MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4fb9f08b1053d49ff58f30aa0016beefcd85041435ba9bb4b0402d99feb6df5e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4fb9f08b1053d49ff58f30aa0016beefcd85041435ba9bb4b0402d99feb6df5e
SHA3-384 hash: 731483e6d65a54d436d645484e3c9c1f11b8781fc171dc3be7c9bc6643c688ad0ad765e6d4790b8ccd6bbdd689349543
SHA1 hash: 5790779c7a63d48e933a6d38dc5d79a9288b9bde
MD5 hash: 3f8a073be59c3c47bdf4e9a42273ae84
humanhash: maryland-oregon-wisconsin-mississippi
File name:3f8a073be59c3c47bdf4e9a42273ae84
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:289'280 bytes
First seen:2022-02-07 09:40:31 UTC
Last seen:2022-02-07 12:37:17 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 059e939bc149cd78a08e6bfa706a4e4a (2 x RedLineStealer, 1 x ArkeiStealer, 1 x Loki)
ssdeep 6144:WEKX0N2aoQgXvOJoTOhQNt7Nw7M3BYYRW7jzecsUrUBO:WSN2nffOWTzt7Nw7M3aheU
Threatray 803 similar samples on MalwareBazaar
TLSH T137549D00BBA0D035F1B752F8467A936DA93E7AB15B3094CF63D52AEA16356E0DC3131B
File icon (PE):PE icon
dhash icon badacabecee6baa6 (95 x Stop, 87 x RedLineStealer, 62 x Smoke Loader)
Reporter zbetcheckin
Tags:32 ArkeiStealer exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
110
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/234282/
Detection(s):
Win.Packed.Filerepmalware-9938531-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
DNS request
Sending an HTTP GET request
Creating a file
Reading critical registry keys
Changing a file
Creating a file in the %AppData% subdirectories
Creating a window
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Sending a custom TCP request
Launching a process
Launching the default Windows debugger (dwwin.exe)
Stealing user critical data
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/6209/overview
Behaviour
MalwareBazaar
CPUID_Instruction
MeasuringTime
SystemUptime
CheckCmdLine
EvasionQueryPerformanceCounter
EvasionGetTickCount
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/6200e93131f00fad9db3bf7b/reports/6e7d083b-6e1c-47c6-88e0-a1341a300b75/overview
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/69c9c90f-9c56-4c9b-ae46-8544499b8b6a
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/935040
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to detect sleep reduction / modifications
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found evasive API chain (may stop execution after checking computer name)
Found evasive API chain (may stop execution after checking locale)
Found evasive API chain (may stop execution after checking mutex)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Self deletion via cmd delete
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4fb9f08b1053d49ff58f30aa0016beefcd85041435ba9bb4b0402d99feb6df5e/
Threat name:
Win32.Trojan.Azorult
Create hunting rule
Status:
Malicious
First seen:
2022-02-07 09:41:08 UTC
File Type:
PE (Exe)
Extracted files:
17
AV detection:
22 of 27 (81.48%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
51d3930607f54a9dc851dd9bb78eadff459a64021f89037bf7d90a40033c103a
ArkeiStealer
5c5d9711ea8ddb520646c0ac33e540c3860b795914749ee377040d8626ecc93b
ArkeiStealer
81046b6948cd3b8ca105c0580b8aecabaff132161125328e49925570b6b22b80
ArkeiStealer
81bc6e0cf586a808ef3ee9c5ace20622f414853a8606007357104c39f5fa5693
ArkeiStealer
892504033a259f380c1e2a35db15b95bffcff4f96c36a84731afde6c5b35371a
ArkeiStealer
8bb345912903d2f964cf381e57b5aa02e86a9236f0c365b41920069f80fa8bac
ArkeiStealer
95e4e83e579f6195b85751b47686f0a3a42933caac2c1c2afd73bd35b00ad981
ArkeiStealer
d6f82559be32a5739fd1c6a1eade697c8d90c331ec31cc7690dd2fdb4e70ab74
ArkeiStealer
e069ce2651bc7095e62c6a919fee34c696eb76995b5ef58d5311d89218847fd0
ArkeiStealer
+ 793 additional samples on MalwareBazaar
Result
Malware family:
arkei
Create hunting rule
Score:
  10/10
Tags:
family:arkei botnet:dafault discovery spyware stealer
Link:
https://tria.ge/reports/220207-lnrx2aaha9/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Enumerates system info in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks computer location settings
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Arkei Stealer Payload
Arkei
Suspicious use of NtCreateProcessExOtherParentProcess
Malware Config
C2 Extraction:
http://googe.link/gate1.php
Unpacked files
SH256 hash:
98f0827fee8802f8437c3fe659d873073506bedd373a44340f2e789878533bbb
MD5 hash:
21251e0932a38b35814157a08c9179a2
SHA1 hash:
b34fbab1948ad6259f84ba6af836dfd09812b6b7
Link:
https://www.unpac.me/results/d71e65b5-16b1-4bc4-893b-7e63ade00aff/
SH256 hash:
4fb9f08b1053d49ff58f30aa0016beefcd85041435ba9bb4b0402d99feb6df5e
MD5 hash:
3f8a073be59c3c47bdf4e9a42273ae84
SHA1 hash:
5790779c7a63d48e933a6d38dc5d79a9288b9bde
Link:
https://www.unpac.me/results/d71e65b5-16b1-4bc4-893b-7e63ade00aff/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ArkeiStealer

Executable exe 4fb9f08b1053d49ff58f30aa0016beefcd85041435ba9bb4b0402d99feb6df5e

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2033769/
Cape
Cape
https://www.capesandbox.com/analysis/234282/

Comments


Avatar
zbet commented on 2022-02-07 09:40:34 UTC

url : hxxp://guseyn.info/MediaPlayer.exe