MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 47bfb8807a288e002ca1591f17a6dd98efcd9676337c19781a419079e9086d46. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 47bfb8807a288e002ca1591f17a6dd98efcd9676337c19781a419079e9086d46
SHA3-384 hash: 0e61ecf862bdf74150f8c9b8169a8ce9e1423a1b3fefa4f9c2b4b48a84b96631c8947f9221a1a1004f4aa773c20b2259
SHA1 hash: 84c1bb7256ae66ec825bf4b65b4ecc794ecaf04b
MD5 hash: ed98530be535ab04adeeecd1ad8e7ea4
humanhash: burger-enemy-vermont-leopard
File name:ed98530be535ab04adeeecd1ad8e7ea4
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:285'696 bytes
First seen:2022-02-09 12:41:50 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 01964b8ce8a862adba8387753bd05847 (2 x ArkeiStealer, 2 x BitRAT, 1 x Smoke Loader)
ssdeep 6144:8nx8s+eakPVrCHZGlxUynI4VnQ2ZUhcm8yNeJB5vVn2:8nYe7tuHexnQ2ZUv8yy5v
Threatray 818 similar samples on MalwareBazaar
TLSH T189549E10BBA0C035F1B756F8197A93ACB93E7AB15B2090CB52D56BEE16356E0EC31317
File icon (PE):PE icon
dhash icon b6dacabecee6baa2 (18 x RedLineStealer, 12 x Stop, 9 x ArkeiStealer)
Reporter zbetcheckin
Tags:32 ArkeiStealer exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
194
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/239516/
Detection(s):
Win.Malware.Generic-9936539-0
Create hunting rule

Win.Packed.Filerepmalware-9938531-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
DNS request
Sending an HTTP GET request
Creating a file
Reading critical registry keys
Changing a file
Creating a file in the %AppData% subdirectories
Creating a window
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Sending a custom TCP request
Launching a process
Launching the default Windows debugger (dwwin.exe)
Stealing user critical data
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/6499/overview
Behaviour
MalwareBazaar
MeasuringTime
SystemUptime
CPUID_Instruction
EvasionQueryPerformanceCounter
CheckCmdLine
EvasionGetTickCount
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/6203b6a24077c8b9a02693a0/reports/43bf5496-297f-4a35-a22c-94020d4aa9fc/overview
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f658ed2d-7bad-4a68-a554-204d598f50e0
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/936916
Behaviour
Behavior Graph:
n/a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/47bfb8807a288e002ca1591f17a6dd98efcd9676337c19781a419079e9086d46/
Threat name:
Win32.Trojan.Raccoon
Create hunting rule
Status:
Malicious
First seen:
2022-02-09 12:42:14 UTC
File Type:
PE (Exe)
Extracted files:
17
AV detection:
22 of 28 (78.57%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
04584608efe95878a3a9bb3db4173fc4570475a281e1de046b043ab43f364ae2
ArkeiStealer
4fb9f08b1053d49ff58f30aa0016beefcd85041435ba9bb4b0402d99feb6df5e
ArkeiStealer
5c5d9711ea8ddb520646c0ac33e540c3860b795914749ee377040d8626ecc93b
ArkeiStealer
63f01e322665557daf9d9ceb3f8018d0d9326926bf14acab9796bcb342890a79
ArkeiStealer
650019380700d0b23b55df2ebbadbde8916ed07c10bd9427f5942c6c563d37de
ArkeiStealer
6a3d626d0ab359b8e7a3d3ea8551f3e948c26f74465c65e1f02f6aa76163fa2b
ArkeiStealer
b4564966c74ea17badd252d6c1b3a052f869e69d0c7cbbcb776af245135e9917
ArkeiStealer
b86da55b00429d3a757c64bc0489af5d2641bfa7aab9910eddec173af09c55b4
ArkeiStealer
ec4524dcf5814a8446d9967b207761234760d189272dae66a9a0c184a6bcbc79
ArkeiStealer
+ 808 additional samples on MalwareBazaar
Result
Malware family:
arkei
Create hunting rule
Score:
  10/10
Tags:
family:arkei botnet:dafault discovery spyware stealer
Link:
https://tria.ge/reports/220209-pxc21saear/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Enumerates system info in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks computer location settings
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Arkei Stealer Payload
Arkei
Suspicious use of NtCreateProcessExOtherParentProcess
Malware Config
C2 Extraction:
http://googr.link/gate1.php
Unpacked files
SH256 hash:
054d474c1ae1a24df0f7a2a21a5e72c07b1c0f5562cdc37ef519214ff9ea2cd0
MD5 hash:
d51c939bdb90148e196f178860898a33
SHA1 hash:
366e8e022c1406b95dc2edcc0125b1db493c18fe
Link:
https://www.unpac.me/results/a60b0d06-af09-476d-8b62-956d2ae949d5/
SH256 hash:
47bfb8807a288e002ca1591f17a6dd98efcd9676337c19781a419079e9086d46
MD5 hash:
ed98530be535ab04adeeecd1ad8e7ea4
SHA1 hash:
84c1bb7256ae66ec825bf4b65b4ecc794ecaf04b
Link:
https://www.unpac.me/results/a60b0d06-af09-476d-8b62-956d2ae949d5/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ArkeiStealer

Executable exe 47bfb8807a288e002ca1591f17a6dd98efcd9676337c19781a419079e9086d46

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2038536/
Cape
Cape
https://www.capesandbox.com/analysis/239516/

Comments


Avatar
zbet commented on 2022-02-09 12:41:53 UTC

url : hxxp://googf.link/MediaPlayer.exe