MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2533988e9f91942374496eff84c8de129d542f8f998fd16807cc0ba34dea62d5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ArkeiStealer

Vendor detections: 10

Intelligence 10 IOCs YARA File information Comments

SHA256 hash:	2533988e9f91942374496eff84c8de129d542f8f998fd16807cc0ba34dea62d5
SHA3-384 hash:	bc14ab8e45ce23964d46ba007b25a7f643a85c4737675c7b3568dbaa35a12b9a7b43d9fe420787c6cc050169b86bf7d9
SHA1 hash:	eb89d690cb604b8c828550ed1e216ae02532077a
MD5 hash:	7e15d262ccd214ffe30b5d2a68bf56e4
humanhash:	river-connecticut-single-kitten
File name:	7e15d262ccd214ffe30b5d2a68bf56e4.exe
Download:	download sample
Signature	ArkeiStealer Create hunting rule
File size:	339'968 bytes
First seen:	2022-01-21 14:41:56 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	0152c21ced523378d45e83b1b3a1fdf0 (1 x Loki, 1 x RedLineStealer, 1 x ArkeiStealer)
ssdeep	6144:0Grnr14p/NC6K1N7hPgFzPOvW/BD3iZipltLcWbB+mFC:0GP10RsZhPEPOv6D9ZcWb
Threatray	767 similar samples on MalwareBazaar
TLSH	T1DB747C00BBA0D435F6B311F449B99378B63E7AA15B2490CF52D16AEE9B356E0DC3131B
File icon (PE):
dhash icon	2dec1378399b9b91 (25 x Smoke Loader, 22 x RedLineStealer, 7 x RaccoonStealer)
Reporter	abuse_ch
Tags:	ArkeiStealer exe

Intelligence

File Origin

# of uploads :

# of downloads :

259

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/221519/

Detection(s):

Win.Dropper.Mikey-9917324-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

DNS request

Sending an HTTP GET request

Creating a file

Reading critical registry keys

Sending a custom TCP request

Changing a file

Creating a file in the %AppData% subdirectories

Creating a window

Сreating synchronization primitives

Running batch commands

Creating a process with a hidden window

Launching a process

Launching the default Windows debugger (dwwin.exe)

Stealing user critical data

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/61eac642f81da814af963240/reports/d1ad361f-9152-4d41-87fb-4b797d8fa869/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Arkei Stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/4d28b949-e4c2-4bda-90d8-ae141796b0cd

Result

Threat name:

Vidar

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/925268

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Contains functionality to detect sleep reduction / modifications

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found C&C like URL pattern

Found evasive API chain (may stop execution after checking computer name)

Found evasive API chain (may stop execution after checking locale)

Found evasive API chain (may stop execution after checking mutex)

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Found malware configuration

Machine Learning detection for sample

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Self deletion via cmd delete

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/2533988e9f91942374496eff84c8de129d542f8f998fd16807cc0ba34dea62d5/

Threat name:

Win32.Trojan.Strab

Status:

Malicious

First seen:

2022-01-21 14:42:11 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

20 of 28 (71.43%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=euzzrdu7sgkcg5cjn37yjsg6ckovil4ptgh5c2ahzqf2gtpkmlkq._file

Verdict:

malicious

ArkeiStealer

4bad031e24ba56c29df3e75647208ff2fd4332d6bbd43e6eae85aee6c169b70e

ArkeiStealer

7adc964978fc6d07051540dce92572970ce1564f239bbefcdf823ae6b00d8624

ArkeiStealer

81bc6e0cf586a808ef3ee9c5ace20622f414853a8606007357104c39f5fa5693

ArkeiStealer

b97e66178aa10ab5b06531c7fb2fd36d7c94485367f6db3e94c969f40d8e6940

ArkeiStealer

c7320285a03a41823dd5e9da28c4533c0f844c4f76b6556cc7e721aca5d0e08e

ArkeiStealer

f767c98dd6218f19d0401ae5dd88c720635871c132f7486481735cab48b46d85

ArkeiStealer

+ 757 additional samples on MalwareBazaar

Result

Malware family:

arkei

Score:

10/10

Tags:

family:arkei botnet:default discovery spyware stealer

Link:

https://tria.ge/reports/220121-r21d8ahgg2/

Behaviour

Checks processor information in registry

Delays execution with timeout.exe

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Deletes itself

Loads dropped DLL

Reads user/profile data of web browsers

Downloads MZ/PE file

Arkei Stealer Payload

Arkei

Malware Config

C2 Extraction:

http://homesteadr.link/ggate.php

Unpacked files

SH256 hash:

25398f16eec8efb46307477726f7252600b308a8340b987a7e6f10967bed38a0

MD5 hash:

550ead6fec90abebf97b45d21d60c4d6

SHA1 hash:

81cbaea2089147aa8b687e1e39f0722570357674

Link:

https://www.unpac.me/results/d592549c-0082-4c72-9c75-dc3e3e32939b/

SH256 hash:

2533988e9f91942374496eff84c8de129d542f8f998fd16807cc0ba34dea62d5

MD5 hash:

7e15d262ccd214ffe30b5d2a68bf56e4

SHA1 hash:

eb89d690cb604b8c828550ed1e216ae02532077a

Link:

https://www.unpac.me/results/d592549c-0082-4c72-9c75-dc3e3e32939b/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/2533988e9f91/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/2533988e9f91942374496eff84c8de129d542f8f998fd16807cc0ba34dea62d5

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ArkeiStealer

exe 2533988e9f91942374496eff84c8de129d542f8f998fd16807cc0ba34dea62d5

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/1983303/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/221519/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample