MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 515d537093956f134ef3bc3037b609afc47dc225964ffa527bec9c1be7243d1b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 515d537093956f134ef3bc3037b609afc47dc225964ffa527bec9c1be7243d1b
SHA3-384 hash: a9c3f40c79870019b78a1d1b6e435ded36ee1fd9cfbad05939e5b4d5ee2095375056235ad59284930f94fbd5e3a0b87d
SHA1 hash: 7a4e7d527f0dd67d00b38c4893800998ed2ca4df
MD5 hash: 44d57bd9b9006ac10bdf35f7d347037f
humanhash: golf-black-dakota-william
File name:44d57bd9b9006ac10bdf35f7d347037f.exe
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:321'848 bytes
First seen:2021-11-03 16:44:53 UTC
Last seen:2021-11-03 19:19:03 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 59ee824971f432b778ca9bd24dd5ed5f (4 x RaccoonStealer, 2 x RedLineStealer, 1 x ArkeiStealer)
ssdeep 6144:UEkoyMvUNtSVeWL1xtRPU2z8K5Bstmbra4U:UD9M1VH1xtRPU5K5BymM
Threatray 581 similar samples on MalwareBazaar
TLSH T196649D10B7A1C035F4F222F48AB69279B53F7AA16B3454CF12D526EE5674AE1EC3130B
File icon (PE):PE icon
dhash icon b2dacabecee6baa2 (33 x RedLineStealer, 30 x Smoke Loader, 28 x Stop)
Reporter abuse_ch
Tags:ArkeiStealer exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
105
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
44d57bd9b9006ac10bdf35f7d347037f.exe
Verdict:
Malicious activity
Analysis date:
2021-11-03 16:50:26 UTC
Tags:
trojan loader stealer
Link:
https://app.any.run/tasks/2f1098be-b9b9-421e-a7a9-4cbbef8416b0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/201924/
Detection(s):
SecuriteInfo.com.Trojan.GenericKDZ.79584.30815.12054.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Connection attempt
Sending an HTTP GET request
Creating a file
Deleting a recently created file
Modifying an executable file
Launching the default Windows debugger (dwwin.exe)
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware overlay packed
Link:
https://www.filescan.io/uploads/6182bc909982ff7c3f7dc88b/reports/7a010084-3f0f-41b8-baa6-4dde086f736e/overview
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/83806561-0fe5-4352-b386-146798af4c1d
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/882437
Signature
Binary is likely a compiled AutoIt script file
Contains functionality to detect sleep reduction / modifications
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops PE files to the user root directory
Found malware configuration
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Self deletion via cmd delete
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 514868 Sample: CbebfjwfUs.exe Startdate: 03/11/2021 Architecture: WINDOWS Score: 100 49 Found malware configuration 2->49 51 Multi AV Scanner detection for dropped file 2->51 53 Yara detected Vidar stealer 2->53 55 4 other signatures 2->55 8 CbebfjwfUs.exe 129 2->8         started        13 sisbkup.exe 2->13         started        15 sisbkup.exe 2->15         started        process3 dnsIp4 47 45.95.235.77, 49748, 80 YURTEH-ASUA Russian Federation 8->47 39 C:\Users\user\AppData\Local\...\c1[1].exe, PE32 8->39 dropped 41 C:\ProgramData\cupd.exe, PE32 8->41 dropped 43 C:\Users\user\AppData\...\sqlite3[1].dll, PE32 8->43 dropped 45 C:\ProgramData\sqlite3.dll, PE32 8->45 dropped 65 Detected unpacking (changes PE section rights) 8->65 67 Detected unpacking (overwrites its own PE header) 8->67 69 Self deletion via cmd delete 8->69 79 3 other signatures 8->79 17 cupd.exe 1 8->17         started        21 cmd.exe 1 8->21         started        71 Query firmware table information (likely to detect VMs) 13->71 73 Tries to detect sandboxes and other dynamic analysis tools (window names) 13->73 75 Hides threads from debuggers 13->75 77 Tries to detect sandboxes / dynamic malware analysis system (registry check) 15->77 file5 signatures6 process7 file8 37 C:\Users\user\AppData\...\sisbkup.exe (copy), PE32 17->37 dropped 57 Multi AV Scanner detection for dropped file 17->57 59 Query firmware table information (likely to detect VMs) 17->59 61 Machine Learning detection for dropped file 17->61 63 3 other signatures 17->63 23 cmd.exe 1 17->23         started        25 conhost.exe 21->25         started        27 timeout.exe 1 21->27         started        signatures9 process10 process11 29 conhost.exe 23->29         started        31 icacls.exe 1 23->31         started        33 icacls.exe 1 23->33         started        35 icacls.exe 1 23->35         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/515d537093956f134ef3bc3037b609afc47dc225964ffa527bec9c1be7243d1b/
Threat name:
Win32.Trojan.Strab
Create hunting rule
Status:
Malicious
First seen:
2021-11-03 16:45:06 UTC
AV detection:
17 of 27 (62.96%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
29d67868f7d6b3a2d0024e2d6d2a1850a9c3297907673328296b9c33692a9553
ArkeiStealer
5a2eff9610a0bdc09557cd54e9ad7e5b93b930359a8e322fb479ab7b1e20cf7d
ArkeiStealer
70d2439d21209fcc393ca4989fbe1d5966c651345ad9b38bab512dbe9861e2bb
ArkeiStealer
71afc45f296c232c605e7e18e5303e59efefedc94f3a3c47c6e91ca46d586ce7
ArkeiStealer
b944023d535bc8e5980173e203cee0d2fc2df9e865b4a06fc0694436ce5b6541
ArkeiStealer
ccbded51600db440d54831ff724cf0e988220da4cd069244ade361c959b8c852
ArkeiStealer
e558134f888d403ba60d7db59978502a9071951528cd4873bd4702921012d69e
ArkeiStealer
edf6beb88780fb3085332f843b73418f52bbf095265dad631cf8e187644cb565
ArkeiStealer
f24723275fef7c816ed025e24ff55657b5bbce2c0e8df3ffb59b8bec2890d405
ArkeiStealer
+ 571 additional samples on MalwareBazaar
Result
Malware family:
arkei
Create hunting rule
Score:
  10/10
Tags:
family:arkei discovery evasion spyware stealer suricata themida trojan
Link:
https://tria.ge/reports/211103-t9dljabdfj/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
autoit_exe
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
Checks BIOS information in registry
Deletes itself
Loads dropped DLL
Modifies file permissions
Reads user/profile data of web browsers
Themida packer
Downloads MZ/PE file
Executes dropped EXE
Arkei Stealer Payload
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Arkei
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
Unpacked files
SH256 hash:
6f2217410e8a6f4f3ac03fad1b45fc32197f9caf89a84fa924ac4b6085adef46
MD5 hash:
cb6b3d2d4d6d5163497ff3afef0f7e40
SHA1 hash:
f79bb95cb620ffa702d593f1b9e2fe9c97480523
Link:
https://www.unpac.me/results/5ab95167-de85-41b7-9b89-da3dc6c0ddb4/
SH256 hash:
515d537093956f134ef3bc3037b609afc47dc225964ffa527bec9c1be7243d1b
MD5 hash:
44d57bd9b9006ac10bdf35f7d347037f
SHA1 hash:
7a4e7d527f0dd67d00b38c4893800998ed2ca4df
Link:
https://www.unpac.me/results/5ab95167-de85-41b7-9b89-da3dc6c0ddb4/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/515d53709395/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/515d537093956f134ef3bc3037b609afc47dc225964ffa527bec9c1be7243d1b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ArkeiStealer

Executable exe 515d537093956f134ef3bc3037b609afc47dc225964ffa527bec9c1be7243d1b

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/201924/
  
URLhaus
https://urlhaus.abuse.ch/url/1744311/
  
Delivery method
Distributed via web download

Comments