MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4340bc1e1ddb5d268a010401be96435063de733a2601d158d13f56da9f20df5d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4340bc1e1ddb5d268a010401be96435063de733a2601d158d13f56da9f20df5d
SHA3-384 hash: c3250a0d0eaa21459fa1f5eb01227564ae6dad70fee166690f5427c0b19fe16cdde26af23f62b610785c1ede4e29b227
SHA1 hash: 74b4d4a19500d3644a6a4f523ad7d4adcb1ace6f
MD5 hash: ec72a93f6279b16006f2196f330166ee
humanhash: burger-quebec-harry-hotel
File name:ec72a93f6279b16006f2196f330166ee.exe
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:5'124'457 bytes
First seen:2021-09-28 06:27:36 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 5a594319a0d69dbc452e748bcf05892e (21 x ParallaxRAT, 20 x Gh0stRAT, 15 x NetSupport)
ssdeep 98304:8SiwHhbbp/qa7irrDRcLAs6EOZ354tnteHOBQNnPcMa:Np/qRv9qAzEPttRmcd
Threatray 1 similar samples on MalwareBazaar
TLSH T15636123FF268A53EC46E1B3245B38250897B7A60A81A8C1F57FC384DCF765601E3B656
File icon (PE):PE icon
dhash icon 5050d270cccc82ae (109 x Adware.Generic, 43 x LummaStealer, 42 x OffLoader)
Reporter abuse_ch
Tags:ArkeiStealer exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
117
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
zukuluti.pdf
Verdict:
Malicious activity
Analysis date:
2021-09-28 00:16:50 UTC
Tags:
evasion trojan opendir loader rat redline stealer vidar autoit 1xxbot
Link:
https://app.any.run/tasks/5808144f-752d-45a5-900a-d8841830d544

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/192391/
Detection(s):
PUA.Win.Packer.Exe-6
Create hunting rule

Result
Verdict:
Clean
Maliciousness:
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/003db2a0-9d4e-4330-8886-b823433cd7e6
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/859592
Signature
.NET source code contains in memory code execution
Found many strings related to Crypto-Wallets (likely being stolen)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 492023 Sample: br4Cu3BycW.exe Startdate: 28/09/2021 Architecture: WINDOWS Score: 76 40 Multi AV Scanner detection for dropped file 2->40 42 Multi AV Scanner detection for submitted file 2->42 44 Yara detected Vidar stealer 2->44 46 3 other signatures 2->46 9 br4Cu3BycW.exe 2 2->9         started        process3 file4 32 C:\Users\user\AppData\...\br4Cu3BycW.tmp, PE32 9->32 dropped 12 br4Cu3BycW.tmp 3 13 9->12         started        process5 file6 34 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 12->34 dropped 15 br4Cu3BycW.exe 2 12->15         started        process7 file8 36 C:\Users\user\AppData\...\br4Cu3BycW.tmp, PE32 15->36 dropped 18 br4Cu3BycW.tmp 5 127 15->18         started        process9 file10 24 C:\Users\user\AppData\...\is-7MTO8.tmp, PE32 18->24 dropped 26 C:\Users\user\...\CrystalReports.exe (copy), PE32 18->26 dropped 28 C:\Users\user\...\tsharkdecode.dll (copy), PE32+ 18->28 dropped 30 38 other files (none is malicious) 18->30 dropped 21 CrystalReports.exe 13 18->21         started        process11 dnsIp12 38 147.135.170.166, 80 OVHFR France 21->38
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4340bc1e1ddb5d268a010401be96435063de733a2601d158d13f56da9f20df5d/
Threat name:
Win32.Trojan.Sabsik
Create hunting rule
Status:
Malicious
First seen:
2021-09-28 03:27:55 UTC
AV detection:
8 of 28 (28.57%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
ccbded51600db440d54831ff724cf0e988220da4cd069244ade361c959b8c852
ArkeiStealer
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery spyware stealer
Link:
https://tria.ge/reports/210928-g8cxdsahem/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Unpacked files
SH256 hash:
5a3ccc92f7966f8a3f8d0fbc50cef8452560341f4e23c769247b3cdd0818af11
MD5 hash:
eeb69f7b86959ae72b9d37443fb7f3d0
SHA1 hash:
ea687885ff8711724639134819bfffe3934e0cc1
Link:
https://www.unpac.me/results/1e267abf-cfd7-481a-8a79-e24028cc55eb/
SH256 hash:
74a7390843cb3376c714cabd6fa5ff973ddd4cc70f7c6bdfc808ebf0b542831d
MD5 hash:
0d934f0d296e6269ded43e6c9dc2aacf
SHA1 hash:
cdf64fca97814684e4383c4ed2e719d0b245269b
Link:
https://www.unpac.me/results/1e267abf-cfd7-481a-8a79-e24028cc55eb/
SH256 hash:
012a9e626e14509f02c588dd0677232f131fccdb4f993c60d6db6ed0d6cde218
MD5 hash:
e1044ae751df4d00ca0ee946bced3cca
SHA1 hash:
9f466b27c5257f1800dfab4e5f1d90453ddb286c
Link:
https://www.unpac.me/results/1e267abf-cfd7-481a-8a79-e24028cc55eb/
SH256 hash:
4340bc1e1ddb5d268a010401be96435063de733a2601d158d13f56da9f20df5d
MD5 hash:
ec72a93f6279b16006f2196f330166ee
SHA1 hash:
74b4d4a19500d3644a6a4f523ad7d4adcb1ace6f
Link:
https://www.unpac.me/results/1e267abf-cfd7-481a-8a79-e24028cc55eb/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/4340bc1e1ddb/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4340bc1e1ddb5d268a010401be96435063de733a2601d158d13f56da9f20df5d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ArkeiStealer

Executable exe 4340bc1e1ddb5d268a010401be96435063de733a2601d158d13f56da9f20df5d

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1642816/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/192391/

Comments