MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6f943d65dcd851c0f5209915f9da7937b474fe40cb3da03579916ebb4f192e5d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6f943d65dcd851c0f5209915f9da7937b474fe40cb3da03579916ebb4f192e5d
SHA3-384 hash: e9de75081649b9c13f315e86817954d3f23b912074f07fcf79e87007aeebcac65730d94675f27fddb84910c14c2b3436
SHA1 hash: 6727234317ee5318ef83fbef4b0cf2510e262405
MD5 hash: e109ffd6170183fc6e8ab7fcbf07d9f6
humanhash: early-don-butter-blue
File name:e109ffd6170183fc6e8ab7fcbf07d9f6
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:163'328 bytes
First seen:2022-06-15 16:55:40 UTC
Last seen:2022-06-15 17:39:28 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 4e06c011d59529bff8e1f1c88254b928 (29 x MarsStealer, 21 x ArkeiStealer)
ssdeep 3072:UI8DJmXN/8Q8Aum7NK5oLE2qGI9wrCuDACBY07UJSp8Bb8EG:H8Dk38Au2s5+E+UeCqACBBI8EG
Threatray 4'311 similar samples on MalwareBazaar
TLSH T19CF3E06E780E4B6EC87C793BBC8E5E38A83C568C66CC9F1981DC1DA104C546C9E359A7
TrID 38.0% (.EXE) Win64 Executable (generic) (10523/12/4)
23.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
16.3% (.EXE) Win32 Executable (generic) (4505/5/1)
7.3% (.EXE) OS/2 Executable (generic) (2029/13)
7.2% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter zbetcheckin
Tags:32 ArkeiStealer exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
249
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/280241/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Stealer.32841.4611.7035.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Sending an HTTP GET request
Creating a file
Reading critical registry keys
Changing a file
Creating a file in the %AppData% subdirectories
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Sending a custom TCP request
Launching a process
Stealing user critical data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/62aa0f28c07f2e38a149c9d2/reports/c4fa12a9-af17-456b-8e21-3c0aff6da3ef/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Oski Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7171975c-18be-4bed-9f67-24452073190a
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1013856
Signature
Antivirus / Scanner detection for submitted sample
Contains functionality to detect sleep reduction / modifications
Detected unpacking (creates a PE file in dynamic memory)
Found C&C like URL pattern
Found evasive API chain (may stop execution after checking computer name)
Found evasive API chain (may stop execution after checking mutex)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
PE file has nameless sections
Self deletion via cmd or bat file
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6f943d65dcd851c0f5209915f9da7937b474fe40cb3da03579916ebb4f192e5d/
Threat name:
Win32.Trojan.MarsStealer
Create hunting rule
Status:
Malicious
First seen:
2022-06-15 16:56:08 UTC
File Type:
PE (Exe)
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=n6kd2zo43bi4b5jatek7twtzg62hj7sazm62anlzsfxlwtyzfzoq._file
Verdict:
malicious
Similar samples:
170872babd88df2e2ab45b85d2a140711bed972625e8d826d508f81f811283ec
ArkeiStealer
18a51631909a8b72c610fa2b7640530cbe0dbfcc73a8e84af917fa797dded717
ArkeiStealer
27223530f9da259a9f2318b525399a30f5656ca4d2951d76af8039484d8f3e74
ArkeiStealer
34ba222ef969f09ecca5506cbada7c346469a96a6af0cdd21146d4435196deda
ArkeiStealer
4def4ad12c7aab38e6248c20e211272f1c920a0295c8beda6228543e58c2129c
ArkeiStealer
672fea64c92edc4d937d3132577b65813738bfddeab6a6b3ef35e6fa4b987009
ArkeiStealer
739c117bf4f36301346c45dedccdccfef781bcf4863f4e200691f4b89641bf11
ArkeiStealer
de147d635d7404111032d34845dd05eddc00ae6ecf0814d89eed3c6a81c06629
ArkeiStealer
df4876573295b4e7beb618db31a015ea617f61b811978bb168d432c4052f7731
ArkeiStealer
+ 4'301 additional samples on MalwareBazaar
Result
Malware family:
arkei
Create hunting rule
Score:
  10/10
Tags:
family:arkei botnet:default discovery spyware stealer suricata
Link:
https://tria.ge/reports/220615-vfnp3sbbc2/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks computer location settings
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Arkei
suricata: ET MALWARE Base64 Encoded Stealer Config from Server - APPDATA or USERPROFILE Environment Variable M4
suricata: ET MALWARE Generic Request to gate.php Dotted-Quad
suricata: ET MALWARE Generic gate .php GET with minimal headers
suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers
suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer
suricata: ET MALWARE Win32/Vidar Variant/Mars CnC Activity (GET)
suricata: ET MALWARE Win32/Vidar Variant/Mars Stealer CnC Exfil
Unpacked files
SH256 hash:
1fb5306a8f9349f2bc9392313ae49235813c9a7557002c83d795f47180d5e4a6
MD5 hash:
414a4916aad7b9e6a54ebfb37fd4842b
SHA1 hash:
ffd8fe35f7b42e4511ef34d4e12203a1bbe1a57b
Link:
https://www.unpac.me/results/55e10fd8-46cd-4b63-a31b-8070c6cdc42b/
SH256 hash:
6f943d65dcd851c0f5209915f9da7937b474fe40cb3da03579916ebb4f192e5d
MD5 hash:
e109ffd6170183fc6e8ab7fcbf07d9f6
SHA1 hash:
6727234317ee5318ef83fbef4b0cf2510e262405
Link:
https://www.unpac.me/results/55e10fd8-46cd-4b63-a31b-8070c6cdc42b/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6f943d65dcd8/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6f943d65dcd851c0f5209915f9da7937b474fe40cb3da03579916ebb4f192e5d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:exploit_any_poppopret
Create hunting rule
Author:Jeff White [karttoon@gmail.com] @noottrak
Description:Identify POP -> POP -> RET opcodes for quick ROP Gadget creation in target binaries.
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ArkeiStealer

Executable exe 6f943d65dcd851c0f5209915f9da7937b474fe40cb3da03579916ebb4f192e5d

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2239332/
Cape
Cape
https://www.capesandbox.com/analysis/280241/

Comments


Avatar
zbet commented on 2022-06-15 16:55:48 UTC

url : hxxp://srv30763236.ultasrv.com/HsJzA.exe