MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6351ac2c5e0124556db67bf3ad64416420ff710515c43004e33e6d64b5e9ef29. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6351ac2c5e0124556db67bf3ad64416420ff710515c43004e33e6d64b5e9ef29
SHA3-384 hash: 378fea7cb873ec6ade22caa987676105665485d3b7e7fd4c3836a688a26a83a34be9b0e7c661d1842644a52fe441318f
SHA1 hash: 2eec29bb4c7ef1246a4acf204b84a0596357e0a1
MD5 hash: 89f5cfea81898ff7a400d1d44b7ee76a
humanhash: nineteen-salami-foxtrot-foxtrot
File name:89f5cfea81898ff7a400d1d44b7ee76a.exe
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:397'312 bytes
First seen:2022-06-17 05:59:46 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash d16b449ac6356f89498f6db2ceb841d8 (1 x ArkeiStealer, 1 x RedLineStealer)
ssdeep 12288:BMScdfiAMIYUWOshK14iyV4zH0cF25ODyJ27:aJpYUIK14ilzFLDyJ2
TLSH T1D684BF10BA90C035F6F702F45AB6A36CB52EBAE0576490CF52E556EE57386E0EC3131B
TrID 40.5% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
17.0% (.SCR) Windows screen saver (13101/52/3)
13.6% (.EXE) Win64 Executable (generic) (10523/12/4)
8.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon 2dac137039939b91 (13 x RedLineStealer, 9 x Amadey, 9 x Smoke Loader)
Reporter abuse_ch
Tags:ArkeiStealer exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
247
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
socelars
Create hunting rule
ID:
1
File name:
Setup.exe
Verdict:
Malicious activity
Analysis date:
2022-06-16 19:39:26 UTC
Tags:
evasion trojan socelars stealer rat redline loader ransomware stop
Link:
https://app.any.run/tasks/010ed8fb-3aa7-4e1d-a0e8-3fe07460b76a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/280836/
Detection(s):
Win.Packed.Generic-9952003-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Reading critical registry keys
Stealing user critical data
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/21690/overview
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
CheckCmdLine
EvasionGetTickCount
EvasionQueryPerformanceCounter
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware packed vidar
Link:
https://www.filescan.io/uploads/62ac1865b0582adf05acde8a/reports/7d2d407b-4bd0-46ff-be1c-56373df237d7/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Arkei Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a6d6905d-470d-4d4c-9318-ba14d34ba91d
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1014919
Signature
Antivirus detection for URL or domain
Detected unpacking (creates a PE file in dynamic memory)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6351ac2c5e0124556db67bf3ad64416420ff710515c43004e33e6d64b5e9ef29/
Threat name:
Win32.Trojan.Raccrypt
Create hunting rule
Status:
Malicious
First seen:
2022-06-14 20:10:26 UTC
File Type:
PE (Exe)
Extracted files:
10
AV detection:
33 of 40 (82.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mni2ylc6aesfk3nwppz22zcbmqqp64ifcxcdabhdhzwwjnpj54uq._file
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar botnet:517 discovery spyware stealer suricata
Link:
https://tria.ge/reports/220617-gqbavadbf5/
Behaviour
Checks processor information in registry
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads local data of messenger clients
Reads user/profile data of web browsers
Vidar Stealer
Vidar
suricata: ET MALWARE W32/Agent.OGR!tr.pws Stealer
Malware Config
C2 Extraction:
https://t.me/tg_dailylessons
https://busshi.moe/@olegf9844xx
Unpacked files
SH256 hash:
ccd0dda0b9f7a8c24f4e2d88b404ae09e24e6415fa9b2aeb032892e63dc2357c
MD5 hash:
2c5000a835f83f59d8a571dc9efc7b6f
SHA1 hash:
c3d64008150c63ed6b1e0bf36da36f1046342dd8
Link:
https://www.unpac.me/results/fa717cd9-a758-4aed-94fc-902e3f530281/
SH256 hash:
6351ac2c5e0124556db67bf3ad64416420ff710515c43004e33e6d64b5e9ef29
MD5 hash:
89f5cfea81898ff7a400d1d44b7ee76a
SHA1 hash:
2eec29bb4c7ef1246a4acf204b84a0596357e0a1
Link:
https://www.unpac.me/results/fa717cd9-a758-4aed-94fc-902e3f530281/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6351ac2c5e0124556db67bf3ad64416420ff710515c43004e33e6d64b5e9ef29

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:exploit_any_poppopret
Create hunting rule
Author:Jeff White [karttoon@gmail.com] @noottrak
Description:Identify POP -> POP -> RET opcodes for quick ROP Gadget creation in target binaries.
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/280836/

Comments