MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6e43eb9d740ae582faabd5f31fb248cc2804b4e5af2a9122f7ae2fefacdf8292. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 9


Intelligence 9 IOCs YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6e43eb9d740ae582faabd5f31fb248cc2804b4e5af2a9122f7ae2fefacdf8292
SHA3-384 hash: 36d72fa58dc52ef146827d82090e2b79533cd00c6027026bdec5a6f38081bb58a2210c70f8d6c52f517aa46cce091a7a
SHA1 hash: 2763c9c0646cf0166c7d4a9c94907ce1d4ab9d78
MD5 hash: cc63cb7d19ca8cffa27530b760c81528
humanhash: fanta-hot-football-wyoming
File name:cc63cb7d19ca8cffa27530b760c81528
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:91'136 bytes
First seen:2021-10-29 06:35:44 UTC
Last seen:2021-10-29 08:55:21 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 1536:mGT6MHTcbGI17LBVpU0sh4BGaL3aumVRl:my3zDABGVu8b
Threatray 578 similar samples on MalwareBazaar
TLSH T10D93FAD2A5CD449FC970D4F21AC693D345FE59E099325603323FBE582B2690FAA63F48
File icon (PE):PE icon
dhash icon 0090929498d0e2f0 (3 x ArkeiStealer, 1 x AsyncRAT, 1 x RedLineStealer)
Reporter zbetcheckin
Tags:32 ArkeiStealer exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
130
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ConsoleApp11.exe
Verdict:
Malicious activity
Analysis date:
2021-10-29 08:26:52 UTC
Tags:
opendir loader stealer
Link:
https://app.any.run/tasks/babaa430-e3dd-478c-8f74-9920f212bcea

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Variant.Bulz.839185.23246.12156.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a window
Launching a service
DNS request
Connection attempt
Sending a custom TCP request
Launching a process
Creating a file in the %temp% directory
Delayed writing of the file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Quasar RAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6653be92-b3dd-4c37-a02a-4a4ddae27856
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/879124
Signature
.NET source code contains potential unpacker
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Self deletion via cmd delete
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6e43eb9d740ae582faabd5f31fb248cc2804b4e5af2a9122f7ae2fefacdf8292/
Threat name:
ByteCode-MSIL.Trojan.Bulz
Create hunting rule
Status:
Malicious
First seen:
2021-10-28 20:09:00 UTC
AV detection:
11 of 27 (40.74%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
2e14b592904e292539d9fc9d57a06df31676d5645ebaa49ebe129044d2d3baa3
ArkeiStealer
551c79b204f49811c9cc3a44b886d076feec99871aedb0d771860de61b6f8059
ArkeiStealer
5a2eff9610a0bdc09557cd54e9ad7e5b93b930359a8e322fb479ab7b1e20cf7d
ArkeiStealer
5ea70d1ccacc9fde5a0f1cf02273de35c8db3fdcf6ec8d5da788fed041a742ac
ArkeiStealer
66a4ad6ad86ac5cc502368cdd94be1164da5fb4da4b2c2048a09c1c37b175f40
ArkeiStealer
70d2439d21209fcc393ca4989fbe1d5966c651345ad9b38bab512dbe9861e2bb
ArkeiStealer
b3c5e8250ec320fd546df876a5be7ca4e9a70696dc2373ce5ff670def95d5238
ArkeiStealer
b8d2d5095e10c9f0c52a6eeb3ecf6ff52858bdb21037749943a8f38d0da36724
ArkeiStealer
ccbded51600db440d54831ff724cf0e988220da4cd069244ade361c959b8c852
ArkeiStealer
e0a642286227876154d27e399aab958ab958f2f2e528c4f4593e9d80c64a87c6
ArkeiStealer
+ 568 additional samples on MalwareBazaar
Result
Malware family:
arkei
Create hunting rule
Score:
  10/10
Tags:
family:arkei botnet: botnet:default discovery spyware stealer
Link:
https://tria.ge/reports/211029-hcxscshecp/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Arkei Stealer Payload
Arkei
Malware Config
C2 Extraction:
http://136.144.41.229/gJCbU1V9y2.php

Unpacked files
SH256 hash:
6e43eb9d740ae582faabd5f31fb248cc2804b4e5af2a9122f7ae2fefacdf8292
MD5 hash:
cc63cb7d19ca8cffa27530b760c81528
SHA1 hash:
2763c9c0646cf0166c7d4a9c94907ce1d4ab9d78
Link:
https://www.unpac.me/results/47f2a6f1-c901-4237-babb-3f6baabdea6d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/6e43eb9d740ae582faabd5f31fb248cc2804b4e5af2a9122f7ae2fefacdf8292

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ArkeiStealer

Executable exe 6e43eb9d740ae582faabd5f31fb248cc2804b4e5af2a9122f7ae2fefacdf8292

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1725547/

Comments


Avatar
zbet commented on 2021-10-29 06:35:45 UTC

url : hxxp://pinace.ddns.net/w/ConsoleApp11.exe