MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 388e833740f160ceb5946b7c5e89c5af08dde862a7dd38344149e72dea7ec00d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 388e833740f160ceb5946b7c5e89c5af08dde862a7dd38344149e72dea7ec00d
SHA3-384 hash: 8c172778254b07a605a9baae82a02ccea19b135bbf80b6c83be539b6ad90b5ae2587f811830d7c2136336225c5a373f8
SHA1 hash: d67cfae6e373901507d46fe479b937e6224afb31
MD5 hash: 15685a4b7c571f0151679a8d02b090c5
humanhash: butter-minnesota-cold-nine
File name:15685a4b7c571f0151679a8d02b090c5
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:589'824 bytes
First seen:2021-11-03 15:16:20 UTC
Last seen:2021-11-03 16:32:07 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 6da48c08bfb04326a5b3050895dcdfb0 (1 x ArkeiStealer)
ssdeep 12288:/dpq2sSE2B0OWtV0oTqCuI+Gd+ABigEcV4Dhk3X9beHv0qYtYsGMmicEY:V82sSE2B0OWtyoTqCuI+Gd+ABigEcV4l
Threatray 579 similar samples on MalwareBazaar
TLSH T10EC492DDCD00C102DBE33BF222AD5E41C726D6BC0D146872A5C86D5E54B26F87626BEB
File icon (PE):PE icon
dhash icon d4b269969669b2d4 (4 x ArkeiStealer, 1 x NetSupport)
Reporter zbetcheckin
Tags:32 ArkeiStealer exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
114
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
15685a4b7c571f0151679a8d02b090c5
Verdict:
Malicious activity
Analysis date:
2021-11-03 15:33:53 UTC
Tags:
stealer
Link:
https://app.any.run/tasks/82e19734-b0fd-4faf-b6a8-bb92e509c29e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/201893/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.47313034.2481.18311.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Launching the default Windows debugger (dwwin.exe)
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
67%
Tags:
anti-vm greyware virus
Link:
https://www.filescan.io/uploads/6182a7ef9982ff7c3f7d9f87/reports/4f2dd2a3-9143-4546-81e4-6f242062b2cf/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/2ccd255f-8090-48a1-b4c7-a0e5d9709a7d
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/882400
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Contains functionality to detect sleep reduction / modifications
Contains functionality to inject code into remote processes
Detected unpacking (creates a PE file in dynamic memory)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Self deletion via cmd delete
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 514835 Sample: 1U60P2WiMj Startdate: 03/11/2021 Architecture: WINDOWS Score: 100 50 Found malware configuration 2->50 52 Antivirus detection for URL or domain 2->52 54 Antivirus detection for dropped file 2->54 56 9 other signatures 2->56 8 1U60P2WiMj.exe 129 2->8         started        13 sbcAZhZfQsIqUJEFnzpdLfQ.exe 1 2->13         started        process3 dnsIp4 44 thecowbook.com 45.8.124.234, 443, 49749, 49750 SELECTELRU Russian Federation 8->44 32 C:\Users\user\AppData\Local\...\instd[1].exe, PE32 8->32 dropped 34 C:\ProgramData\instd.exe, PE32 8->34 dropped 36 C:\Users\user\AppData\...\sqlite3[1].dll, PE32 8->36 dropped 38 C:\ProgramData\sqlite3.dll, PE32 8->38 dropped 58 Self deletion via cmd delete 8->58 60 Tries to harvest and steal browser information (history, passwords, etc) 8->60 62 Tries to steal Crypto Currency Wallets 8->62 15 instd.exe 4 8->15         started        19 cmd.exe 1 8->19         started        file5 signatures6 process7 file8 40 C:\...\sbcAZhZfQsIqUJEFnzpdLfQ.exe, PE32 15->40 dropped 46 Antivirus detection for dropped file 15->46 48 Uses schtasks.exe or at.exe to add and modify task schedules 15->48 21 sbcAZhZfQsIqUJEFnzpdLfQ.exe 13 15->21         started        24 schtasks.exe 1 15->24         started        26 conhost.exe 19->26         started        28 timeout.exe 1 19->28         started        signatures9 process10 dnsIp11 42 thecowbook.com 21->42 30 conhost.exe 24->30         started        process12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/388e833740f160ceb5946b7c5e89c5af08dde862a7dd38344149e72dea7ec00d/
Threat name:
Win32.Spyware.Mufila
Create hunting rule
Status:
Malicious
First seen:
2021-11-03 15:17:05 UTC
AV detection:
16 of 27 (59.26%)
Threat level:
  2/5
Verdict:
malicious
Similar samples:
2e14b592904e292539d9fc9d57a06df31676d5645ebaa49ebe129044d2d3baa3
ArkeiStealer
5a2eff9610a0bdc09557cd54e9ad7e5b93b930359a8e322fb479ab7b1e20cf7d
ArkeiStealer
6e43eb9d740ae582faabd5f31fb248cc2804b4e5af2a9122f7ae2fefacdf8292
ArkeiStealer
70d2439d21209fcc393ca4989fbe1d5966c651345ad9b38bab512dbe9861e2bb
ArkeiStealer
b3c5e8250ec320fd546df876a5be7ca4e9a70696dc2373ce5ff670def95d5238
ArkeiStealer
b944023d535bc8e5980173e203cee0d2fc2df9e865b4a06fc0694436ce5b6541
ArkeiStealer
c28e190666a5967096f8c8e3ecd3a62e502fe84eb300113faa3fe06575ea118b
ArkeiStealer
ccbded51600db440d54831ff724cf0e988220da4cd069244ade361c959b8c852
ArkeiStealer
e0a642286227876154d27e399aab958ab958f2f2e528c4f4593e9d80c64a87c6
ArkeiStealer
edf6beb88780fb3085332f843b73418f52bbf095265dad631cf8e187644cb565
ArkeiStealer
+ 569 additional samples on MalwareBazaar
Result
Malware family:
arkei
Create hunting rule
Score:
  10/10
Tags:
family:arkei botnet:default discovery spyware stealer
Link:
https://tria.ge/reports/211103-sn192abcbp/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Arkei Stealer Payload
Arkei
Malware Config
C2 Extraction:
https://thecowbook.com/news.php
Unpacked files
SH256 hash:
9995e2e4c5dc001e606b80a460775e6e554912d376d08d2dab3cb0d6ffc577bc
MD5 hash:
6008fda1ec778b826045e573ceb8150c
SHA1 hash:
a0354f0846588680ec09a5ba88355c0754a36a20
Link:
https://www.unpac.me/results/5f4dedaf-f640-48e8-8f1f-46403da28a63/
SH256 hash:
388e833740f160ceb5946b7c5e89c5af08dde862a7dd38344149e72dea7ec00d
MD5 hash:
15685a4b7c571f0151679a8d02b090c5
SHA1 hash:
d67cfae6e373901507d46fe479b937e6224afb31
Link:
https://www.unpac.me/results/5f4dedaf-f640-48e8-8f1f-46403da28a63/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/388e833740f1/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/388e833740f160ceb5946b7c5e89c5af08dde862a7dd38344149e72dea7ec00d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
Create hunting rule
Author:ditekSHen
Description:Detects binaries and memory artifcats referencing sandbox DLLs typically observed in sandbox evasion
Rule name:INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation
Create hunting rule
Author:ditekSHen
Description:Detects executables containing potential Windows Defender anti-emulation checks

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ArkeiStealer

Executable exe 388e833740f160ceb5946b7c5e89c5af08dde862a7dd38344149e72dea7ec00d

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/201893/
  
URLhaus
https://urlhaus.abuse.ch/url/1743557/

Comments


Avatar
zbet commented on 2021-11-03 15:16:21 UTC

url : hxxp://host-host-file6.com/files/5678_1635856331_3450.exe