MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1b5300266e95949b62a1e5292abc8567619ea2e7914533401e1e1089ae438e55. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ArkeiStealer

Vendor detections: 11

Intelligence 11 IOCs YARA File information Comments

SHA256 hash:	1b5300266e95949b62a1e5292abc8567619ea2e7914533401e1e1089ae438e55
SHA3-384 hash:	f2eae37671dc414fe509780750ad7498873593b61360f7edff2344a23171d2437d9de1807263bb94f7c185b7cb6e88cd
SHA1 hash:	e81891e07c5f6e18b2a0baacbd87c829405584f2
MD5 hash:	a8deee5ea1710445de341ba1a8e4a653
humanhash:	nevada-lithium-butter-pip
File name:	a8deee5ea1710445de341ba1a8e4a653.exe
Download:	download sample
Signature	ArkeiStealer Create hunting rule
File size:	208'384 bytes
First seen:	2021-11-22 13:37:17 UTC
Last seen:	2021-11-22 15:49:16 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	13efcea70e0fb08d4f5ba0d5ad2ab09a (5 x RedLineStealer, 2 x DanaBot, 1 x ArkeiStealer)
ssdeep	3072:O7V2e+8tMFUMZBRUzSZoKRwfEmeMV9qI0zc3idbVJHA8SvM0cAVoOa:sX+eMFUMZBvhRpmOMSdbVJAE0VVTa
Threatray	160 similar samples on MalwareBazaar
TLSH	T12E14CF1133A1B072E8B3357469B28AB21E7BBC7327B5B14B2768173E6E313D04A65753
File icon (PE):
dhash icon	fcfcd4d4d4d4d8c0 (75 x RedLineStealer, 56 x RaccoonStealer, 23 x Smoke Loader)
Reporter	abuse_ch
Tags:	ArkeiStealer exe

Intelligence

File Origin

# of uploads :

# of downloads :

124

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

a8deee5ea1710445de341ba1a8e4a653.exe

Verdict:

Suspicious activity

Analysis date:

2021-11-22 13:52:24 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/f9d1e234-1743-424c-960b-97ab615e3499

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Gathering data

Detection(s):

SecuriteInfo.com.Trojan.Siggen15.49672.23693.18937.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

DNS request

Sending a custom TCP request

Launching the default Windows debugger (dwwin.exe)

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/619b9d3c94a88037d2fe6c05/reports/43d3d795-5194-457c-9c36-5680d58ba5db/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/334928f4-8771-419f-a365-8adc742f082e

Result

Threat name:

Vidar

Detection:

malicious

Classification:

troj.spyw.evad

Score:

76 / 100

Link:

https://www.joesandbox.com/analysis/893866

Signature

Contains functionality to detect sleep reduction / modifications

Found malware configuration

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Tries to harvest and steal browser information (history, passwords, etc)

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/1b5300266e95949b62a1e5292abc8567619ea2e7914533401e1e1089ae438e55/

Threat name:

Win32.Ransomware.StopCrypt

Status:

Malicious

First seen:

2021-11-22 13:38:10 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

23 of 28 (82.14%)

Threat level:

5/5

Verdict:

malicious

ArkeiStealer

2d162f57aec42d53839923f8f3f98cb381bd9f406b57475d9cd9716d24ab6fcd

ArkeiStealer

2dec3828b327d7b5cbba0ccbac40194c24e79ae96a20fb3e1f160a51e53a3bc4

ArkeiStealer

3badebcefb9e7153384cae83baaa119f6317c9381e8500ac285568590e0abd82

ArkeiStealer

55bea97718d10ad6dde683d1316015e4ed475558d725ee34858b15ce8b434afb

ArkeiStealer

b0e9f6ede4c6442ffed1ae5c650474ae10582945c9ec689d5ac4650f81ee0fdf

ArkeiStealer

bb1944681aa2fcfd5f372fd44e041a63569b46130540225afc1560a1650d4e37

ArkeiStealer

dcf4ecc6d3b70a3e11077862b9e3830806191f0718eecb525a3e7d24246c0287

ArkeiStealer

f91702c0d02ebd73ea1077788f0ab7e964e518c7114bae31932671167819f960

ArkeiStealer

fe3ae99417e0d632995ad5ceeccc4c0b308b8a30d2c93031f15837b607b8552b

ArkeiStealer

+ 150 additional samples on MalwareBazaar

Result

Malware family:

arkei

Score:

10/10

Tags:

family:arkei botnet:default spyware stealer

Link:

https://tria.ge/reports/211122-qxefhsaeh6/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Program crash

Reads user/profile data of web browsers

Arkei Stealer Payload

Arkei

Malware Config

C2 Extraction:

http://188.212.124.183/5VW4HcqENA.php

Unpacked files

SH256 hash:

49b84e4826120e4db5ff68c1d8afe3286eff25b202fd40fd1141098acf2f5922

MD5 hash:

c11c3ce343d1ed2cdcd9d1bae4b19532

SHA1 hash:

9987281d9962d94d7bb57a474669d35b852f503b

Link:

https://www.unpac.me/results/d754f80f-d18a-4f03-b7d5-3eb7009adf27/

SH256 hash:

1b5300266e95949b62a1e5292abc8567619ea2e7914533401e1e1089ae438e55

MD5 hash:

a8deee5ea1710445de341ba1a8e4a653

SHA1 hash:

e81891e07c5f6e18b2a0baacbd87c829405584f2

Link:

https://www.unpac.me/results/d754f80f-d18a-4f03-b7d5-3eb7009adf27/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/1b5300266e95/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/1b5300266e95949b62a1e5292abc8567619ea2e7914533401e1e1089ae438e55

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ArkeiStealer

exe 1b5300266e95949b62a1e5292abc8567619ea2e7914533401e1e1089ae438e55

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/1804010/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/208187/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample