MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 39d0842cd4309ea2140bd8f4cffd0af9fe686e8262ac7430933b8f6b9445a137. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ArkeiStealer

Vendor detections: 10

Intelligence 10 IOCs YARA File information Comments

SHA256 hash:	39d0842cd4309ea2140bd8f4cffd0af9fe686e8262ac7430933b8f6b9445a137
SHA3-384 hash:	d761aa5f4d7e8db3bbaabd929cbf8880dd8790485aec751e9e9f8ce5a0008d77665bfa69a710eb33669f5095630bafbd
SHA1 hash:	61338a93574b9208586254caa4ad79f99d4e2a32
MD5 hash:	61c7908ba5cb2fca5b0e24b646c46e94
humanhash:	network-west-virginia-asparagus
File name:	61c7908ba5cb2fca5b0e24b646c46e94.exe
Download:	download sample
Signature	ArkeiStealer Create hunting rule
File size:	313'344 bytes
First seen:	2022-01-18 18:25:05 UTC
Last seen:	2022-01-18 19:29:50 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	a05ea1db0e2f90f226f7ed04f606f73c (1 x ArkeiStealer)
ssdeep	6144:/YQjtof5CiD9dhGq8SuQmOn8AF5W+tA5csb7ITsq://tof5CqPhGOuQUAFjicU7
TLSH	T18E64CEC17A92DC73C08235718825CFB49A7ABC32E56994C337B82B6E6F702D12677356
File icon (PE):
dhash icon	fcfcb4f4d4d4d8c0 (19 x RedLineStealer, 16 x RaccoonStealer, 14 x Smoke Loader)
Reporter	abuse_ch
Tags:	ArkeiStealer exe

Intelligence

File Origin

# of uploads :

# of downloads :

157

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

61c7908ba5cb2fca5b0e24b646c46e94.exe

Verdict:

Malicious activity

Analysis date:

2022-01-19 04:45:39 UTC

Tags:

stealer loader

Link:

https://app.any.run/tasks/4469d67f-ac55-4cbe-9e82-cc25f0952c5d

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/220304/

Detection(s):

SecuriteInfo.com.W32.AIDetect.malware2.21906.32740.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

DNS request

Sending an HTTP GET request

Creating a file

Reading critical registry keys

Changing a file

Creating a file in the %AppData% subdirectories

Creating a window

Сreating synchronization primitives

Running batch commands

Creating a process with a hidden window

Launching a process

Launching the default Windows debugger (dwwin.exe)

Stealing user critical data

Result

Malware family:

n/a

Score:

9/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/4602/overview

Behaviour

MalwareBazaar

SystemUptime

MeasuringTime

CPUID_Instruction

EvasionQueryPerformanceCounter

CheckCmdLine

EvasionGetTickCount

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

greyware

Link:

https://www.filescan.io/uploads/61e706080f8c757253c95e9d/reports/77ed4599-ef4d-4ce8-86b7-7eb92ff77b1b/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Vidar

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/ffdd0201-4fd3-4d75-bdb2-4ecab434571f

Result

Threat name:

Vidar

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/922723

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Contains functionality to detect sleep reduction / modifications

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found C&C like URL pattern

Found evasive API chain (may stop execution after checking computer name)

Found evasive API chain (may stop execution after checking locale)

Found evasive API chain (may stop execution after checking mutex)

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Found malware configuration

Machine Learning detection for sample

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Self deletion via cmd delete

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/39d0842cd4309ea2140bd8f4cffd0af9fe686e8262ac7430933b8f6b9445a137/

Threat name:

Win32.Trojan.CrypterX

Status:

Malicious

First seen:

2022-01-18 18:26:10 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

19 of 28 (67.86%)

Threat level:

5/5

Result

Malware family:

arkei

Score:

10/10

Tags:

family:arkei botnet:homesteadr discovery spyware stealer

Link:

https://tria.ge/reports/220118-w2nsmscedm/

Behaviour

Checks processor information in registry

Delays execution with timeout.exe

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Deletes itself

Loads dropped DLL

Reads user/profile data of web browsers

Downloads MZ/PE file

Arkei Stealer Payload

Arkei

Malware Config

C2 Extraction:

http://homesteadr.link/ggate.php

Unpacked files

SH256 hash:

58c875973672b50f8a6bafe3d156ef52e1c7adddf1ac97850a033d853a3abd80

MD5 hash:

60c4ad438a1e6e13682cf77b0ff866ae

SHA1 hash:

749b211505cd711bc3c3bd465b03f1a6b3ae3337

Link:

https://www.unpac.me/results/57920f58-9e53-4ec1-8588-1e495162d385/

SH256 hash:

39d0842cd4309ea2140bd8f4cffd0af9fe686e8262ac7430933b8f6b9445a137

MD5 hash:

61c7908ba5cb2fca5b0e24b646c46e94

SHA1 hash:

61338a93574b9208586254caa4ad79f99d4e2a32

Link:

https://www.unpac.me/results/57920f58-9e53-4ec1-8588-1e495162d385/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/39d0842cd430/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/39d0842cd4309ea2140bd8f4cffd0af9fe686e8262ac7430933b8f6b9445a137

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ArkeiStealer

exe 39d0842cd4309ea2140bd8f4cffd0af9fe686e8262ac7430933b8f6b9445a137

(this sample)

Cape

https://www.capesandbox.com/analysis/220304/

URLhaus

https://urlhaus.abuse.ch/url/1983303/

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample