MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6d2da68fe587e925bf033bbe461648f1df4b19ed179e460368091d5804973546. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ArkeiStealer

Vendor detections: 10

Intelligence 10 IOCs YARA File information Comments

SHA256 hash:	6d2da68fe587e925bf033bbe461648f1df4b19ed179e460368091d5804973546
SHA3-384 hash:	675742be17554b1bda7fe5c3e6810c9f1afff09dd93b0711816d1961bee37b16bcaf11d4ebe3ea23451eb4b03ee32ea3
SHA1 hash:	9b638147d23fe9a92d8cda51222a854796dc93b2
MD5 hash:	3ebe53a0ba9db8f001380511e9c21308
humanhash:	sink-spaghetti-paris-shade
File name:	3ebe53a0ba9db8f001380511e9c21308.exe
Download:	download sample
Signature	ArkeiStealer Create hunting rule
File size:	272'384 bytes
First seen:	2022-02-08 18:52:57 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	87aefbd068a4f8006308eb232c83c777 (1 x ArkeiStealer)
ssdeep	3072:cHBzo8HP8aFHanEioirEW+rbwtnfyipnc+caQsWtVMQM:cHoaFHRPo+gfyFtVMQ
Threatray	816 similar samples on MalwareBazaar
TLSH	T1D044BE9172B0D473C89619719434CBF03ABAB87319B1864B77682B2E6F702D15B3A35F
File icon (PE):
dhash icon	38b078eccacccc43 (88 x Smoke Loader, 38 x Stop, 33 x RedLineStealer)
Reporter	abuse_ch
Tags:	ArkeiStealer exe

Intelligence

File Origin

# of uploads :

# of downloads :

151

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/238533/

Detection(s):

Win.Dropper.LokiBot-9938483-0

Win.Packed.Filerepmalware-9938574-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

DNS request

Creating a file

Reading critical registry keys

Changing a file

Creating a file in the %AppData% subdirectories

Creating a window

Сreating synchronization primitives

Running batch commands

Creating a process with a hidden window

Launching a process

Launching the default Windows debugger (dwwin.exe)

Query of malicious DNS domain

Stealing user critical data

Sending an HTTP GET request to an infection source

Result

Malware family:

n/a

Score:

9/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/6403/overview

Behaviour

MalwareBazaar

MeasuringTime

SystemUptime

CPUID_Instruction

EvasionQueryPerformanceCounter

EvasionGetTickCount

CheckCmdLine

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware

Link:

https://www.filescan.io/uploads/6202bcce845a69d7734ecc3d/reports/d7e4dbef-d8f2-42d6-ab97-7dc725af4afb/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/f905bad7-880f-4926-bf29-31bb2c43a5ac

Result

Threat name:

Vidar

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/936394

Behaviour

Behavior Graph:

n/a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/6d2da68fe587e925bf033bbe461648f1df4b19ed179e460368091d5804973546/

Threat name:

Win32.Ransomware.StopCrypt

Status:

Malicious

First seen:

2022-02-08 18:53:09 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

24 of 27 (88.89%)

Threat level:

5/5

Verdict:

malicious

ArkeiStealer

6a3d626d0ab359b8e7a3d3ea8551f3e948c26f74465c65e1f02f6aa76163fa2b

ArkeiStealer

7a7c19f6fb76910063eacc921a204e55b57ae3bbe824f0d8b2623ee17953ec40

ArkeiStealer

892504033a259f380c1e2a35db15b95bffcff4f96c36a84731afde6c5b35371a

ArkeiStealer

95e4e83e579f6195b85751b47686f0a3a42933caac2c1c2afd73bd35b00ad981

ArkeiStealer

af138c1b86f37a90982bf31a77b736435c0d94b0c273b1005d1313305d5c7d58

ArkeiStealer

b4564966c74ea17badd252d6c1b3a052f869e69d0c7cbbcb776af245135e9917

ArkeiStealer

d6f82559be32a5739fd1c6a1eade697c8d90c331ec31cc7690dd2fdb4e70ab74

ArkeiStealer

e069ce2651bc7095e62c6a919fee34c696eb76995b5ef58d5311d89218847fd0

ArkeiStealer

+ 806 additional samples on MalwareBazaar

Result

Malware family:

arkei

Score:

10/10

Tags:

family:arkei botnet:default discovery spyware stealer

Link:

https://tria.ge/reports/220208-xjmnasdca7/

Behaviour

Checks processor information in registry

Delays execution with timeout.exe

Enumerates system info in registry

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Drops file in Windows directory

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Checks computer location settings

Deletes itself

Loads dropped DLL

Reads user/profile data of web browsers

Downloads MZ/PE file

Arkei Stealer Payload

Arkei

Suspicious use of NtCreateProcessExOtherParentProcess

Malware Config

C2 Extraction:

http://coin-file-file-19.com/tratata.php

Unpacked files

SH256 hash:

69ba4e2995d6b11bb319d7373d150560ea295c02773fe5aa9c729bfd2c334e1e

MD5 hash:

58922177676773ec3324c33734ae9ef9

SHA1 hash:

ce0a3cae8ee18c6d1f22361224b3692d61d5d7a2

Link:

https://www.unpac.me/results/ee0c56a4-fda8-4e14-9a38-0e26983ba2ff/

SH256 hash:

6d2da68fe587e925bf033bbe461648f1df4b19ed179e460368091d5804973546

MD5 hash:

3ebe53a0ba9db8f001380511e9c21308

SHA1 hash:

9b638147d23fe9a92d8cda51222a854796dc93b2

Link:

https://www.unpac.me/results/ee0c56a4-fda8-4e14-9a38-0e26983ba2ff/

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ArkeiStealer

exe 6d2da68fe587e925bf033bbe461648f1df4b19ed179e460368091d5804973546

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/1988764/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/238533/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample