MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 52a28986b95ffa1c7fcca5b9761f21453810df404d5eec415ff970cbdb355745. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 52a28986b95ffa1c7fcca5b9761f21453810df404d5eec415ff970cbdb355745
SHA3-384 hash: 4472ef68d0ab964eaeb4e6eb17c08aa9bceb92e1e1d0ec583c698aa9d3e7b92a5b9e5d56b0a0b378080d46a5da1126d9
SHA1 hash: e1ba2466747c5ff05cf2695b581f425ce1297993
MD5 hash: d5daa670f788300ff1bba96ffa333c68
humanhash: zulu-ohio-arkansas-triple
File name:d5daa670f788300ff1bba96ffa333c68
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:662'528 bytes
First seen:2021-11-25 22:32:03 UTC
Last seen:2021-11-26 02:01:46 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b8b949414a1cbbc9af7d834ae8be805f (11 x RedLineStealer, 5 x RaccoonStealer, 4 x ArkeiStealer)
ssdeep 12288:YdnVPjlG+hJhW0pvYpoMZmlU8YWRW/hw0jTC85F0Qd7wXMFM2tiC:8nVP/2AAKQGlKfjTC8uwMAx
Threatray 377 similar samples on MalwareBazaar
TLSH T1C4E42391CB046886C91296F4CBDB99B8826CEDFC4AA07F9351D7317F5E7D293E40212E
File icon (PE):PE icon
dhash icon 92e0b496a6cada72 (12 x RedLineStealer, 7 x RaccoonStealer, 5 x BlankGrabber)
Reporter zbetcheckin
Tags:32 ArkeiStealer exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
155
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
d5daa670f788300ff1bba96ffa333c68
Verdict:
Malicious activity
Analysis date:
2021-11-25 22:36:04 UTC
Tags:
loader stealer trojan
Link:
https://app.any.run/tasks/c0c39ea9-5b1a-4a3a-9c03-d8fde4805c7d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Gathering data
Detection(s):
PUA.Win.Packer.AsprotectSke-3
Create hunting rule

PUA.Win.Packer.Asprotect-3
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending an HTTP GET request
Creating a file
Reading critical registry keys
DNS request
Changing a file
Creating a file in the %AppData% subdirectories
Creating a window
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Launching a process
Stealing user critical data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed racealer
Link:
https://www.filescan.io/uploads/61a00ee9f36138de3f3d62e2/reports/14a36eb3-42c7-45b4-b2f2-cbf601cf0702/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Binder
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/11005443-fb9d-42a0-b414-3f80dfd7c94a
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/896396
Signature
C2 URLs / IPs found in malware configuration
Detected unpacking (creates a PE file in dynamic memory)
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
PE file has nameless sections
Self deletion via cmd delete
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/52a28986b95ffa1c7fcca5b9761f21453810df404d5eec415ff970cbdb355745/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-11-25 22:33:14 UTC
File Type:
PE (Exe)
Extracted files:
27
AV detection:
22 of 28 (78.57%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
3badebcefb9e7153384cae83baaa119f6317c9381e8500ac285568590e0abd82
ArkeiStealer
55bea97718d10ad6dde683d1316015e4ed475558d725ee34858b15ce8b434afb
ArkeiStealer
58f31e1dff0920a075bd80dfd7ce28fa71c749f1358fab458559b15be3e1a9fc
ArkeiStealer
723597992f5b76dfc24d1250b735a97d8fadd1b93a816512770078a102c01ffb
ArkeiStealer
ac50621ee130a988dc1ddc97ca8b1193249ce9a027648f482ef1b0f9cf7b2e88
ArkeiStealer
bb1944681aa2fcfd5f372fd44e041a63569b46130540225afc1560a1650d4e37
ArkeiStealer
d7cdfb895940efd584c78b7e56f9ed720491234df489ee9eb9aa98c24714d530
ArkeiStealer
dcf4ecc6d3b70a3e11077862b9e3830806191f0718eecb525a3e7d24246c0287
ArkeiStealer
fe3ae99417e0d632995ad5ceeccc4c0b308b8a30d2c93031f15837b607b8552b
ArkeiStealer
+ 367 additional samples on MalwareBazaar
Result
Malware family:
arkei
Create hunting rule
Score:
  10/10
Tags:
family:arkei botnet:default discovery spyware stealer
Link:
https://tria.ge/reports/211125-2fynlsccf8/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Arkei Stealer Payload
Arkei
Malware Config
C2 Extraction:
http://95.181.152.173/qlaU1H5jvC.php
Unpacked files
SH256 hash:
0dc330b844a6a91fe6a66fd2139cdedcee52fa9b248450a98fa2d2c390b4b90f
MD5 hash:
0f937c17f8c5e3d0324c0463a467d5e8
SHA1 hash:
8755944f91d252f1ed7d4877ac01710ef544cbd0
Link:
https://www.unpac.me/results/e3720f67-b033-4ad2-b5ee-14a831f9f43c/
SH256 hash:
6cf3861388b069eb06faf898e66c92ea3846374e06fceb320da5a89a3579539b
MD5 hash:
65b9280de3a5bba15ed7fdd1de2eda86
SHA1 hash:
7169cd8cd190d43433ed8688fcf54219d67a01e2
Link:
https://www.unpac.me/results/e3720f67-b033-4ad2-b5ee-14a831f9f43c/
SH256 hash:
52a28986b95ffa1c7fcca5b9761f21453810df404d5eec415ff970cbdb355745
MD5 hash:
d5daa670f788300ff1bba96ffa333c68
SHA1 hash:
e1ba2466747c5ff05cf2695b581f425ce1297993
Link:
https://www.unpac.me/results/e3720f67-b033-4ad2-b5ee-14a831f9f43c/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/52a28986b95f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/52a28986b95ffa1c7fcca5b9761f21453810df404d5eec415ff970cbdb355745

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation
Create hunting rule
Author:ditekSHen
Description:Detects executables containing potential Windows Defender anti-emulation checks
Rule name:quakbot_halo_generated
Create hunting rule
Author:Halogen Generated Rule, Corsin Camichel

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ArkeiStealer

Executable exe 52a28986b95ffa1c7fcca5b9761f21453810df404d5eec415ff970cbdb355745

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1817893/
Cape
Cape
https://www.capesandbox.com/analysis/209526/

Comments


Avatar
zbet commented on 2021-11-25 22:32:05 UTC

url : hxxp://aaars.info/drisnya/1.exe