MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 71ee360efd0c5763ed9799acb28286af193392d18416535eec639cc7a4a258eb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 71ee360efd0c5763ed9799acb28286af193392d18416535eec639cc7a4a258eb
SHA3-384 hash: 7224cd0608ea13b75d27f732b9087db8ff9c892836999b9dd76d3b770f98ecc4e2af7fc3b33a1a4743c27f92eb3b10d9
SHA1 hash: eaad647ae0ac3681fc1fceb224e6f986234e3978
MD5 hash: 85616aee4378a829d366178f044da0c8
humanhash: illinois-green-winner-idaho
File name:85616aee4378a829d366178f044da0c8.exe
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:4'461'808 bytes
First seen:2022-11-27 12:30:21 UTC
Last seen:2022-11-27 14:29:13 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 407e3b5378b3b0b56c578f72b3227fa9 (5 x ArkeiStealer)
ssdeep 98304:om9vCApJPC8/VaFW3HKAPM8Njel8kLX4tkmTT6t:omZZpJPCwsFkhrN6/yzSt
Threatray 16'752 similar samples on MalwareBazaar
TLSH T1832633B6FB771885D9D70AB37642D84E2F50A13B9E082261B24F5EA14A3473FC9C24DD
TrID 52.9% (.EXE) Win32 Executable (generic) (4505/5/1)
23.5% (.EXE) Generic Win/DOS Executable (2002/3)
23.5% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon c8c686c08286e071 (2 x ArkeiStealer)
Reporter abuse_ch
Tags:ArkeiStealer exe signed

Code Signing Certificate

Organisation:Logitech Z-708 Template GIT ~
Issuer:Logitech Z-708 Template GIT ~
Algorithm:sha1WithRSAEncryption
Valid from:2022-11-23T14:10:52Z
Valid to:2032-11-24T14:10:52Z
Serial number: 55febdd61f39d0a146ffbf154157a7b5
Intelligence: 3 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 43f83ffd00246daaf10afaf11b5bb28c5fdf00f119fda89f0bb040b056ddab76
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
abuse_ch
ArkeiStealer C2:
http://95.217.31.208/

Intelligence

File Origin
# of uploads :
2
# of downloads :
259
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
vidar
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2022-11-24 20:07:16 UTC
Tags:
installer loader trojan stealer vidar
Link:
https://app.any.run/tasks/f5da79ef-2bcb-48a2-a4ee-c737bbe176ca

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/339025/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.63862519.23710.12198.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for analyzing tools
Searching for the window
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Reading critical registry keys
Running batch commands
Creating a process with a hidden window
Launching a process
Stealing user critical data
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/6383588794f9bac087b381cc/reports/d427f263-a236-4e4c-b2d4-892d839e6cd3/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6a1336c6-89bc-499c-8c13-bb4fc208a31d
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1121906
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Creates an undocumented autostart registry key
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Hides threads from debuggers
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Query firmware table information (likely to detect VMs)
Self deletion via cmd or bat file
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 754623 Sample: WUo5Kl5KXw.exe Startdate: 27/11/2022 Architecture: WINDOWS Score: 100 112 Malicious sample detected (through community Yara rule) 2->112 114 Antivirus detection for URL or domain 2->114 116 Antivirus detection for dropped file 2->116 118 4 other signatures 2->118 9 WUo5Kl5KXw.exe 26 2->9         started        14 gntuud.exe 2->14         started        process3 dnsIp4 84 149.154.167.99 TELEGRAMRU United Kingdom 9->84 86 89.208.104.172 PSKSET-ASRU Russian Federation 9->86 88 2 other IPs or domains 9->88 70 C:\Users\user\AppData\...\filename[1].exe, PE32 9->70 dropped 72 C:\Users\user\AppData\Local\...\bebra[1].exe, PE32+ 9->72 dropped 74 C:\Users\user\AppData\Local\...\412[1].exe, PE32+ 9->74 dropped 76 3 other malicious files 9->76 dropped 120 Detected unpacking (changes PE section rights) 9->120 122 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 9->122 124 Query firmware table information (likely to detect VMs) 9->124 126 7 other signatures 9->126 16 31940662595513603590.exe 3 9->16         started        20 77081938077207545602.exe 3 9->20         started        22 94856549359752409649.exe 9->22         started        25 cmd.exe 1 9->25         started        file5 signatures6 process7 dnsIp8 66 C:\Users\user\AppData\Local\...\gntuud.exe, PE32 16->66 dropped 94 Detected unpacking (changes PE section rights) 16->94 96 Detected unpacking (overwrites its own PE header) 16->96 98 Machine Learning detection for dropped file 16->98 100 Contains functionality to inject code into remote processes 16->100 27 gntuud.exe 18 16->27         started        68 C:\ProgramData\...\IntelGAS-Ver2.5.5.8.exe, PE32+ 20->68 dropped 102 Multi AV Scanner detection for dropped file 20->102 104 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 20->104 106 Tries to detect virtualization through RDTSC time measurements 20->106 32 schtasks.exe 20->32         started        34 icacls.exe 20->34         started        36 icacls.exe 20->36         started        38 icacls.exe 20->38         started        82 216.58.215.238 GOOGLEUS United States 22->82 108 Antivirus detection for dropped file 22->108 110 Tries to harvest and steal browser information (history, passwords, etc) 22->110 40 cmd.exe 1 22->40         started        42 conhost.exe 25->42         started        44 timeout.exe 1 25->44         started        file9 signatures10 process11 dnsIp12 90 77.73.134.66 FIBEROPTIXDE Kazakhstan 27->90 78 C:\Users\user\AppData\Roaming\...\cred64.dll, PE32 27->78 dropped 80 C:\Users\user\AppData\Local\...\cred64[1].dll, PE32 27->80 dropped 128 Detected unpacking (changes PE section rights) 27->128 130 Detected unpacking (overwrites its own PE header) 27->130 132 Creates an undocumented autostart registry key 27->132 134 2 other signatures 27->134 46 rundll32.exe 27->46         started        50 schtasks.exe 27->50         started        52 conhost.exe 32->52         started        54 conhost.exe 34->54         started        56 conhost.exe 36->56         started        58 conhost.exe 38->58         started        60 conhost.exe 40->60         started        62 choice.exe 1 40->62         started        file13 signatures14 process15 dnsIp16 92 192.168.2.6 unknown unknown 46->92 136 System process connects to network (likely due to code injection or exploit) 46->136 138 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 46->138 140 Tries to steal Instant Messenger accounts or passwords 46->140 142 2 other signatures 46->142 64 conhost.exe 50->64         started        signatures17 process18
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/71ee360efd0c5763ed9799acb28286af193392d18416535eec639cc7a4a258eb/
Threat name:
Win32.Infostealer.Bandra
Create hunting rule
Status:
Malicious
First seen:
2022-11-25 03:11:10 UTC
File Type:
PE (Exe)
Extracted files:
105
AV detection:
12 of 26 (46.15%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ohxdmdx5brlwh3mxtgwlfaugv4mthewrqqlfgxxmmoompjfcldvq._file
Verdict:
malicious
Similar samples:
8864cd7cbc654d6a0abd75fe8152562f1a9837122bf829832fb4093be252b2e2
ArkeiStealer
88f86b01cb6078c58fd2d5ab9f1beb7c24fa1e4b71e1ca558678d7718c418b66
ArkeiStealer
b9e2df677315f07b08f43626c99817ab16c1aceb5812b2ea20cdbc96cdbead4a
ArkeiStealer
de96e27483b81bec57e86f32954d7de623bb7a6c89aefa721c136fb60d148768
ArkeiStealer
f763556b253fa22454cdc3e21f288cfcf360c4938b14258ee00e9a3c0e39ae17
ArkeiStealer
+ 16'742 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:vidar botnet:1707 collection discovery evasion spyware stealer trojan
Link:
https://tria.ge/reports/221127-pp2emsgd73/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
outlook_win_path
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses 2FA software files, possible credential harvesting
Accesses Microsoft Outlook profiles
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
Checks BIOS information in registry
Checks computer location settings
Deletes itself
Loads dropped DLL
Modifies file permissions
Reads local data of messenger clients
Reads user/profile data of web browsers
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Amadey
Detect Amadey credential stealer module
Vidar
Malware Config
C2 Extraction:
https://t.me/headshotsonly
https://steamcommunity.com/profiles/76561199436777531
77.73.134.66/o7Vsjd3a2f/index.php
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/59577f27-2e11-493f-9c74-e90bfb0a68a2
Unpacked files
SH256 hash:
291889baacad5d0e43214517eb8b62a9558e9db9ea1f2edb5cb674394a1e8846
MD5 hash:
06dc82be31c9533ab018e4943e5f18ef
SHA1 hash:
f09f2e24d9e696ecd5a21a5054ba34a57c0cf930
Link:
https://www.unpac.me/results/62b6de32-a07a-4c96-a463-485e59bcbcd5/
SH256 hash:
71ee360efd0c5763ed9799acb28286af193392d18416535eec639cc7a4a258eb
MD5 hash:
85616aee4378a829d366178f044da0c8
SHA1 hash:
eaad647ae0ac3681fc1fceb224e6f986234e3978
Link:
https://www.unpac.me/results/62b6de32-a07a-4c96-a463-485e59bcbcd5/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Arkei Stealer
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/71ee360efd0c5763ed9799acb28286af193392d18416535eec639cc7a4a258eb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_MPress
Create hunting rule
Author:ditekSHen
Description:Detects executables built or packed with MPress PE compressor
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/339025/

Comments