MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2d91e376152618dd6a130215eb8db5c438eafa6738d62266e3edec027a58e88e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2d91e376152618dd6a130215eb8db5c438eafa6738d62266e3edec027a58e88e
SHA3-384 hash: 69a8e4fdcc7c661a9f580343e971b6b0b3e7cbc235c67298e0acd20580d98240db1eef950a14070b6a58b032f0ba5953
SHA1 hash: 98c33fb3a48130f8082051c0c834bf865de709a1
MD5 hash: f6d536f3d6c49ca7da650f972fbcdd00
humanhash: three-lima-uncle-one
File name:f6d536f3d6c49ca7da650f972fbcdd00.exe
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:859'648 bytes
First seen:2021-09-19 16:03:55 UTC
Last seen:2021-09-19 16:57:04 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 33b96b25a561ce662403f8f66fbbfde5 (1 x ArkeiStealer)
ssdeep 3072:GU2LrHQLZTF1aI2LsEBsabgMArKjXGI3UbSLctvkn7aOKzXgVg3Zeu2GBlF0EfY/:l2L4TF1aI2LsYsGsrKD03vplFL
Threatray 458 similar samples on MalwareBazaar
TLSH T13505C8E5A91D4C77FCD8253816D31D6C68253FC7B02D358F71AABD28A9BBE81A847D00
File icon (PE):PE icon
dhash icon 88a8a08c8c8ea8a8 (5 x Squirrelwaffle, 4 x Formbook, 3 x ArkeiStealer)
Reporter abuse_ch
Tags:ArkeiStealer exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
157
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
f6d536f3d6c49ca7da650f972fbcdd00.exe
Verdict:
Malicious activity
Analysis date:
2021-09-19 16:06:28 UTC
Tags:
opendir stealer loader trojan
Link:
https://app.any.run/tasks/27a78346-fb74-4d53-802d-ac92fadd32c8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/189092/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware1.22519.17977.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Connection attempt
Sending an HTTP GET request
Modifying an executable file
Creating a file
Launching the default Windows debugger (dwwin.exe)
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/fd577547-5cb8-4eeb-861a-e106b7d02a8e
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/853544
Signature
Contains functionality to detect sleep reduction / modifications
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
PE file has nameless sections
Self deletion via cmd delete
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2d91e376152618dd6a130215eb8db5c438eafa6738d62266e3edec027a58e88e/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-09-19 16:04:14 UTC
AV detection:
14 of 28 (50.00%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
111dd17966a5f7058eb1cfc468c1d062602437a69694aa05eff97d121d611408
ArkeiStealer
120a50bdd5effe67ea0270aa7f938039e7a5e6a589a13e9371e381f4d1518dcd
ArkeiStealer
341970fa08050ae3de11bf7d13c9f76f818298c1f8af73e285fc56a0bb12b77b
ArkeiStealer
3d59ac598ad756cfa7d56ea28d85071266ccfbcec2bc952600ff82fec99d633c
ArkeiStealer
3e46c3912ced6d4821bb215ad4feb1711e3f0becaae258899ce77037c648048a
ArkeiStealer
7173381414ec85250c6bd3c9b803f2d49b98a7826c8aeea37d9328d5e74d7fb6
ArkeiStealer
7fb3e8a0c4b50a519c283a7b7702ccd23c38e78dc251d32b120d8e8a89f87b49
ArkeiStealer
90b9d553b4883ed20e3273a86351f103d10b012dab0c82179bb6b5bfcc188b88
ArkeiStealer
+ 448 additional samples on MalwareBazaar
Result
Malware family:
arkei
Create hunting rule
Score:
  10/10
Tags:
family:arkei discovery spyware stealer
Link:
https://tria.ge/reports/210919-thygmacbe7/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Arkei Stealer Payload
Arkei
Unpacked files
SH256 hash:
276dc4052ac7191a71ee5a5ccce551d75ae883960f90c487401d91da8e916960
MD5 hash:
3885bf96e6e7e954bdbbcf5afcf9de8a
SHA1 hash:
c9ccbad0ea1ebb75653c7295db8b73bdcb5b6129
Link:
https://www.unpac.me/results/f701a240-68a4-47f9-b2f4-bb5df5fb91a8/
SH256 hash:
2d91e376152618dd6a130215eb8db5c438eafa6738d62266e3edec027a58e88e
MD5 hash:
f6d536f3d6c49ca7da650f972fbcdd00
SHA1 hash:
98c33fb3a48130f8082051c0c834bf865de709a1
Link:
https://www.unpac.me/results/f701a240-68a4-47f9-b2f4-bb5df5fb91a8/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2d91e376152618dd6a130215eb8db5c438eafa6738d62266e3edec027a58e88e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ArkeiStealer

Executable exe 2d91e376152618dd6a130215eb8db5c438eafa6738d62266e3edec027a58e88e

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1549207/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/189092/

Comments