MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5a2eff9610a0bdc09557cd54e9ad7e5b93b930359a8e322fb479ab7b1e20cf7d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ArkeiStealer

Vendor detections: 9

Intelligence 9 IOCs YARA File information Comments

SHA256 hash:	5a2eff9610a0bdc09557cd54e9ad7e5b93b930359a8e322fb479ab7b1e20cf7d
SHA3-384 hash:	ad5179eba620d9c5ef30d68d214a62d287a2d845811b88032662b1d168a21cb69645da86f4c888d5e4eea64e9d45e93c
SHA1 hash:	d36fc061fa33e05d6af67f7c63fa330e5d7f10ad
MD5 hash:	b1ca646c9d9563a9a43d3a43eac0cec9
humanhash:	spaghetti-edward-chicken-monkey
File name:	b1ca646c9d9563a9a43d3a43eac0cec9.exe
Download:	download sample
Signature	ArkeiStealer Create hunting rule
File size:	156'160 bytes
First seen:	2021-09-27 17:41:26 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	26b2a22c1afb78875d9384441bc03abe (4 x ArkeiStealer, 4 x RedLineStealer, 2 x Stop)
ssdeep	3072:/h4yZqO1ceOtHNf+6hfPXGmJ1k+qfPOkk/z:p4ev17cHNxtpqf2k2
Threatray	476 similar samples on MalwareBazaar
TLSH	T190E3E01278A0E576E7535DB1452BC3E12B3A7D715F65A2633B5827AF2F301F0812B3A2
File icon (PE):
dhash icon	4839b234e8c38890 (121 x RaccoonStealer, 54 x RedLineStealer, 51 x ArkeiStealer)
Reporter	abuse_ch
Tags:	ArkeiStealer exe

Intelligence

File Origin

# of uploads :

# of downloads :

211

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

b1ca646c9d9563a9a43d3a43eac0cec9.exe

Verdict:

Malicious activity

Analysis date:

2021-09-27 17:44:37 UTC

Tags:

trojan

Link:

https://app.any.run/tasks/3f716d3a-4a39-4127-9634-561c1af26954

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Vidar

Link:

https://www.capesandbox.com/analysis/192230/

Detection(s):

SecuriteInfo.com.Packed-GDTB1CA646C9D95.5578.11808.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

DNS request

Connection attempt

Sending an HTTP GET request

Modifying an executable file

Creating a file

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/b7957c82-d867-4db6-a136-ba4eb718e8b2

Result

Threat name:

Vidar

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/859264

Signature

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Self deletion via cmd delete

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/5a2eff9610a0bdc09557cd54e9ad7e5b93b930359a8e322fb479ab7b1e20cf7d/

Threat name:

Win32.Trojan.Racealer

Status:

Malicious

First seen:

2021-09-27 17:42:12 UTC

AV detection:

18 of 28 (64.29%)

Threat level:

5/5

Verdict:

malicious

ArkeiStealer

6995cc187abb7a1e4d973a54078e041eedd383f505174f9ebb3f0b897fa06d60

ArkeiStealer

70d2439d21209fcc393ca4989fbe1d5966c651345ad9b38bab512dbe9861e2bb

ArkeiStealer

b3c5e8250ec320fd546df876a5be7ca4e9a70696dc2373ce5ff670def95d5238

ArkeiStealer

c28e190666a5967096f8c8e3ecd3a62e502fe84eb300113faa3fe06575ea118b

ArkeiStealer

ccbded51600db440d54831ff724cf0e988220da4cd069244ade361c959b8c852

ArkeiStealer

d4928b68e9f811d65718737a7eea99963cc2b9778fb127151e610868fcb9de7e

ArkeiStealer

e29a1c1188926719adc1bece4f4e828ac78c0aaca2cb01e141e6cf7ca5539e6b

ArkeiStealer

edf6beb88780fb3085332f843b73418f52bbf095265dad631cf8e187644cb565

ArkeiStealer

f3caecffb11faf28d31a3f30e39511ab1dbbce621259b73172d94f9a75962d1c

ArkeiStealer

+ 466 additional samples on MalwareBazaar

Result

Malware family:

arkei

Score:

10/10

Tags:

family:arkei discovery spyware stealer

Link:

https://tria.ge/reports/210927-v92h2ahfbn/

Behaviour

Checks processor information in registry

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Deletes itself

Loads dropped DLL

Reads user/profile data of web browsers

Downloads MZ/PE file

Arkei Stealer Payload

Arkei

Suspicious use of NtCreateProcessExOtherParentProcess

Unpacked files

SH256 hash:

4b33410c1350737eb7eb734fb597c32083ae1a60955a871fe914b5ccff23a91a

MD5 hash:

e4e7f7cb036464db3050cf0fe6e7aaec

SHA1 hash:

44d6b2bfa01b4f2f7b3ffbd522d267af35a9cb01

Link:

https://www.unpac.me/results/ed4545bf-1925-439a-9cc7-6817a9d45600/

SH256 hash:

5a2eff9610a0bdc09557cd54e9ad7e5b93b930359a8e322fb479ab7b1e20cf7d

MD5 hash:

b1ca646c9d9563a9a43d3a43eac0cec9

SHA1 hash:

d36fc061fa33e05d6af67f7c63fa330e5d7f10ad

Link:

https://www.unpac.me/results/ed4545bf-1925-439a-9cc7-6817a9d45600/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/5a2eff9610a0/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/5a2eff9610a0bdc09557cd54e9ad7e5b93b930359a8e322fb479ab7b1e20cf7d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ArkeiStealer

exe 5a2eff9610a0bdc09557cd54e9ad7e5b93b930359a8e322fb479ab7b1e20cf7d

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/1603785/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/192230/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample