MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6ebede97ffbf81f04066704a15084a3c6fa2ec8b5fdd3dfae28a2986c35366ff. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ArkeiStealer

Vendor detections: 12

Intelligence 12 IOCs YARA File information Comments

SHA256 hash:	6ebede97ffbf81f04066704a15084a3c6fa2ec8b5fdd3dfae28a2986c35366ff
SHA3-384 hash:	90a807442bcec31fb7d412d77b0e5ebdd7da49fab56062ad64ddbc3fd92cb088e92447a6344ef23f7c4474943c5d26e4
SHA1 hash:	9e70fc07fd9b1ff921bc70bdece1ec808c04cb2e
MD5 hash:	4dde4121803a48dabde19ead92cdfc60
humanhash:	oscar-lemon-violet-solar
File name:	4dde4121803a48dabde19ead92cdfc60.exe
Download:	download sample
Signature	ArkeiStealer Create hunting rule
File size:	1'828'352 bytes
First seen:	2022-03-13 17:15:22 UTC
Last seen:	2022-03-13 18:43:13 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	445554923421947cbff896012e27345a (301 x RedLineStealer, 11 x RaccoonStealer, 5 x CoinMiner)
ssdeep	49152:FEGM6yp5jbXJn+wnuxCeaV2lXyWYho7czNaKYNF:6GM5p5j7h+wuxCeawlCWYho7cxlYNF
Threatray	5'398 similar samples on MalwareBazaar
TLSH	T19185335E8FCF8C4DC31B3A39DB761E356D8743917A6C42EAA167AA00C2371A3BC74915
Reporter	abuse_ch
Tags:	ArkeiStealer exe

Intelligence

File Origin

# of uploads :

# of downloads :

194

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

Setup_x32_x64.exe

Verdict:

Malicious activity

Analysis date:

2022-03-13 09:37:25 UTC

Tags:

evasion trojan rat redline socelars stealer loader opendir phishing arkei vidar ransomware stop

Link:

https://app.any.run/tasks/d899bfe8-7a48-4976-a402-9cf669bc073a

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/249891/

Detection(s):

PUA.Win.Packer.Asprotect-3

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Launching a process

Sending an HTTP GET request

Creating a file

Reading critical registry keys

Changing a file

Creating a file in the %AppData% subdirectories

Creating a window

Сreating synchronization primitives

Running batch commands

Creating a process with a hidden window

Stealing user critical data

Unauthorized injection to a system process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/622e26d8b94fb38cb4725353/reports/03a4ece3-59b4-44a0-bf1d-90a1f16545d9/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Oski Stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/4ec838cb-9adb-4ae6-80fe-52128532e1c5

Result

Threat name:

Vidar

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/955645

Signature

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Contains functionality to detect sleep reduction / modifications

Found evasive API chain (may stop execution after checking computer name)

Found evasive API chain (may stop execution after checking locale)

Found evasive API chain (may stop execution after checking mutex)

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Multi AV Scanner detection for submitted file

PE file has nameless sections

Query firmware table information (likely to detect VMs)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to harvest and steal browser information (history, passwords, etc)

Writes to foreign memory regions

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/6ebede97ffbf81f04066704a15084a3c6fa2ec8b5fdd3dfae28a2986c35366ff/

Threat name:

Win32.Trojan.MarsStealer

Status:

Malicious

First seen:

2022-03-13 15:45:57 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

23 of 27 (85.19%)

Threat level:

5/5

Verdict:

malicious

ArkeiStealer

1b0daf8b1b8a09ae26a72e30fa638b000a991a7dfaf7c9297bec5c7f9d277574

ArkeiStealer

4c132381f51afdc421235e833c3834ff25c0101737aa3a3755c7525db0b0ea8e

ArkeiStealer

72af712564867211f3aabc7d1199f1a3c98abfbae158e182c4bc112a63ca7066

ArkeiStealer

7616d28ae0259737b65234b689f0ed88875aaede87f2408068ad41144dd489d0

ArkeiStealer

94b6f442982377412659b219dffc88f6d171b044c66583cc025335de2f8e6aa4

ArkeiStealer

ba1d27e1521b29f5fabc05094b177131f356588ce26b2e5336910df2bd1cc919

ArkeiStealer

bb1944681aa2fcfd5f372fd44e041a63569b46130540225afc1560a1650d4e37

ArkeiStealer

d7cdfb895940efd584c78b7e56f9ed720491234df489ee9eb9aa98c24714d530

ArkeiStealer

+ 5'388 additional samples on MalwareBazaar

Result

Malware family:

arkei

Score:

10/10

Tags:

family:arkei botnet:default evasion ransomware spyware stealer trojan

Link:

https://tria.ge/reports/220313-vxlbaaafan/

Behaviour

Checks processor information in registry

Delays execution with timeout.exe

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks whether UAC is enabled

Checks BIOS information in registry

Loads dropped DLL

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Arkei

Malware Config

C2 Extraction:

http://62.204.41.133/TnoGfVj67h.php

Unpacked files

SH256 hash:

f81e9eecc15f44ba740277c098f5fcb35e7e3461ea1bc2d6bae795a330483c9c

MD5 hash:

d17437db1ca0cced26b975f22d0ad102

SHA1 hash:

6f1f1d2ce76a022f301bd40b709da9ebdb00b97c

Link:

https://www.unpac.me/results/dc6e2f5e-4081-4810-841b-b3fb9d4113f5/

SH256 hash:

aac85b2d0cbf68905fc30ebdfe5ace1382a875ff4b32463fcdd2c57f17155dc1

MD5 hash:

d00952fe1ad4467fa1bcbdc86e7a7166

SHA1 hash:

b33c68148e65cc29ad38d8ff4a0df24819dcee1a

Link:

https://www.unpac.me/results/dc6e2f5e-4081-4810-841b-b3fb9d4113f5/

SH256 hash:

6ebede97ffbf81f04066704a15084a3c6fa2ec8b5fdd3dfae28a2986c35366ff

MD5 hash:

4dde4121803a48dabde19ead92cdfc60

SHA1 hash:

9e70fc07fd9b1ff921bc70bdece1ec808c04cb2e

Link:

https://www.unpac.me/results/dc6e2f5e-4081-4810-841b-b3fb9d4113f5/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/6ebede97ffbf/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/6ebede97ffbf81f04066704a15084a3c6fa2ec8b5fdd3dfae28a2986c35366ff

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/249891/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample