MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3500abcc8f0c8af8f665b03f8bab9c712fe8b4a073ea1f35618e68c7b7075794. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ArkeiStealer
Vendor detections: 11

SHA256 hash: 3500abcc8f0c8af8f665b03f8bab9c712fe8b4a073ea1f35618e68c7b7075794
SHA3-384 hash: 8df28c7fef63141ec21cedaca785111e51d9d0f0c63642d4310f0c5f732eca7bda0a765985955e7e21cd8c9c1b19fa1f
SHA1 hash: afa8b2c2dd1716a99cdc90db1ee7ed697e5d4a44
MD5 hash: c22d118e015bf26774d7d0153236a373
humanhash: oklahoma-speaker-hydrogen-diet
File name: DriverEasy.exe
Signature: ArkeiStealer
File size: 6'442'696 bytes
First seen: 2022-12-23 18:52:55 UTC
Last seen: 2022-12-23 20:29:18 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: e569e6f445d32ba23766ad67d1e3787f (259 x Adware.Generic, 41 x RecordBreaker, 24 x RedLineStealer)
ssdeep: 196608:uk6O5kHx/kxCSraJRCk78M4dwFyUPAI+l5Qss:N61xMxCSraJRCk7l0dI+XQL
TLSH: T12C5601BBB1D8612FC56A0B3D45725E909D7BAA71F41A8C1A07E0443CCB2EC601EFB65D
TrID: 61.8% (.EXE) Inno Setup installer (109740/4/30)
      23.4% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
      5.9% (.EXE) Win64 Executable (generic) (10523/12/4)
      2.5% (.EXE) Win32 Executable (generic) (4505/5/1)
      1.6% (.MZP) WinArchiver Mountable compressed Archive (3000/1)
dhash icon: 3378d6d292d671b2 (1 x RecordBreaker, 1 x ArkeiStealer)
Reporter: x3ph1
Tags: ArkeiStealer exe Fugrafa signed

Code Signing Certificate

Organisation: www.peer.com.uk
Issuer: www.peer.com.uk
Algorithm: sha256WithRSAEncryption
Valid from: 2022-12-21T14:45:55Z
Valid to: 2023-12-21T15:05:55Z
Serial number: 1d5bd23fd060e1a5476875bf535c0476
Thumbprint Algorithm: SHA256
Thumbprint: 3195accedfa9b71b50a24ad54ed7949e464d6144612f14159e8eafbd4ede793a
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads: 2
# of downloads: 303
Origin country: US
Vendor Threat Intelligence
Malware family:
ID: 1
File name: DriverEasy.exe
Verdict: Malicious activity
Analysis date: 2022-12-23 18:53:18 UTC
Tags: installer loader trojan stealer vidar

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Creating synchronization primitives
Searching for synchronization primitives
Moving a file to the %temp% subdirectory
Creating a file
Moving a recently created file
Running batch commands
Creating a process with a hidden window
Enabling the 'hidden' option for files in the %temp% directory
Launching a process
Using the Windows Management Instrumentation requests
Sending an HTTP GET request
Launching cmd.exe command interpreter
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: overlay packed setupapi.dll shell32.dll
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Unknown
Detection: malicious
Classification: troj.evad
Score: 48 / 100
Signature
.NET source code references suspicious native API functions
Antivirus detection for URL or domain
Encrypted powershell cmdline option found
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file has a writeable .text section
Suspicious powershell command line found
Yara detected Generic Downloader
Behaviour
Behavior Graph ID: 772904; Sample: DriverEasy.exe; Startdate: 23/12/2022; Architecture: WINDOWS; Score: 48
DNS/IP node: efAWmeBPOVjoF.efAWmeBPOVjoF
Sample-level signatures: Multi AV Scanner detection for domain / URL; Antivirus detection for URL or domain; Multi AV Scanner detection for dropped file; 4 other signatures
Process tree:
  DriverEasy.exe (started)
    dropped: C:\Users\user\AppData\...\DriverEasy.tmp (PE32)
    signature: Obfuscated command line found
    DriverEasy.tmp (started)
      dropped: C:\Users\user\...\DriverEasy.5.7.3.exe (copy) (PE32); C:\Users\user\AppData\Local\...\is-2SOA1.tmp (PE32); C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+); 3 other files (none is malicious)
      DriverEasy.5.7.3.exe (started)
        dropped: C:\Users\user\...\DriverEasy.5.7.3.tmp (PE32)
        signature: Obfuscated command line found
        DriverEasy.5.7.3.tmp (started)
          dropped: C:\Users\user\AppData\...\iswin7logo.dll (PE32); C:\Program Filesaseware\...\is-PA7TR.tmp (PE32); C:\Program Files\...\DriverEasy.exe (copy) (PE32); 31 other files (1 malicious)
      cmd.exe (started)
        signatures: Suspicious powershell command line found; Encrypted powershell cmdline option found
        powershell.exe (started)
        powershell.exe (started)
        conhost.exe (started)
Threat name: Win32.Infostealer.Bandra
Status: Malicious
First seen: 2022-12-22 12:27:34 UTC
File Type: PE (Exe)
Extracted files: 11
AV detection: 14 of 26 (53.85%)
Threat level: 5/5
Verdict: malicious
Result
Malware family: n/a
Score: 8/10
Tags: discovery spyware stealer upx
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Modifies registry class
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Drops desktop.ini file(s)
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
UPX packed file
Unpacked files
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: CAS_Malware_Hunting
Author: Michael Reinprecht
Description: DEMO CAS YARA Rules for sample2.exe

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Signature: ArkeiStealer
File type: Executable exe
SHA256 hash: 3500abcc8f0c8af8f665b03f8bab9c712fe8b4a073ea1f35618e68c7b7075794 (this sample)

Comments