MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 446736e381fa8942f8d32cb4f2ae8fb6a9245fa0e70b7f7298ee7a5cb6fe9f32. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: ArkeiStealer
Vendor detections: 5

SHA256 hash: 446736e381fa8942f8d32cb4f2ae8fb6a9245fa0e70b7f7298ee7a5cb6fe9f32
SHA3-384 hash: 254ebd52e45528f5ea0c8cdb8ebea11e5f3fc22f8b8cf358cf6a0aecb304e197a46e1aee59553b199424a24be5bb6bdc
SHA1 hash: e44b66c8dccfc544b38f6607ae58e100867df043
MD5 hash: f8fa0dfbd7f850d4627db88616bac7f5
humanhash: fish-summer-moon-quebec
File name: f8fa0dfbd7f850d4627db88616bac7f5.exe
Download: download sample
Signature: ArkeiStealer
File size: 6'790'000 bytes
First seen: 2021-09-30 15:19:19 UTC
Last seen: 2021-11-25 12:35:55 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 0ab020de3096b6aafb4fadfac4d16825 (16 x CryptBot, 3 x ArkeiStealer, 3 x LockBit)
ssdeep: 98304:pH7CgqLPRPYv7cZuwYx72XPo0+Xv6zV470d7pz7dTH3OHMNsZlQUafCyr3Ey6Nho:d+gqLKB2pscuopz7dTeNmfCyk+2OPhX
Threatray: 46 similar samples on MalwareBazaar
TLSH: T18066E130768BC52BD5A604B15A3CDB9F51287FB60F6290D7A3E42E6E45B48C35332E27
File icon (PE): (icon image)
dhash icon: 6ded69c7b130b2c0 (12 x CryptBot, 8 x ValleyRAT, 4 x NetSupport)
Reporter: abuse_ch
Tags: ArkeiStealer exe

Intelligence


File Origin
# of uploads: 2
# of downloads: 183
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 6292405991145472.zip
Verdict: Malicious activity
Analysis date: 2021-09-30 08:32:02 UTC
Tags: trojan loader rat redline evasion stealer opendir vidar raccoon

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Clean
Maliciousness:

Result
Threat name:
Detection: malicious
Classification: troj.spyw.evad
Score: 72 / 100
Signature
.NET source code contains in memory code execution
Found many strings related to Crypto-Wallets (likely being stolen)
Multi AV Scanner detection for domain / URL
PE file has a writeable .text section
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Vidar stealer
Behaviour
Behavior Graph (ID 494472; sample yvY2AMOxwb.exe; start date 30/09/2021; architecture WINDOWS; score 72), recovered from the graph as text (numbers after process names are as shown in the graph):
Signatures on the sample: Multi AV Scanner detection for domain / URL; Yara detected Vidar stealer; Found many strings related to Crypto-Wallets (likely being stolen); 2 other signatures
Process tree:
  yvY2AMOxwb.exe (268)
    dropped: C:\Users\user\AppData\Roaming\...\decoder.dll (PE32); C:\Users\user\AppData\...\swresample-1.dll (PE32); C:\Users\user\AppData\...\pthreadGC2.dll (PE32); 20 other files (none is malicious)
    -> msiexec.exe (2), network: 0.0.1.7 (unknown, unknown)
  evreporter.exe (127)
    network: 185.215.113.39, local port 49752 -> port 80, WHOLESALECONNECTIONSNL, Portugal
    dropped: C:\Users\user\AppData\...\sqlite3[1].dll (PE32); C:\ProgramData\sqlite3.dll (PE32)
    signature: Tries to harvest and steal browser information (history, passwords, etc)
    -> cmd.exe (1) -> conhost.exe; timeout.exe (1)
  msiexec.exe (started twice directly from the sample)
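The signature list above reports "PE file has a writeable .text section". The block below is an added example, not part of the MalwareBazaar page or of any sandbox vendor's code, showing how that check is made: it walks the DOS header, PE signature, COFF header and section table with struct and reports sections whose characteristics are both writable and executable (or writable code). Because the sample itself is not reproduced here, the two images it runs on are constructed in the script (header-only fixtures built by the hypothetical build_minimal_pe helper; they are not loadable executables).

```python
import struct

# Section-characteristics flags from the PE/COFF specification ("Section Flags").
IMAGE_SCN_CNT_CODE    = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ    = 0x40000000
IMAGE_SCN_MEM_WRITE   = 0x80000000

COFF_FMT    = "<HHIIIHH"       # IMAGE_FILE_HEADER, 20 bytes
SECTION_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes


def parse_sections(data: bytes) -> list:
    """DOS header -> e_lfanew -> 'PE\\0\\0' -> COFF header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff_off = e_lfanew + 4
    (_machine, nsections, _ts, _symptr, _nsyms,
     opt_size, _chars) = struct.unpack_from(COFF_FMT, data, coff_off)
    # The section table starts right after the optional header, whose size varies (PE32/PE32+).
    table_off = coff_off + struct.calcsize(COFF_FMT) + opt_size
    sections = []
    for i in range(nsections):
        (name, vsize, vaddr, rawsize, rawptr, _relocs, _lines,
         _nrelocs, _nlines, chars) = struct.unpack_from(SECTION_FMT, data, table_off + 40 * i)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "vaddr": vaddr, "vsize": vsize, "rawptr": rawptr, "rawsize": rawsize,
            "characteristics": chars,
        })
    return sections


def wx_sections(data: bytes) -> list:
    """Names of sections that are writable and also executable or marked as code."""
    out = []
    for s in parse_sections(data):
        c = s["characteristics"]
        if c & IMAGE_SCN_MEM_WRITE and (c & IMAGE_SCN_MEM_EXECUTE or c & IMAGE_SCN_CNT_CODE):
            out.append(s["name"])
    return out


def has_writable_text(data: bytes) -> bool:
    """The narrower check the sandbox signature describes: is .text mapped writable?"""
    return any(s["name"] == ".text" and bool(s["characteristics"] & IMAGE_SCN_MEM_WRITE)
               for s in parse_sections(data))


def build_minimal_pe(section_specs) -> bytes:
    """Constructed fixture: just enough headers for the parser above; not a loadable image."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    opt = b"\0" * 224                                     # size of a PE32 optional header
    coff = struct.pack(COFF_FMT, 0x14C, len(section_specs), 0, 0, 0, len(opt), 0x0102)
    table = b"".join(
        struct.pack(SECTION_FMT, name.ljust(8, b"\0"), 0x1000, 0x1000 * (i + 1),
                    0x200, 0x400 + 0x200 * i, 0, 0, 0, 0, chars)
        for i, (name, chars) in enumerate(section_specs))
    return dos + b"PE\0\0" + coff + opt + table


# Constructed samples: a conventional layout, and one with a writable .text as the
# signature above reports for this sample.
NORMAL_PE = build_minimal_pe([
    (b".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (b".data", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
])
WRITABLE_TEXT_PE = build_minimal_pe([
    (b".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    (b".data", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
])

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else WRITABLE_TEXT_PE
    print("W+X sections:", wx_sections(data), "| writable .text:", has_writable_text(data))
```

Run it with a file path to check a real PE. A writable .text section is a triage signal rather than a verdict: packers and self-modifying stubs set it routinely, and the imphash and icon dhash above cluster this sample with CryptBot, which is consistent with a shared packer. For production parsing of real files prefer pefile, which also handles malformed headers this hand-rolled parser does not.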
Threat name: Win32.Infostealer.Generic
Status: Suspicious
First seen: 2021-09-30 15:20:10 UTC
AV detection: 4 of 26 (15.38%)
Threat level: 5/5
Result
Malware family: n/a
Score: 8/10
Tags: discovery spyware stealer
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Enumerates connected drives
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
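The vendor results above give a small set of concrete indicators: the sample's hashes, the C2 connection to 185.215.113.39 on port 80, sqlite3.dll dropped into C:\ProgramData, and cmd.exe launching timeout.exe as an execution delay. The block below is an added example, not from the MalwareBazaar page or from any of the sandbox vendors, of turning those into detection logic over Sysmon-style JSON events (event IDs 1, 3 and 11). It tracks process ancestry by ProcessGuid so the timeout.exe delay is only flagged when cmd.exe's own parent is not an interactive shell, which keeps an operator typing "timeout" at a prompt out of the results. The log lines are constructed for the example; the evreporter.exe path, the ProcessGuid values and the INTERACTIVE_PARENTS list are assumptions.

```python
import json

# Indicators copied from the MalwareBazaar entry above.
IOC_HASHES = {
    "sha256": "446736e381fa8942f8d32cb4f2ae8fb6a9245fa0e70b7f7298ee7a5cb6fe9f32",
    "sha1": "e44b66c8dccfc544b38f6607ae58e100867df043",
    "md5": "f8fa0dfbd7f850d4627db88616bac7f5",
}
IOC_NET = {("185.215.113.39", 80)}              # C2 contacted by evreporter.exe in the sandbox run
IOC_FILES = {r"c:\programdata\sqlite3.dll"}    # dropped helper used to read browser databases
# Assumed tuning: parents under which cmd.exe -> timeout.exe is ordinary interactive use.
INTERACTIVE_PARENTS = {"explorer.exe", "powershell.exe", "windowsterminal.exe", "code.exe"}


def basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def parse_hashes(field: str) -> dict:
    """Sysmon 'Hashes' field ('SHA256=...,MD5=...') -> {algo: lowercase hex digest}."""
    out = {}
    for item in field.split(","):
        algo, _, digest = item.partition("=")
        if digest:
            out[algo.strip().lower()] = digest.strip().lower()
    return out


class IocScanner:
    def __init__(self):
        self.procs = {}  # ProcessGuid -> (image basename, ParentProcessGuid)

    def ancestry(self, guid, limit=8):
        """[self, parent, grandparent, ...] by image name, as far as the table goes."""
        chain = []
        while guid in self.procs and len(chain) < limit:
            name, guid = self.procs[guid]
            chain.append(name)
        return chain

    def check(self, ev: dict) -> list:
        hits = []
        eid = ev["EventID"]
        image = basename(ev.get("Image", ""))
        if eid == 1:  # process create
            self.procs[ev["ProcessGuid"]] = (image, ev.get("ParentProcessGuid"))
            seen = parse_hashes(ev.get("Hashes", ""))
            for algo, bad in IOC_HASHES.items():
                if seen.get(algo) == bad:
                    hits.append(f"hash:{algo}")
                    break
            chain = self.ancestry(ev["ProcessGuid"])
            if (chain[:2] == ["timeout.exe", "cmd.exe"] and len(chain) > 2
                    and chain[2] not in INTERACTIVE_PARENTS):
                hits.append("behaviour:timeout-delay via " + " <- ".join(chain))
        elif eid == 3:  # network connect
            key = (ev.get("DestinationIp"), int(ev.get("DestinationPort", 0)))
            if key in IOC_NET:
                hits.append(f"net:{key[0]}:{key[1]}")
        elif eid == 11:  # file create
            if ev.get("TargetFilename", "").lower() in IOC_FILES:
                hits.append("file:" + ev["TargetFilename"])
        return hits


def scan(lines) -> list:
    """Returns (EventID, image basename, hit description) for every matching event."""
    scanner, findings = IocScanner(), []
    for line in lines:
        ev = json.loads(line)
        for hit in scanner.check(ev):
            findings.append((ev["EventID"], basename(ev.get("Image", "")), hit))
    return findings


def _ev(**fields):  # helper to build one constructed JSON log line
    return json.dumps(fields)


# Constructed event stream mirroring the sandbox process tree above (paths/GUIDs assumed).
SAMPLE_LOG = [
    _ev(EventID=1, Image=r"C:\Windows\explorer.exe", ProcessGuid="{P0}", ParentProcessGuid="{P-}", Hashes="SHA256=aa"),
    _ev(EventID=1, Image=r"C:\Users\user\Downloads\f8fa0dfbd7f850d4627db88616bac7f5.exe", ProcessGuid="{P1}",
        ParentProcessGuid="{P0}", Hashes="SHA256=" + IOC_HASHES["sha256"] + ",MD5=" + IOC_HASHES["md5"]),
    _ev(EventID=1, Image=r"C:\Users\user\AppData\Local\Temp\evreporter.exe", ProcessGuid="{P2}", ParentProcessGuid="{P1}", Hashes="SHA256=bb"),
    _ev(EventID=3, Image=r"C:\Users\user\AppData\Local\Temp\evreporter.exe", DestinationIp="185.215.113.39", DestinationPort=80),
    _ev(EventID=11, Image=r"C:\Users\user\AppData\Local\Temp\evreporter.exe", TargetFilename=r"C:\ProgramData\sqlite3.dll"),
    _ev(EventID=1, Image=r"C:\Windows\System32\cmd.exe", ProcessGuid="{P3}", ParentProcessGuid="{P2}", Hashes="SHA256=cc"),
    _ev(EventID=1, Image=r"C:\Windows\System32\timeout.exe", ProcessGuid="{P4}", ParentProcessGuid="{P3}", Hashes="SHA256=dd"),
    # benign noise: an interactive cmd.exe under explorer.exe running timeout, and an unrelated HTTPS connection
    _ev(EventID=1, Image=r"C:\Windows\System32\cmd.exe", ProcessGuid="{P5}", ParentProcessGuid="{P0}", Hashes="SHA256=cc"),
    _ev(EventID=1, Image=r"C:\Windows\System32\timeout.exe", ProcessGuid="{P6}", ParentProcessGuid="{P5}", Hashes="SHA256=dd"),
    _ev(EventID=3, Image=r"C:\Program Files\Mozilla Firefox\firefox.exe", DestinationIp="93.184.216.34", DestinationPort=443),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Hash and IP matches are exact-match indicators and age quickly (the entry shows the same imphash across CryptBot, ArkeiStealer and LockBit samples, so rebuilds are cheap for the operator); the ancestry-based timeout.exe rule is the durable part and should be tuned per environment with the INTERACTIVE_PARENTS set.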
Unpacked files
SHA256 hash: 446736e381fa8942f8d32cb4f2ae8fb6a9245fa0e70b7f7298ee7a5cb6fe9f32
MD5 hash: f8fa0dfbd7f850d4627db88616bac7f5
SHA1 hash: e44b66c8dccfc544b38f6607ae58e100867df043
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: ArkeiStealer
File: Executable exe 446736e381fa8942f8d32cb4f2ae8fb6a9245fa0e70b7f7298ee7a5cb6fe9f32 (this sample)

Delivery method
Distributed via web download

Comments