MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 170872babd88df2e2ab45b85d2a140711bed972625e8d826d508f81f811283ec. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ArkeiStealer

Vendor detections: 12

Intelligence 12 IOCs YARA File information Comments

SHA256 hash:	170872babd88df2e2ab45b85d2a140711bed972625e8d826d508f81f811283ec
SHA3-384 hash:	d2dd95b0ebcd26a6ba2cd603adb4094482d0ac229f8c7df0f79a4449ddc71b056fd34d1d61af1d8f7f7ddab13174d43a
SHA1 hash:	c24d5d5e6f41e46f3db91ce85a860a7f84bee64c
MD5 hash:	620fc1145a4b49a0e2972539e51f2940
humanhash:	beer-alanine-lactose-single
File name:	620fc1145a4b49a0e2972539e51f2940.exe
Download:	download sample
Signature	ArkeiStealer Create hunting rule
File size:	304'128 bytes
First seen:	2022-05-04 13:50:37 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	25d71a22c38efe20ec3ceb6773ac4899 (1 x Loki, 1 x ArkeiStealer)
ssdeep	6144:aIVl+sHAPaZ0V04rIgOuYoYisacccccDs:tv+sYaWrI/uIiVcccccA
Threatray	4'170 similar samples on MalwareBazaar
TLSH	T13A54D011B6A0C431D1A74A348874D6612F7EBC636A744A8F37A4273E1F713D12BB639B
TrID	48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 16.4% (.EXE) Win64 Executable (generic) (10523/12/4) 10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	5c599a3ce0c3c850 (43 x Stop, 37 x RedLineStealer, 36 x Smoke Loader)
Reporter	abuse_ch
Tags:	ArkeiStealer exe

Intelligence

File Origin

# of uploads :

# of downloads :

247

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

arkei

ID:

File name:

620fc1145a4b49a0e2972539e51f2940.exe

Verdict:

Malicious activity

Analysis date:

2022-05-04 16:17:20 UTC

Tags:

arkei trojan stealer vidar

Link:

https://app.any.run/tasks/dac931b7-6a7e-4c46-911b-1230ed4ededd

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/268637/

Detection(s):

Win.Malware.Filerepmalware-9941437-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

DNS request

Sending an HTTP GET request

Creating a file

Reading critical registry keys

Changing a file

Creating a file in the %AppData% subdirectories

Сreating synchronization primitives

Running batch commands

Creating a process with a hidden window

Launching a process

Stealing user critical data

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/16292/overview

Behaviour

MalwareBazaar

SystemUptime

MeasuringTime

EvasionGetTickCount

EvasionQueryPerformanceCounter

CheckCmdLine

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware

Link:

https://www.filescan.io/uploads/627284ce62b1ae4451d655d3/reports/30404dcb-8714-48c0-9bdd-eb3242eaa2e6/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Oski Stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/21541dc4-3446-4ede-a2d0-5f145dec51d9

Result

Threat name:

Vidar

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/987799

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Contains functionality to detect sleep reduction / modifications

Contains functionality to inject code into remote processes

Detected unpacking (creates a PE file in dynamic memory)

Found evasive API chain (may stop execution after checking computer name)

Found evasive API chain (may stop execution after checking locale)

Found evasive API chain (may stop execution after checking mutex)

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Self deletion via cmd delete

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/170872babd88df2e2ab45b85d2a140711bed972625e8d826d508f81f811283ec/

Threat name:

Win32.Trojan.CrypterX

Status:

Malicious

First seen:

2022-05-04 13:51:13 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

20 of 42 (47.62%)

Threat level:

5/5

Verdict:

malicious

ArkeiStealer

0b4c35d12d6472f69dd06ccdba38802fceba972c397f7eca17b16e0aabab60db

ArkeiStealer

2a13b3b4e815d3856fb26b89dbcfb06a5b025db7f4c0e398ccdbc4477e3d2f58

ArkeiStealer

2ba0f24b947a266b0cc27837455123e7321619f2bbe7f18c1affad896e86f445

ArkeiStealer

3a2a1eff040a79d603b1ac2609a423ad8beb46d2876aa959f60dc98477707c0f

ArkeiStealer

499656d285442a548d0f0356a414b5c50b7bd7815db52e845cf8729cd4bcc9bc

ArkeiStealer

63fed261af5fb2e1eb439256eba9b6f96bbb9e2ee97c7f8211c5f60992f5a7e0

ArkeiStealer

7f19bc8eb8f0555986de478bc9a17a8e052f4a9262b0a19b924d8e9c66a01ca7

ArkeiStealer

aedd3ab9ebad560ccd8f02129fd585ddeac9a9e921c9dbcb42beefb724bba10e

ArkeiStealer

de147d635d7404111032d34845dd05eddc00ae6ecf0814d89eed3c6a81c06629

ArkeiStealer

+ 4'160 additional samples on MalwareBazaar

Result

Malware family:

arkei

Score:

10/10

Tags:

family:arkei botnet:default discovery spyware stealer suricata

Link:

https://tria.ge/reports/220504-q5tkeagfhr/

Behaviour

Checks processor information in registry

Delays execution with timeout.exe

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Checks computer location settings

Deletes itself

Loads dropped DLL

Reads user/profile data of web browsers

Arkei

suricata: ET MALWARE Win32/Vidar Variant/Mars Stealer CnC Exfil

Malware Config

C2 Extraction:

http://jsdkcs.link/518855.php

Unpacked files

SH256 hash:

36fc8d5c6056a140df715d3488bdc5154e83a6b4d6755776b65786f166fb5570

MD5 hash:

249fa542023ca6430e834cd8a802a05b

SHA1 hash:

9197c863f632b85c7034712bb931e18bf6310dff

Link:

https://www.unpac.me/results/b3e71bd0-d290-4a68-b143-230b3b01ca24/

SH256 hash:

170872babd88df2e2ab45b85d2a140711bed972625e8d826d508f81f811283ec

MD5 hash:

620fc1145a4b49a0e2972539e51f2940

SHA1 hash:

c24d5d5e6f41e46f3db91ce85a860a7f84bee64c

Link:

https://www.unpac.me/results/b3e71bd0-d290-4a68-b143-230b3b01ca24/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/170872babd88/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/170872babd88df2e2ab45b85d2a140711bed972625e8d826d508f81f811283ec

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/268637/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample