MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 255838ffda0bd0d6c2565eed99d9497ffff2b7822b1a23c993251dfbf8a4a646. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 255838ffda0bd0d6c2565eed99d9497ffff2b7822b1a23c993251dfbf8a4a646
SHA3-384 hash: bbdbcab8149ba58d0dd826312fb7e0f5df5b6172e5339470272a1fc3ae192530876539382ab92ff4b546bccc74d56657
SHA1 hash: bdbc817efc196fd7cdbcb392e24375e03ed91b11
MD5 hash: 719710579599927fa9d972472e8a66b1
humanhash: july-fruit-twenty-vermont
File name:719710579599927fa9d972472e8a66b1
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:1'631'104 bytes
First seen:2021-12-23 15:24:10 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 766e01ca2fb630c90d0dbb371f35eb29 (1 x ArkeiStealer)
ssdeep 49152:Q4xUpFr0+X9IeOfUI1ZpZoGCdq2KyXDT0:ar082ZXqGv2KIDo
Threatray 62 similar samples on MalwareBazaar
TLSH T11B7523959B50791AD4A4083E0DB36C5F429CA6704DEFB2DBC84DBBCB787078AEC47216
File icon (PE):PE icon
dhash icon 9671e0f0f0f07192 (2 x RedLineStealer, 1 x ArkeiStealer)
Reporter zbetcheckin
Tags:ArkeiStealer exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
202
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
719710579599927fa9d972472e8a66b1
Verdict:
Malicious activity
Analysis date:
2021-12-23 15:25:56 UTC
Tags:
loader stealer trojan
Link:
https://app.any.run/tasks/ef53ec80-d257-4272-81d6-e36c7db812de

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/215994/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware1.11938.7056.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for analyzing tools
Searching for the window
Сreating synchronization primitives
DNS request
Sending an HTTP GET request
Creating a file
Reading critical registry keys
Changing a file
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Running batch commands
Creating a process with a hidden window
Launching a process
Stealing user critical data
Unauthorized injection to a recently created process
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/3027/overview
Behaviour
MalwareBazaar
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware overlay packed
Link:
https://www.filescan.io/uploads/61c494d14ab5c44cbf4e268c/reports/4731e791-1334-442a-91cd-9ed00a78ce82/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Ryuk
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/df65ce41-5689-4acb-aaea-5d859e5d77b2
Result
Threat name:
MicroClip Vidar
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/912087
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Hides threads from debuggers
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Query firmware table information (likely to detect VMs)
Self deletion via cmd delete
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to evade analysis by execution special instruction which cause usermode exception
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected MicroClip
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 544561 Sample: qs7lBHR1xu Startdate: 23/12/2021 Architecture: WINDOWS Score: 100 46 Multi AV Scanner detection for domain / URL 2->46 48 Found malware configuration 2->48 50 Antivirus detection for URL or domain 2->50 52 7 other signatures 2->52 7 qs7lBHR1xu.exe 143 2->7         started        process3 dnsIp4 42 185.7.214.239, 49743, 80 DELUNETDE France 7->42 44 data-file-data-7.com 47.243.113.187, 49744, 49745, 80 CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC United States 7->44 28 C:\Users\user\...\8060_1640015139_2229[1].exe, PE32 7->28 dropped 30 C:\ProgramData\windowsdefender.exe, PE32 7->30 dropped 32 C:\Users\user\AppData\...\sqlite3[1].dll, PE32 7->32 dropped 34 3 other files (none is malicious) 7->34 dropped 54 Query firmware table information (likely to detect VMs) 7->54 56 Tries to detect sandboxes and other dynamic analysis tools (window names) 7->56 58 Self deletion via cmd delete 7->58 60 6 other signatures 7->60 12 windowsdefender.exe 3 7->12         started        16 wiwsnder.exe 14 2 7->16         started        19 cmd.exe 1 7->19         started        file5 signatures6 process7 dnsIp8 36 C:\Users\user\AppData\...\RuntimeBroker.exe, PE32 12->36 dropped 62 Multi AV Scanner detection for dropped file 12->62 38 162.159.129.233 CLOUDFLARENETUS United States 16->38 21 WerFault.exe 20 9 16->21         started        24 conhost.exe 19->24         started        26 timeout.exe 1 19->26         started        file9 signatures10 process11 dnsIp12 40 20.189.173.21 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 21->40
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/255838ffda0bd0d6c2565eed99d9497ffff2b7822b1a23c993251dfbf8a4a646/
Threat name:
Win32.Trojan.Tasker
Create hunting rule
Status:
Malicious
First seen:
2021-12-23 14:12:20 UTC
AV detection:
12 of 43 (27.91%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
00427344e070941ca266d725e67a57688ae7676b6bf3f71b98bf13292f1c8ae5
ArkeiStealer
0061dbb13881789f22f53c30fd894b0cf797e705752fa58cbcab7dba270f4fe1
ArkeiStealer
0c73474ceb5c96ff4c0231b9d542d65c1d78b82de926bbfd4413d81684d78e58
ArkeiStealer
28f5fa7118d4f1866643d781c3fee5cb4507f3d268c263ef40551d527da2c330
ArkeiStealer
9a1f36511ec56cbf0cf30080cdc11d8f261823079838cedd5ce0e6391ec815ef
ArkeiStealer
9ce97b2a248555831866151f6c4d9c682dc792f6df3e3e8f8142bdc717f34876
ArkeiStealer
9debd5d7a5f7cf87a37d1f1432878baa0ac7cf6ecca5b4bfdcfa1163f07a6953
ArkeiStealer
bff3d8677d0c866b3fa47a2176ba05c9ae03cc215794896f2ef922a1aa037097
ArkeiStealer
dd75325c7035eee20647ca9d5a101167165d2dba88f6bf54a7afc50c276aba90
ArkeiStealer
+ 52 additional samples on MalwareBazaar
Result
Malware family:
arkei
Create hunting rule
Score:
  10/10
Tags:
family:arkei discovery evasion spyware stealer trojan
Link:
https://tria.ge/reports/211223-stl3asaah5/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
Checks BIOS information in registry
Deletes itself
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Arkei Stealer Payload
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Arkei
Unpacked files
SH256 hash:
dc3d1cb9d9916d9ae1c9262d60b5c1d1b7ce05611bbc1391ad0bfed2120eba85
MD5 hash:
4931943016a429433999e880d781fb9e
SHA1 hash:
9558935cd067043661dd8e6660c3a27f3f814b4b
Link:
https://www.unpac.me/results/de73b789-61fa-4a3e-8be0-25a42bba3074/
SH256 hash:
255838ffda0bd0d6c2565eed99d9497ffff2b7822b1a23c993251dfbf8a4a646
MD5 hash:
719710579599927fa9d972472e8a66b1
SHA1 hash:
bdbc817efc196fd7cdbcb392e24375e03ed91b11
Link:
https://www.unpac.me/results/de73b789-61fa-4a3e-8be0-25a42bba3074/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.83
Link:
https://yomi.yoroi.company/submissions/255838ffda0bd0d6c2565eed99d9497ffff2b7822b1a23c993251dfbf8a4a646

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ArkeiStealer

Executable exe 255838ffda0bd0d6c2565eed99d9497ffff2b7822b1a23c993251dfbf8a4a646

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/215994/
  
URLhaus
https://urlhaus.abuse.ch/url/1914370/

Comments


Avatar
zbet commented on 2021-12-23 15:24:11 UTC

url : hxxp://data-file-data-7.com/files/5724_1640264626_3269.exe