678ab5c039a1/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/0778e2756442/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0778e27564421c72d9f098a2650d332146ce58a80b0e8c0a2351788dfaf561b8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation
Create hunting rule
Author:ditekSHen
Description:Detects executables containing potential Windows Defender anti-emulation checks

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ArkeiStealer

Executable exe 0778e27564421c72d9f098a2650d332146ce58a80b0e8c0a2351788dfaf561b8

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/207862/
  
URLhaus
https://urlhaus.abuse.ch/url/1799813/
  
Delivery method
Distributed via web download

Comments