MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 63f01e322665557daf9d9ceb3f8018d0d9326926bf14acab9796bcb342890a79. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ArkeiStealer

Vendor detections: 10

Intelligence 10 IOCs YARA File information Comments

SHA256 hash:	63f01e322665557daf9d9ceb3f8018d0d9326926bf14acab9796bcb342890a79
SHA3-384 hash:	783a1fb586274517f958138fa7e996c1f87befb53c652ec571081853026f9d6cd43103f6db963b78864ba48f1ea3f349
SHA1 hash:	3936c959809460d48281fddf85652c36843c150f
MD5 hash:	b287beb3f363b4e61f59bf2b715b90a7
humanhash:	steak-delta-arizona-queen
File name:	b287beb3f363b4e61f59bf2b715b90a7.exe
Download:	download sample
Signature	ArkeiStealer Create hunting rule
File size:	325'120 bytes
First seen:	2022-02-07 14:54:22 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	a4da89cf7279b64e418bdf5c01100db9 (1 x RaccoonStealer, 1 x ArkeiStealer, 1 x DCRat)
ssdeep	6144:pn+KDUWwaCZTI8IAsgtzt7ITsqziga/UHk:t+KD5wXs8bsuZ7VHUH
Threatray	805 similar samples on MalwareBazaar
TLSH	T1EE64BEC176A1D472C4913D308861CBE15A3BBC31DA60A10BF778BB6F6EB53D99632742
File icon (PE):
dhash icon	a1bcdcac9cccb48c (9 x RaccoonStealer, 6 x ArkeiStealer, 3 x Loki)
Reporter	abuse_ch
Tags:	ArkeiStealer exe

Intelligence

File Origin

# of uploads :

# of downloads :

128

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/235894/

Detection(s):

Win.Dropper.Raccoon-9916366-0

Win.Dropper.LokiBot-9938483-0

Win.Packed.Filerepmalware-9938574-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

DNS request

Creating a file

Reading critical registry keys

Changing a file

Creating a file in the %AppData% subdirectories

Creating a window

Сreating synchronization primitives

Running batch commands

Creating a process with a hidden window

Launching a process

Launching the default Windows debugger (dwwin.exe)

Sending a custom TCP request

Query of malicious DNS domain

Stealing user critical data

Sending an HTTP GET request to an infection source

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/6260/overview

Behaviour

SystemUptime

MeasuringTime

EvasionGetTickCount

CheckCmdLine

EvasionQueryPerformanceCounter

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware

Link:

https://www.filescan.io/uploads/620132cb845a69d77349b5fe/reports/58c8b104-9167-45d4-a306-b0c35f33880f/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/5749d3b0-0c54-4d5c-86fe-d881330e1b1e

Result

Threat name:

Vidar

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/935260

Behaviour

Behavior Graph:

n/a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/63f01e322665557daf9d9ceb3f8018d0d9326926bf14acab9796bcb342890a79/

Threat name:

Win32.Ransomware.StopCrypt

Status:

Malicious

First seen:

2022-02-07 14:55:16 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

24 of 28 (85.71%)

Threat level:

5/5

Verdict:

malicious

ArkeiStealer

7a7c19f6fb76910063eacc921a204e55b57ae3bbe824f0d8b2623ee17953ec40

ArkeiStealer

81046b6948cd3b8ca105c0580b8aecabaff132161125328e49925570b6b22b80

ArkeiStealer

892504033a259f380c1e2a35db15b95bffcff4f96c36a84731afde6c5b35371a

ArkeiStealer

8bb345912903d2f964cf381e57b5aa02e86a9236f0c365b41920069f80fa8bac

ArkeiStealer

95e4e83e579f6195b85751b47686f0a3a42933caac2c1c2afd73bd35b00ad981

ArkeiStealer

d6f82559be32a5739fd1c6a1eade697c8d90c331ec31cc7690dd2fdb4e70ab74

ArkeiStealer

e069ce2651bc7095e62c6a919fee34c696eb76995b5ef58d5311d89218847fd0

ArkeiStealer

+ 795 additional samples on MalwareBazaar

Result

Malware family:

arkei

Score:

10/10

Tags:

family:arkei botnet:default discovery spyware stealer

Link:

https://tria.ge/reports/220207-sahwjaddg7/

Behaviour

Checks processor information in registry

Delays execution with timeout.exe

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Deletes itself

Loads dropped DLL

Reads user/profile data of web browsers

Downloads MZ/PE file

Arkei Stealer Payload

Arkei

Malware Config

C2 Extraction:

http://coin-file-file-19.com/tratata.php

Unpacked files

SH256 hash:

69ba4e2995d6b11bb319d7373d150560ea295c02773fe5aa9c729bfd2c334e1e

MD5 hash:

58922177676773ec3324c33734ae9ef9

SHA1 hash:

ce0a3cae8ee18c6d1f22361224b3692d61d5d7a2

Link:

https://www.unpac.me/results/6397d31f-d29f-42b3-b0e8-663d56a35b13/

SH256 hash:

63f01e322665557daf9d9ceb3f8018d0d9326926bf14acab9796bcb342890a79

MD5 hash:

b287beb3f363b4e61f59bf2b715b90a7

SHA1 hash:

3936c959809460d48281fddf85652c36843c150f

Link:

https://www.unpac.me/results/6397d31f-d29f-42b3-b0e8-663d56a35b13/

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ArkeiStealer

exe 63f01e322665557daf9d9ceb3f8018d0d9326926bf14acab9796bcb342890a79

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/1988764/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/235894/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample