MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 564925c7389e2fdbdcb7231a0752a042257c9ef306b7830633edddb43d1e15c2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: ArkeiStealer
Vendor detections: 6



SHA256 hash: 564925c7389e2fdbdcb7231a0752a042257c9ef306b7830633edddb43d1e15c2
SHA3-384 hash: 315c26e3dc83906f2955c88bfd992b4ea1332d8f62c0c23dc830314a6cc672bed8d8cff7e16079239570d15376c94d27
SHA1 hash: 71ee057fe113d9780afd24bde803d26bb21b984a
MD5 hash: b96eab4c10042f114e3dbd4bda9e4ecc
humanhash: pip-uncle-ack-fifteen
File name: Software.zip
Signature: ArkeiStealer
File size: 2'613'929 bytes
First seen: 2023-01-27 02:56:27 UTC
Last seen: Never
File type: zip
MIME type: application/zip
ssdeep: 24576:BSFCnQlAyS+5oTWbKBA4ZbuzRAe5KWr/feX2R7VH:QFCQlAySkoTWbJyoR1K4fC67x
TLSH: T14BC5C0166D8353DDAE6603448CE4ECF93AE151292B24E83E514197B3DA817ED6C3F2BC
TrID: 80.0% (.ZIP) ZIP compressed archive (4000/1)
      20.0% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1)
Reporter: adm1n_usa32
Tags: ArkeiStealer exe file-pumped zip


Reporter comment (adm1n_usa32):
ccleaner fake dl

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: http://65.108.249.43/
ThreatFox reference: https://threatfox.abuse.ch/ioc/1074391/

Intelligence


File Origin
# of uploads: 1
# of downloads: 246
Origin country: US
File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name: Software.exe
Pumped file: This file is pumped. MalwareBazaar has de-pumped it.
File size: 491'423'568 bytes
SHA256 hash: 6cbdababcb17ba1760713f9d25ab12e634314e52f9c30b6ee9dda7385eddb52c
MD5 hash: 8133dbd11e351dc1b3ae5bf85605140b
De-pumped file size: 1'715'712 bytes (vs. original size of 491'423'568 bytes)
De-pumped SHA256 hash: ceb3007d4015dd96043315cd91f6c4ff82da1b206921311c8833d76947e92702
De-pumped MD5 hash: 8228b1dcd7b8a7622e25cae632879a10
MIME type: application/x-dosexec
Signature: ArkeiStealer
Vendor Threat Intelligence
Threat name: ByteCode-MSIL.Trojan.Hulk
Status: Malicious
First seen: 2023-01-27 02:57:54 UTC
File type: Binary (Archive)
Extracted files: 51
AV detection: 8 of 37 (21.62%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:vidar botnet:15 discovery evasion persistence spyware stealer trojan
Behaviour:
Checks processor information in registry
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Checks BIOS information in registry
Checks computer location settings
Loads dropped DLL
Modifies file permissions
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Vidar
Malware Config
C2 Extraction:
https://t.me/litlebey
https://steamcommunity.com/profiles/76561199472399815
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_EXE_Packed_DotNetReactor
Author: ditekSHen
Description: Detects executables packed with an unregistered version of .NET Reactor

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: ArkeiStealer
File type: zip
SHA256 hash: 564925c7389e2fdbdcb7231a0752a042257c9ef306b7830633edddb43d1e15c2 (this sample)

Comments