MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4def4ad12c7aab38e6248c20e211272f1c920a0295c8beda6228543e58c2129c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4def4ad12c7aab38e6248c20e211272f1c920a0295c8beda6228543e58c2129c
SHA3-384 hash: b7e0d25ae60293e5e1a07580ff3b9e968dca1a008e107d9aca9dc9d1d8e093925d7ce3b71b8a1504d4e74cefc9ea60b7
SHA1 hash: 3cf58f57e91dc35c831e529006ddeebeb3e168b7
MD5 hash: d51c6dff0390d4bc5863d39780f9b976
humanhash: yankee-muppet-salami-don
File name:4def4ad12c7aab38e6248c20e211272f1c920a0295c8beda6228543e58c2129c.exe
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:163'328 bytes
First seen:2022-05-03 10:15:15 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4e06c011d59529bff8e1f1c88254b928 (29 x MarsStealer, 21 x ArkeiStealer)
ssdeep 3072:U3T4Zw0W+H2fJpl7oeJbCBR4mfaKgowMUW7nv16JSp8Bb8EG:U4Zf2fblk6CB+mSKHa78EG
Threatray 4'163 similar samples on MalwareBazaar
TLSH T178F3F1570169121EC0F16F7ED1D17E3ACADC3A1E366CCA283A9C2FEC876D448572748A
TrID 38.0% (.EXE) Win64 Executable (generic) (10523/12/4)
23.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
16.3% (.EXE) Win32 Executable (generic) (4505/5/1)
7.3% (.EXE) OS/2 Executable (generic) (2029/13)
7.2% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter obfusor
Tags:ArkeiStealer exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
273
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
arkei
Create hunting rule
ID:
1
File name:
Builded.exe
Verdict:
Malicious activity
Analysis date:
2022-04-30 21:36:50 UTC
Tags:
arkei trojan stealer vidar
Link:
https://app.any.run/tasks/7e12a437-0d31-48c9-af89-266a2eae6fdb

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/268342/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Stealer.32841.13603.485.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Reading critical registry keys
Changing a file
Creating a file in the %AppData% subdirectories
Creating a window
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Launching a process
Stealing user critical data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/627100e72b32b1c37c8b68f6/reports/89b680b9-de7b-4aa6-9f64-48239e56377f/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Oski Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/37cb46f7-bc62-4dce-aee1-65fcf7f291f2
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/986987
Signature
Antivirus / Scanner detection for submitted sample
Contains functionality to detect sleep reduction / modifications
Detected unpacking (creates a PE file in dynamic memory)
Found evasive API chain (may stop execution after checking computer name)
Found evasive API chain (may stop execution after checking mutex)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
PE file has nameless sections
Self deletion via cmd delete
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4def4ad12c7aab38e6248c20e211272f1c920a0295c8beda6228543e58c2129c/
Threat name:
Win32.Trojan.MarsStealer
Create hunting rule
Status:
Malicious
First seen:
2022-05-03 10:16:06 UTC
File Type:
PE (Exe)
AV detection:
23 of 26 (88.46%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
18a51631909a8b72c610fa2b7640530cbe0dbfcc73a8e84af917fa797dded717
ArkeiStealer
30f31299aa3016ca50e9c14d43dfa51fe0c174480951809d068900a998146caa
ArkeiStealer
3a2a1eff040a79d603b1ac2609a423ad8beb46d2876aa959f60dc98477707c0f
ArkeiStealer
6b18a223ce8f1f42880a54809880cd5c3a6890955d2469b10ea771dab333871e
ArkeiStealer
7f19bc8eb8f0555986de478bc9a17a8e052f4a9262b0a19b924d8e9c66a01ca7
ArkeiStealer
b2052d38af422bd9e54927e9d4606942e5f7da8c968ce7f441c62f9f49532a99
ArkeiStealer
c73fbcd3422e85b23bfa0e2d65ee0b35ecb344c7f1fe4d2827e45339137b356c
ArkeiStealer
de147d635d7404111032d34845dd05eddc00ae6ecf0814d89eed3c6a81c06629
ArkeiStealer
df4876573295b4e7beb618db31a015ea617f61b811978bb168d432c4052f7731
ArkeiStealer
+ 4'153 additional samples on MalwareBazaar
Result
Malware family:
arkei
Create hunting rule
Score:
  10/10
Tags:
family:arkei botnet:default discovery spyware stealer suricata
Link:
https://tria.ge/reports/220503-mar7baffdq/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks computer location settings
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Arkei
suricata: ET MALWARE Base64 Encoded Stealer Config from Server - APPDATA or USERPROFILE Environment Variable M4
suricata: ET MALWARE Win32/Vidar Variant/Mars Stealer CnC Exfil
Unpacked files
SH256 hash:
ff4f92d4b1480fcf7ec25e0ea204c91222308487edcfc4619e63d7356db234b9
MD5 hash:
9f300e6200ae2cc3adba9ac367ba560d
SHA1 hash:
b6628daf1a3fa5739ca796f288e87bb25eedbbb7
Link:
https://www.unpac.me/results/d18eab08-37ba-4f0c-abdb-5c476fc2cec4/
SH256 hash:
4def4ad12c7aab38e6248c20e211272f1c920a0295c8beda6228543e58c2129c
MD5 hash:
d51c6dff0390d4bc5863d39780f9b976
SHA1 hash:
3cf58f57e91dc35c831e529006ddeebeb3e168b7
Link:
https://www.unpac.me/results/d18eab08-37ba-4f0c-abdb-5c476fc2cec4/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/4def4ad12c7a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4def4ad12c7aab38e6248c20e211272f1c920a0295c8beda6228543e58c2129c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/268342/

Comments