MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2d45c9f984150cbeafd07b26b269baefdb497d6e5687e8a0633601e9083afed1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2d45c9f984150cbeafd07b26b269baefdb497d6e5687e8a0633601e9083afed1
SHA3-384 hash: e8662ad215180794eaab58d716d44593d6be9b10236d2ba4da6fb06015edfad88499157a8847f090f6cbd915cd858c02
SHA1 hash: 537f6e53e2aab77b8d7ff6084b746b032d970664
MD5 hash: a32ab1ff2ec5f835b6456bb20a356e5e
humanhash: lithium-paris-blue-nuts
File name:a32ab1ff2ec5f835b6456bb20a356e5e
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:2'135'028 bytes
First seen:2021-11-16 21:59:40 UTC
Last seen:2021-11-16 23:02:56 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b68d5313410a9597c5737c0eeeeb4a49 (4 x ArkeiStealer)
ssdeep 49152:wQu/4AuIRxChyElzhZEd+BSHxAxQdALBQBWjopG:wQU4sCHZEIBSHSLB47G
Threatray 7'280 similar samples on MalwareBazaar
TLSH T1EFA52350D1D04473E89585BFC0A99B7A9DF46E3A130C90C7A38E60A54E389F5AF3D91F
Reporter zbetcheckin
Tags:32 ArkeiStealer exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
116
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/206664/
Detection(s):
SecuriteInfo.com.Trojan.GenericKDZ.80003.8124.29448.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for analyzing tools
Searching for the window
DNS request
Sending an HTTP GET request
Creating a file
Reading critical registry keys
Changing a file
Creating a file in the %AppData% subdirectories
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Launching a process
Stealing user critical data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/619429e843e8f62b6695f3f5/reports/07220589-48f1-4e70-8c9f-80848e185a4b/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Oski Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1c44cf31-f27a-450d-9dc9-290a572579c0
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/890797
Signature
Found malware configuration
Hides threads from debuggers
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Self deletion via cmd delete
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2d45c9f984150cbeafd07b26b269baefdb497d6e5687e8a0633601e9083afed1/
Threat name:
Win32.Trojan.Vidar
Create hunting rule
Status:
Malicious
First seen:
2021-11-16 19:12:18 UTC
AV detection:
28 of 44 (63.64%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
038152eae96d57cb15d542b84755d9feadee7d2012fc183a1937c448c211671e
ArkeiStealer
14a0d25b4d33216e9110c9588fa3168105efdad28827e772c4798337544eb708
ArkeiStealer
219503ea9a72bfecd77da975355ec88a16e8fea6d9a03ff7cb76c8f573db7a75
ArkeiStealer
5e08ef6445c40ba0c1216c04291b0d9ef48f0983a9aebd25f214e6fc988daa53
ArkeiStealer
90618d3aa5146d27b46476a4c7bfcc2e5323b74dcbcf2c0af6b4f00c4c2d9297
ArkeiStealer
959e3ca2579b6be8a11c06763c5a34ec118abc96d869e25bef06319c92da465e
ArkeiStealer
b817002c69c6315e116f14d6fe64151577999eb773842f052fb17d9a7413a53c
ArkeiStealer
e558134f888d403ba60d7db59978502a9071951528cd4873bd4702921012d69e
ArkeiStealer
f1e4cf5b0fc8658f900febca637c9071fe7396f410015c41284768eac593ffa5
ArkeiStealer
+ 7'270 additional samples on MalwareBazaar
Result
Malware family:
arkei
Create hunting rule
Score:
  10/10
Tags:
family:arkei discovery evasion spyware stealer themida trojan
Link:
https://tria.ge/reports/211116-1wnb5sffe5/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
Checks BIOS information in registry
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
Downloads MZ/PE file
Arkei Stealer Payload
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Arkei
Unpacked files
SH256 hash:
33cef0fb836fe4456b194f0ad324d11634e7dad020d364a754a9c4fe9f8d37bf
MD5 hash:
30ff6c4dac6fa77545edcc201ef5ec6c
SHA1 hash:
5c21553739200ba2820e77f493affb8cb8caf69b
Link:
https://www.unpac.me/results/e701ac20-e463-4741-98a5-b9ad6b592009/
SH256 hash:
2d45c9f984150cbeafd07b26b269baefdb497d6e5687e8a0633601e9083afed1
MD5 hash:
a32ab1ff2ec5f835b6456bb20a356e5e
SHA1 hash:
537f6e53e2aab77b8d7ff6084b746b032d970664
Link:
https://www.unpac.me/results/e701ac20-e463-4741-98a5-b9ad6b592009/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/2d45c9f98415/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/2d45c9f984150cbeafd07b26b269baefdb497d6e5687e8a0633601e9083afed1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_Themida
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Themida
Rule name:INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation
Create hunting rule
Author:ditekSHen
Description:Detects executables containing potential Windows Defender anti-emulation checks

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ArkeiStealer

Executable exe 2d45c9f984150cbeafd07b26b269baefdb497d6e5687e8a0633601e9083afed1

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/206664/
  
URLhaus
https://urlhaus.abuse.ch/url/1795842/

Comments


Avatar
zbet commented on 2021-11-16 21:59:42 UTC

url : hxxp://45.95.235.77/srfs.exe