MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 654574c360fcb5a7eb4f693d99d5f0c4e32f96b219a7327d41b39d7d5acde953. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 654574c360fcb5a7eb4f693d99d5f0c4e32f96b219a7327d41b39d7d5acde953
SHA3-384 hash: 4a42f2590e32f3306935174644732bc3b396a618465ddde8b209a56f423249e6377dcdddfa9f8d1a85d40b3cb2f88f8f
SHA1 hash: 65edc531c1313df4adbff520b31a998becbd6760
MD5 hash: 765885e4a5bf2b58911c445e2ba0f7df
humanhash: bluebird-mexico-bluebird-enemy
File name:765885e4a5bf2b58911c445e2ba0f7df.exe
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:2'207'616 bytes
First seen:2021-12-28 07:18:27 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 9e9b258b5302ad09f6f0e1033167a77f (1 x ArkeiStealer)
ssdeep 49152:3C4rV+yASntPTt3o37ySGjHACR/SX08HZ11AGq2dpJ4Wu:yMAmPp4LqB98W92dbG
Threatray 8'470 similar samples on MalwareBazaar
TLSH T1F9A533D6E1C1C8A0CC3803394EBB8CF60637BE9A7174683F776E77611673285A41AA57
File icon (PE):PE icon
dhash icon f0e1cc9e86243878 (1 x ArkeiStealer)
Reporter abuse_ch
Tags:ArkeiStealer exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
210
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
765885e4a5bf2b58911c445e2ba0f7df.exe
Verdict:
Malicious activity
Analysis date:
2021-12-28 07:21:34 UTC
Tags:
loader stealer
Link:
https://app.any.run/tasks/06944aa7-eade-4f7f-8752-92389ae73750

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/216660/
Detection(s):
Win.Dropper.Obsidium-9917799-0
Create hunting rule

Win.Malware.Generic-9918574-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for analyzing tools
Searching for the window
Сreating synchronization primitives
DNS request
Sending an HTTP GET request
Creating a file
Reading critical registry keys
Sending a custom TCP request
Changing a file
Creating a file in the %AppData% subdirectories
Running batch commands
Creating a process with a hidden window
Launching a process
Stealing user critical data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/61caba6c4ab5c44cbf54709d/reports/29e6e6a9-00cd-46f9-a623-08c177f2b0ab/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1fa45f54-743a-4106-af61-c381b8b865a9
Result
Threat name:
Unknown
Detection:
malicious
Classification:
rans.spyw.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/913382
Signature
Hides threads from debuggers
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Self deletion via cmd delete
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to evade analysis by execution special instruction which cause usermode exception
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 545860 Sample: Y5sJGPcVCK.exe Startdate: 28/12/2021 Architecture: WINDOWS Score: 84 24 Multi AV Scanner detection for submitted file 2->24 7 Y5sJGPcVCK.exe 139 2->7         started        process3 dnsIp4 22 185.7.214.239, 49751, 80 DELUNETDE France 7->22 18 C:\Users\user\AppData\...\sqlite3[1].dll, PE32 7->18 dropped 20 C:\ProgramData\sqlite3.dll, PE32 7->20 dropped 26 Query firmware table information (likely to detect VMs) 7->26 28 Tries to detect sandboxes and other dynamic analysis tools (window names) 7->28 30 Self deletion via cmd delete 7->30 32 6 other signatures 7->32 12 cmd.exe 1 7->12         started        file5 signatures6 process7 process8 14 conhost.exe 12->14         started        16 timeout.exe 1 12->16         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/654574c360fcb5a7eb4f693d99d5f0c4e32f96b219a7327d41b39d7d5acde953/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-12-27 20:59:29 UTC
File Type:
PE (Exe)
Extracted files:
10
AV detection:
19 of 43 (44.19%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
0091825486c2d7cfdee49e98c6795be8d32a7f50a68e0d33542b1f047fb7ed7a
ArkeiStealer
0533463b6983139e071f35584203c27ef68a7d4dfde1c63b2155a2d7ed8afb6a
ArkeiStealer
2d45c9f984150cbeafd07b26b269baefdb497d6e5687e8a0633601e9083afed1
ArkeiStealer
89e3b00acfc8b0904398665280312cf9a2b426db3eb77b2e5303131de48a2dde
ArkeiStealer
8ecb9b6e425216f33b0dad4e296680bfab382d7be119b9348eb523e55abd49cc
ArkeiStealer
90618d3aa5146d27b46476a4c7bfcc2e5323b74dcbcf2c0af6b4f00c4c2d9297
ArkeiStealer
b817002c69c6315e116f14d6fe64151577999eb773842f052fb17d9a7413a53c
ArkeiStealer
d303ff1d8ecf2f8c4d19465c207d6b3e6085318452f7177cee9223632a0fead8
ArkeiStealer
e558134f888d403ba60d7db59978502a9071951528cd4873bd4702921012d69e
ArkeiStealer
f4f37faf7b52b7544ee58a029dcc54a71941aedcdd2b4eacda2f39c3217aad48
ArkeiStealer
+ 8'460 additional samples on MalwareBazaar
Result
Malware family:
arkei
Create hunting rule
Score:
  10/10
Tags:
family:arkei discovery evasion spyware stealer trojan
Link:
https://tria.ge/reports/211228-h5jffadef4/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
Checks BIOS information in registry
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Arkei Stealer Payload
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Arkei
Unpacked files
SH256 hash:
20b4757195bb30d57412919ac279349377ea7a1f1d6062008e00d663be7866f5
MD5 hash:
f07bf141f6599ed92941305fb3a712ed
SHA1 hash:
7a0d3fbaf79ec550801b2ff68f15a1a20fe4d96d
Link:
https://www.unpac.me/results/7176e168-fef5-4e4a-b7ad-a03e34b6cdd3/
SH256 hash:
654574c360fcb5a7eb4f693d99d5f0c4e32f96b219a7327d41b39d7d5acde953
MD5 hash:
765885e4a5bf2b58911c445e2ba0f7df
SHA1 hash:
65edc531c1313df4adbff520b31a998becbd6760
Link:
https://www.unpac.me/results/7176e168-fef5-4e4a-b7ad-a03e34b6cdd3/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/654574c360fc/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.83
Link:
https://yomi.yoroi.company/submissions/654574c360fcb5a7eb4f693d99d5f0c4e32f96b219a7327d41b39d7d5acde953

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ArkeiStealer

Executable exe 654574c360fcb5a7eb4f693d99d5f0c4e32f96b219a7327d41b39d7d5acde953

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1920198/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/216660/

Comments