MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 365b72e0c1452e528e52d162db90916a924b542cdc8d2a696a0c6883446239d4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ArkeiStealer

Vendor detections: 11

Intelligence 11 IOCs YARA File information Comments

SHA256 hash:	365b72e0c1452e528e52d162db90916a924b542cdc8d2a696a0c6883446239d4
SHA3-384 hash:	05f7f6c3b93ff921f3d52d66dee1a5ecea25d917b90efee2977bc6c53a26614ea1773fa8ab6dfbbd29edefb451477d08
SHA1 hash:	269d9d060d70944bb9b2ede9f128f063358d7b88
MD5 hash:	5a7e9c86887d51ef7a1043ef6f242e70
humanhash:	april-three-princess-fish
File name:	file
Download:	download sample
Signature	ArkeiStealer Create hunting rule
File size:	1'048'064 bytes
First seen:	2022-11-04 10:13:16 UTC
Last seen:	2022-11-04 11:17:05 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	78dee4e11b3000b6380c410474a798f4 (13 x RedLineStealer, 1 x ArkeiStealer)
ssdeep	24576:BJ1YYqe97AM+Gj+KLScLoHsZn5Gi9P8TFepazDH4o:Dqe97XtbLScLmsZ4pec5
Threatray	910 similar samples on MalwareBazaar
TLSH	T13425F13AA4ED50F1D671053E48F4E07240F8FBCEC7E1AD9B4B98675D89607C2922366B
TrID	32.2% (.EXE) Win64 Executable (generic) (10523/12/4) 20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 15.4% (.EXE) Win16 NE executable (generic) (5038/12/1) 13.7% (.EXE) Win32 Executable (generic) (4505/5/1) 6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter	andretavare5
Tags:	ArkeiStealer exe

andretavare5

Sample downloaded from https://vk.com/doc759438714_648916704?hash=D941qENCsVfsmvaIcPhqJNcsj1wQoGierkTz31hZqZD&dl=G42TSNBTHA3TCNA:1667556402:eQg5ZtWeBFlaHycLe4u28b6LfDxz3EfYbqkeuM6xbzo&api=1&no_preview=1#test300

Intelligence

File Origin

# of uploads :

# of downloads :

197

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

file

Verdict:

Malicious activity

Analysis date:

2022-11-04 10:14:00 UTC

Tags:

loader stealer

Link:

https://app.any.run/tasks/ff84dcde-eaaa-4992-8b8a-64a9f04e389b

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/328415/

Detection(s):

SecuriteInfo.com.Variant.Lazy.260486.3482.3598.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Searching for the window

Launching a process

Launching the default Windows debugger (dwwin.exe)

Creating a window

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/6364e5ebd998c15a09ab0a31/reports/d228f815-0fd4-407a-a6da-769d52d96360/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

AdFind

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/88a64b33-4119-45c0-a1c7-67260164b72d

Result

Threat name:

Vidar

Detection:

malicious

Classification:

troj.spyw.evad

Score:

92 / 100

Link:

https://www.joesandbox.com/analysis/1105301

Signature

Allocates memory in foreign processes

Contains functionality to inject code into remote processes

Found API chain indicative of debugger detection

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Writes to foreign memory regions

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/365b72e0c1452e528e52d162db90916a924b542cdc8d2a696a0c6883446239d4/

Threat name:

Win32.Trojan.RedLine

Status:

Malicious

First seen:

2022-11-04 10:14:09 UTC

File Type:

PE (Exe)

AV detection:

17 of 26 (65.38%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=gznxfygbiuxffdss2frnxeernkjewvbm3sgsu2lkbruigrdchhka._file

Verdict:

malicious

ArkeiStealer

3af3279ede125805a47682382304f6b76af4e7c34c2bfeaa198e0dc38f3ad1b6

ArkeiStealer

722a297fad3b3764bd9f4df0b3bf5d403a367d8dcb22e1a5821f9c44296a8760

ArkeiStealer

dade5b7aa50e2e1df254ae9c8b70f59cfa6c47889bc1cb3ff722620b367fde60

ArkeiStealer

e19531b7bc44f39de7e750b65cb9a73c51d95bb1380c46772584e125f36550ff

ArkeiStealer

e61234a0934d7955c0bafda460b8220f7012958415e05635d61d433a6e0c9006

ArkeiStealer

f414b58167438e77909afa13c1e137874fb7aad4983d30cd9b769f205ace0078

ArkeiStealer

fa64bc211d04136ec885512c04ca91ed3b7ac8f4cf3cad1b254590afbede44d1

ArkeiStealer

fb22b06cf1d1785bae8c6c0995398074efb501edeb44249e7e3730b4ac3df547

ArkeiStealer

+ 900 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://tria.ge/reports/221104-l9mv7sgcdk/

Behaviour

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of SetThreadContext

Loads dropped DLL

Downloads MZ/PE file

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/05f0e693-345e-4ccc-8093-7f0181153a7b

Unpacked files

SH256 hash:

61b751366204c270db12e3866d25196c2746a20c6f7b3abf9391bdd1a449e3c0

MD5 hash:

cc9f06a4a45d6b0e4f04bfc91e372ce4

SHA1 hash:

c941aff9946c3504cbe3fcdf56962db414e3e846

Link:

https://www.unpac.me/results/524a3a0c-1ff8-4597-b34d-cb071bf6e915/

SH256 hash:

365b72e0c1452e528e52d162db90916a924b542cdc8d2a696a0c6883446239d4

MD5 hash:

5a7e9c86887d51ef7a1043ef6f242e70

SHA1 hash:

269d9d060d70944bb9b2ede9f128f063358d7b88

Link:

https://www.unpac.me/results/524a3a0c-1ff8-4597-b34d-cb071bf6e915/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/365b72e0c1452e528e52d162db90916a924b542cdc8d2a696a0c6883446239d4

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

Cape

https://www.capesandbox.com/analysis/328415/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample