MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7173381414ec85250c6bd3c9b803f2d49b98a7826c8aeea37d9328d5e74d7fb6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ArkeiStealer

Vendor detections: 7

Intelligence 7 IOCs YARA 1 File information Comments 1

SHA256 hash:	7173381414ec85250c6bd3c9b803f2d49b98a7826c8aeea37d9328d5e74d7fb6
SHA3-384 hash:	086d77849abe19237e9cd3ec3bddafc1d79c6481702b33e161a950ab507d49d86e0847848c820ef99b306b08a22e9ad7
SHA1 hash:	8467cf8260ff78b94f57c925e592e377e45782bc
MD5 hash:	9770d8c263122462bd1443a3a1ba6f1e
humanhash:	lamp-timing-mississippi-kentucky
File name:	9770d8c263122462bd1443a3a1ba6f1e
Download:	download sample
Signature	ArkeiStealer Create hunting rule
File size:	203'264 bytes
First seen:	2021-09-03 00:16:23 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	b7ebe503aba8ff6fce4b2b89581116dd (4 x ArkeiStealer, 3 x Stop, 2 x RedLineStealer)
ssdeep	3072:djxcoLwFDjV42bk79wWHlH9Xc1oICD5/tTle5oXtjSwrv9ENPGQCeKJIX:djxLLwFDA79hHlFxp555tVvMGQCeK
Threatray	406 similar samples on MalwareBazaar
TLSH	T1F714BE32BAD0C433D5E6C5704969CEA1167FB8715D64858B36793F2F2D712C2AA2232F
dhash icon	4839b2b4e8c38890 (137 x RaccoonStealer, 37 x Smoke Loader, 30 x RedLineStealer)
Reporter	zbetcheckin
Tags:	32 ArkeiStealer exe

Intelligence

File Origin

# of uploads :

# of downloads :

156

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

9770d8c263122462bd1443a3a1ba6f1e

Verdict:

Malicious activity

Analysis date:

2021-09-03 00:18:26 UTC

Tags:

stealer loader trojan

Link:

https://app.any.run/tasks/1cdbbb95-1ba8-4887-93f8-a212fcb48bf5

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/184975/

Detection(s):

SecuriteInfo.com.W32.AIDetect.malware1.8293.23830.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching the default Windows debugger (dwwin.exe)

DNS request

Connection attempt

Sending an HTTP GET request

Creating a file

Creating a file in the Windows subdirectories

Deleting a recently created file

Reading critical registry keys

Replacing files

Changing a file

Creating a file in the %AppData% subdirectories

Creating a window

Sending a UDP request

Running batch commands

Creating a process with a hidden window

Launching a process

Stealing user critical data

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/8b5a423a-8dc1-45ae-a395-2eef4b8bda69

Result

Threat name:

Unknown

Detection:

malicious

Classification:

spyw

Score:

68 / 100

Link:

https://www.joesandbox.com/analysis/844450

Signature

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Self deletion via cmd delete

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/7173381414ec85250c6bd3c9b803f2d49b98a7826c8aeea37d9328d5e74d7fb6/

Threat name:

Win32.Ransomware.Convagent

Status:

Malicious

First seen:

2021-09-03 00:17:05 UTC

AV detection:

13 of 43 (30.23%)

Threat level:

5/5

Verdict:

suspicious

ArkeiStealer

120a50bdd5effe67ea0270aa7f938039e7a5e6a589a13e9371e381f4d1518dcd

ArkeiStealer

382dbb2ef5f54e3735817318b680935e068749651f702213ab3edfb7842115fd

ArkeiStealer

3d59ac598ad756cfa7d56ea28d85071266ccfbcec2bc952600ff82fec99d633c

ArkeiStealer

5d372a19bbdae072e4fb4ff9deded30dbb40f4a74b54fbf77888a1523e864129

ArkeiStealer

90b9d553b4883ed20e3273a86351f103d10b012dab0c82179bb6b5bfcc188b88

ArkeiStealer

b817002c69c6315e116f14d6fe64151577999eb773842f052fb17d9a7413a53c

ArkeiStealer

e9abbf811d367cf26f493d72ccd96749e534804ac27d36956dce0484b1440f25

ArkeiStealer

+ 396 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

8/10

Tags:

discovery spyware stealer

Link:

https://tria.ge/reports/210903-ak2saafaak/

Behaviour

Checks processor information in registry

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Deletes itself

Loads dropped DLL

Reads user/profile data of web browsers

Downloads MZ/PE file

Unpacked files

SH256 hash:

1f176e8977339c0c1bbeeff314643dc3573ab61c775ed11868d9ee86e9fb525e

MD5 hash:

d37126feef855198ae18050cdfd63779

SHA1 hash:

ac125b74ea35c3410eb549a41aebd0c924a088ed

Link:

https://www.unpac.me/results/33c39eea-884a-47b9-b6f4-994ff7fb7387/

SH256 hash:

7173381414ec85250c6bd3c9b803f2d49b98a7826c8aeea37d9328d5e74d7fb6

MD5 hash:

9770d8c263122462bd1443a3a1ba6f1e

SHA1 hash:

8467cf8260ff78b94f57c925e592e377e45782bc

Link:

https://www.unpac.me/results/33c39eea-884a-47b9-b6f4-994ff7fb7387/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/7173381414ec/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/7173381414ec85250c6bd3c9b803f2d49b98a7826c8aeea37d9328d5e74d7fb6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing potential Windows Defender anti-emulation checks