MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3195de7203698e68a7c4bae754b2d70c405e957e403eadd3169af287a36cd5f3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ArkeiStealer

Vendor detections: 12

Intelligence 12 IOCs YARA File information Comments

SHA256 hash:	3195de7203698e68a7c4bae754b2d70c405e957e403eadd3169af287a36cd5f3
SHA3-384 hash:	905db91ecdc4c902b35cfb874a5533111b3acf07d1af5834123f36e23abb41930385f1014ac4dfd135ee2ac40ff46ab5
SHA1 hash:	1c902feb1c2172af5042452f532b7785ea8a7f25
MD5 hash:	f08bfabd2cc3caeee9bdfb8afef2eac9
humanhash:	mars-alaska-william-bacon
File name:	f08bfabd2cc3caeee9bdfb8afef2eac9.exe
Download:	download sample
Signature	ArkeiStealer Create hunting rule
File size:	246'784 bytes
First seen:	2022-02-03 08:55:18 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	26363ee2d97e8f09a6de68bb38d5f316 (2 x ArkeiStealer)
ssdeep	6144:jEqdJLW0rf2pkX8/gg8sxh8kX4X89wk6cuu:I8z7ukXQXQe9h6cu
Threatray	3'844 similar samples on MalwareBazaar
TLSH	T16634DF0477D0C436F85A7431293DCAB06A3A7C32EA71C5877B96276F5E703C09A6273A
File icon (PE):
dhash icon	fcf8b4b4b494d9c1 (17 x Smoke Loader, 8 x RedLineStealer, 6 x Amadey)
Reporter	abuse_ch
Tags:	ArkeiStealer exe

Intelligence

File Origin

# of uploads :

# of downloads :

168

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/231822/

Detection(s):

Win.Malware.Generic-9938273-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

DNS request

Sending an HTTP GET request

Creating a file

Reading critical registry keys

Changing a file

Creating a file in the %AppData% subdirectories

Creating a window

Сreating synchronization primitives

Running batch commands

Creating a process with a hidden window

Launching a process

Launching the default Windows debugger (dwwin.exe)

Searching for the window

Stealing user critical data

Result

Malware family:

n/a

Score:

9/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/5845/overview

Behaviour

MalwareBazaar

SystemUptime

CPUID_Instruction

MeasuringTime

CheckCmdLine

EvasionGetTickCount

EvasionQueryPerformanceCounter

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware

Link:

https://www.filescan.io/uploads/61fb98b5a0f6a794b3366c04/reports/deeb5eba-ee81-45e4-9b6f-ea1d6cfddc0a/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/0a58a03c-b8b0-4e9c-840e-ac098c5ce512

Result

Threat name:

Vidar

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/933331

Behaviour

Behavior Graph:

n/a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/3195de7203698e68a7c4bae754b2d70c405e957e403eadd3169af287a36cd5f3/

Threat name:

Win32.Trojan.DiskWriter

Status:

Malicious

First seen:

2022-02-03 02:25:49 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

23 of 28 (82.14%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=ggk544qdnghgrj6exltvjmwxbraf5fl6ia7k3uywtlzipi3m2xzq._file

Verdict:

malicious

ArkeiStealer

5c61d730fd58be005ae3ad11e7a9ae96d549522bfa53ee7c5851107ae386fd67

ArkeiStealer

81046b6948cd3b8ca105c0580b8aecabaff132161125328e49925570b6b22b80

ArkeiStealer

85dd04331f4c472e795d3cd3fbd9f6fd165b05af55aa94d429a2c90d56c46227

ArkeiStealer

8f557991ffb143f5a73379eb4038ca3195ff2600299d4685677b88d0a6015bdd

ArkeiStealer

b97e66178aa10ab5b06531c7fb2fd36d7c94485367f6db3e94c969f40d8e6940

ArkeiStealer

cce1c12199ed819ddcca92619b38e6986942f3e079acdf261ba10a6262dcfe33

ArkeiStealer

+ 3'834 additional samples on MalwareBazaar

Result

Malware family:

arkei

Score:

10/10

Tags:

family:arkei botnet:default discovery spyware stealer

Link:

https://tria.ge/reports/220203-kv3gnsegbp/

Behaviour

Checks processor information in registry

Delays execution with timeout.exe

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Deletes itself

Loads dropped DLL

Reads user/profile data of web browsers

Downloads MZ/PE file

Arkei Stealer Payload

Arkei

Malware Config

C2 Extraction:

http://tuntutul.link/gate1.php

Unpacked files

SH256 hash:

eb2bc01f012430a51144205efddcd7e3c4379fd5bc8288045e87c368b6c69942

MD5 hash:

2ec67660b02b142482e86632f446c46c

SHA1 hash:

7e7fcabbe363d1c908706d96bb148ac6f3c73996

Link:

https://www.unpac.me/results/7d5eb6d0-9cb6-4bdc-a108-1e581b0fd36d/

SH256 hash:

3195de7203698e68a7c4bae754b2d70c405e957e403eadd3169af287a36cd5f3

MD5 hash:

f08bfabd2cc3caeee9bdfb8afef2eac9

SHA1 hash:

1c902feb1c2172af5042452f532b7785ea8a7f25

Link:

https://www.unpac.me/results/7d5eb6d0-9cb6-4bdc-a108-1e581b0fd36d/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/3195de7203698e68a7c4bae754b2d70c405e957e403eadd3169af287a36cd5f3

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ArkeiStealer

exe 3195de7203698e68a7c4bae754b2d70c405e957e403eadd3169af287a36cd5f3

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/2024391/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/231822/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample