MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 139cb9080845e4430473e3ad1e6f27c7c03be615c36afa86d58d69b7d9a5c0ef. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 139cb9080845e4430473e3ad1e6f27c7c03be615c36afa86d58d69b7d9a5c0ef
SHA3-384 hash: a67b6ee26a4f31ac83f3976172d95b197789f617eab0ee3a8fe8470d200f34addc179828a2f0707cf4b366a08207e1d9
SHA1 hash: f60418c38060ac133e395c00022fb665c5035ef7
MD5 hash: 4dc97030fbbff2dcccb126c7fe5e9c86
humanhash: steak-oscar-texas-stream
File name:139cb9080845e4430473e3ad1e6f27c7c03be615c36afa86d58d69b7d9a5c0ef
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:382'976 bytes
First seen:2022-06-14 15:26:47 UTC
Last seen:2022-06-14 15:27:06 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b88da3f1e73518bb3e8d17092b704138 (3 x Loki, 3 x Amadey, 2 x Smoke Loader)
ssdeep 6144:7uFzQKoa58+Ciwit5bKfUEFYrluaCoZnbrUOhMCVV3GMGVamTm+E:7uF8KX++CiwibaDFEluaCo9gwMCV6d
Threatray 5'211 similar samples on MalwareBazaar
TLSH T1A084CF10BBA0D035F5F712F049B99368B93EBAF15B2464CB62E426EE56346D4EC3134B
TrID 40.5% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
17.0% (.SCR) Windows screen saver (13101/52/3)
13.6% (.EXE) Win64 Executable (generic) (10523/12/4)
8.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon 25ec1370399b9b91 (21 x Smoke Loader, 18 x RedLineStealer, 10 x Amadey)
Reporter crep1x
Tags:ArkeiStealer exe vidar

Intelligence

File Origin
# of uploads :
2
# of downloads :
369
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
139cb9080845e4430473e3ad1e6f27c7c03be615c36afa86d58d69b7d9a5c0ef
Verdict:
Malicious activity
Analysis date:
2022-06-14 20:50:07 UTC
Tags:
trojan stealer
Link:
https://app.any.run/tasks/9d903144-9aca-4795-a6e9-6da01a0140de

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/279870/
Detection(s):
Win.Ransomware.Ransomx-9943921-0
Create hunting rule

Win.Packed.Pwsx-9948390-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Reading critical registry keys
Creating a window
Stealing user critical data
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/21213/overview
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
EvasionQueryPerformanceCounter
CheckCmdLine
EvasionGetTickCount
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
azorult greyware packed ransomware
Link:
https://www.filescan.io/uploads/62a8a8c84d1ff31e31be6717/reports/83d8d023-fb64-436c-8eb2-4b0980fcc503/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Arkei Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/49e0a299-e732-4c81-bf65-e8c11a5c9760
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1013075
Signature
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/139cb9080845e4430473e3ad1e6f27c7c03be615c36afa86d58d69b7d9a5c0ef/
Threat name:
Win32.Trojan.Raccrypt
Create hunting rule
Status:
Malicious
First seen:
2022-06-14 08:56:30 UTC
File Type:
PE (Exe)
Extracted files:
10
AV detection:
23 of 26 (88.46%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=coolscaiixsegbdt4owr43zhy7adxzqvynvpvbwvrvu3pwnfydxq._file
Verdict:
malicious
Similar samples:
12011e7abf1ae84f14c158817f7c8b888ccf45a3103eed8367463c97d9fc8d46
ArkeiStealer
369f11b11b8dd54abb0833b3fd0b6a470687f45b7af473ad812efd52d7aaed2f
ArkeiStealer
3722aebc144a3383cf564e2627b13492a705a1d25019812ff77460fbb699f048
ArkeiStealer
82a108c44defd4e43bf5bdee2bbadbf7f62870683557276b698d15845267c722
ArkeiStealer
84752137ce55ddc79cf2cd02069fb6c68f55901453609024bc6ed508dfc026a6
ArkeiStealer
ab37a574af8ab7ece7b24d9c6bca61e2c08ac73928269473946f8476a9eac661
ArkeiStealer
+ 5'201 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar botnet:1415 discovery spyware stealer suricata
Link:
https://tria.ge/reports/220614-svqrwabbh6/
Behaviour
Checks processor information in registry
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads local data of messenger clients
Reads user/profile data of web browsers
Vidar Stealer
Vidar
suricata: ET MALWARE Vidar/Arkei/Megumin Stealer Keywords Retrieved
suricata: ET MALWARE W32/Agent.OGR!tr.pws Stealer
Malware Config
C2 Extraction:
https://t.me/tg_dailylessons
https://busshi.moe/@olegf9844xx
Unpacked files
SH256 hash:
294acdccd11f824c0b69a2894e24c98b8a91b42ee204e2594a8c20b034e1cb4e
MD5 hash:
ebe9747b97a07e3b561ad4f5d5246a35
SHA1 hash:
da759fcf16684190af0e480550e2375aae457535
Link:
https://www.unpac.me/results/ea0ab8c2-4b83-4553-89f3-f377c0ae61dc/
SH256 hash:
139cb9080845e4430473e3ad1e6f27c7c03be615c36afa86d58d69b7d9a5c0ef
MD5 hash:
4dc97030fbbff2dcccb126c7fe5e9c86
SHA1 hash:
f60418c38060ac133e395c00022fb665c5035ef7
Link:
https://www.unpac.me/results/ea0ab8c2-4b83-4553-89f3-f377c0ae61dc/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/139cb9080845/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/139cb9080845e4430473e3ad1e6f27c7c03be615c36afa86d58d69b7d9a5c0ef

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:exploit_any_poppopret
Create hunting rule
Author:Jeff White [karttoon@gmail.com] @noottrak
Description:Identify POP -> POP -> RET opcodes for quick ROP Gadget creation in target binaries.
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/279870/

Comments