MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 26d62525d904a1739ff73041a2dc0522a31225fc0c696e061bde265c98027e9c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 26d62525d904a1739ff73041a2dc0522a31225fc0c696e061bde265c98027e9c
SHA3-384 hash: 97b33c2f33fb18459a6330c1f37de0059b77160fa56d236a2ad1bb424d72601e4540a33b7497a774d9255cda92c5ed08
SHA1 hash: af7967d31612a2be2ab68478d766f9511d6b8159
MD5 hash: 48f783f1d88bc90a10874a98056f46bb
humanhash: zulu-equal-ink-sink
File name:48f783f1d88bc90a10874a98056f46bb.exe
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:313'344 bytes
First seen:2021-11-23 20:10:53 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 57fcd4b73bdcb72ae43e8e838f842fae (4 x RedLineStealer, 1 x Smoke Loader, 1 x ArkeiStealer)
ssdeep 3072:301pY7y6tkZp6GrZaWCTPUS5lXrhX5GleAene0bvmKH58DUrauTMv+5n65ix:JAzN4t3rhXgPB0b+KHu4+uQ8a
Threatray 648 similar samples on MalwareBazaar
TLSH T1DA649E0077A0C839F1B713F899B693B97A3E79A1AB25D0CB52D117EA4635AD0EC70347
File icon (PE):PE icon
dhash icon 60e8e8e8aa62a499 (7 x RaccoonStealer, 3 x Smoke Loader, 1 x Stop)
Reporter abuse_ch
Tags:ArkeiStealer exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
222
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
48f783f1d88bc90a10874a98056f46bb.exe
Verdict:
Malicious activity
Analysis date:
2021-11-23 20:40:44 UTC
Tags:
loader stealer trojan
Link:
https://app.any.run/tasks/aa659b45-a0c1-42e8-8040-122a9e3c8cf1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Gathering data
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
DNS request
Sending an HTTP GET request
Creating a file
Reading critical registry keys
Stealing user critical data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/619d4ae002c80febc2a76a44/reports/0cf8e8a8-63e9-43ca-86e5-5f5033ba7184/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/8ddc4930-d832-41ad-9f53-509073399262
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/895032
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to detect sleep reduction / modifications
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/26d62525d904a1739ff73041a2dc0522a31225fc0c696e061bde265c98027e9c/
Threat name:
Win32.Trojan.Azorult
Create hunting rule
Status:
Malicious
First seen:
2021-11-23 18:04:00 UTC
File Type:
PE (Exe)
Extracted files:
14
AV detection:
25 of 28 (89.29%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
31da72c02b00f8802c354ab3a6983f0456dd88ef7fccf7a8dc28d16c56a68ec7
ArkeiStealer
3566d28df861bb64f0043fbe5c1a96a07d64908579228d612a730d990c4fe0f9
ArkeiStealer
39a1abb4c73aa504755ac605a4b2de275c550dafb5fe8d8637f0257ce3030075
ArkeiStealer
55a2ca622ba64868fdc97aa1cc4ff5c84f56949341721e2c393e235dc6fda9bb
ArkeiStealer
8fb96e8afa9860305c821d8f4c516f90263c6353286cfa0707e1dbca1cc61930
ArkeiStealer
90fba76a6aa18dabe691bf76697a6160fce021d3e4a468868308053260184861
ArkeiStealer
b0e9f6ede4c6442ffed1ae5c650474ae10582945c9ec689d5ac4650f81ee0fdf
ArkeiStealer
cef4988a84b4bbc30960dfb652e3a41fc2f63fc599ae0ce916358c9550ab432b
ArkeiStealer
d7cdfb895940efd584c78b7e56f9ed720491234df489ee9eb9aa98c24714d530
ArkeiStealer
ffd10221005211f090f34086ba86a046bf7e44410e6f0163dd5bb82ecdadecb1
ArkeiStealer
+ 638 additional samples on MalwareBazaar
Result
Malware family:
arkei
Create hunting rule
Score:
  10/10
Tags:
family:arkei botnet:default discovery spyware stealer
Link:
https://tria.ge/reports/211123-yx967aedb4/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Arkei Stealer Payload
Arkei
Malware Config
C2 Extraction:
http://advanceddiplomaaviation.com/processings.php
Unpacked files
SH256 hash:
db073014cc201844eab3b6e326b7c2d0012a1fe298deb3d6b446e8f9a09f25bd
MD5 hash:
0116c6eae725fbd1d03538350db4092a
SHA1 hash:
7e3e6c37f886bd2150e40e4f2d64dfe5cb55095e
Link:
https://www.unpac.me/results/ad44c52b-fe1c-4ba2-bf07-ff7e03522f78/
SH256 hash:
26d62525d904a1739ff73041a2dc0522a31225fc0c696e061bde265c98027e9c
MD5 hash:
48f783f1d88bc90a10874a98056f46bb
SHA1 hash:
af7967d31612a2be2ab68478d766f9511d6b8159
Link:
https://www.unpac.me/results/ad44c52b-fe1c-4ba2-bf07-ff7e03522f78/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/26d62525d904/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/26d62525d904a1739ff73041a2dc0522a31225fc0c696e061bde265c98027e9c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ArkeiStealer

Executable exe 26d62525d904a1739ff73041a2dc0522a31225fc0c696e061bde265c98027e9c

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1808350/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/208822/

Comments