MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 723597992f5b76dfc24d1250b735a97d8fadd1b93a816512770078a102c01ffb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 723597992f5b76dfc24d1250b735a97d8fadd1b93a816512770078a102c01ffb
SHA3-384 hash: b245cbff55df62ce3491a15a9eb08b0ae87e0c0865a21dce2a341e6a0c0d86e6cdef9cb2801bab276f78a6eba3773066
SHA1 hash: 066211e44c00b9c2b71d972b70a69973a0f2e3e2
MD5 hash: b1aaf5f9399bfc5127885fc30a9d2710
humanhash: mountain-nine-massachusetts-mexico
File name:b1aaf5f9399bfc5127885fc30a9d2710
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:662'528 bytes
First seen:2021-11-25 19:41:50 UTC
Last seen:2021-11-25 21:39:10 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b8b949414a1cbbc9af7d834ae8be805f (11 x RedLineStealer, 5 x RaccoonStealer, 4 x ArkeiStealer)
ssdeep 12288:shMn5hvzJ6q3OeHurrV0cMORhw0jTC85FFqwKfyrZe+tKTue8:3njt64TH8rVFfjTC89NKf18KR8
Threatray 3'472 similar samples on MalwareBazaar
TLSH T179E423A7F70AA499DD1142B2CF13D6A9742ABD694DE4A2E232DFBC3F2D71341C1011B9
File icon (PE):PE icon
dhash icon 92e0b496a6cada72 (12 x RedLineStealer, 7 x RaccoonStealer, 5 x BlankGrabber)
Reporter zbetcheckin
Tags:32 ArkeiStealer exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
168
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
b1aaf5f9399bfc5127885fc30a9d2710
Verdict:
Malicious activity
Analysis date:
2021-11-25 19:44:31 UTC
Tags:
loader stealer
Link:
https://app.any.run/tasks/499c72a4-f8dd-435f-83df-e0bcb5af33d1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Gathering data
Detection(s):
PUA.Win.Packer.AsprotectSke-3
Create hunting rule

PUA.Win.Packer.Asprotect-3
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending an HTTP GET request
Creating a file
Sending a custom TCP request
Reading critical registry keys
Stealing user critical data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed racealer
Link:
https://www.filescan.io/uploads/619fe70df36138de3f3d1560/reports/9658f0ea-702b-45bf-b052-ec03b7012cd6/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Binder
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/fb5b16a5-8024-417e-a221-6f1c78822d24
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/896351
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
PE file has nameless sections
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/723597992f5b76dfc24d1250b735a97d8fadd1b93a816512770078a102c01ffb/
Threat name:
Win32.Trojan.Convagent
Create hunting rule
Status:
Malicious
First seen:
2021-11-25 19:42:13 UTC
File Type:
PE (Exe)
Extracted files:
27
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
0cdd906491990c6ba9c24bdd60172057587859a8e649ba7f4b51fece9a0fdac6
ArkeiStealer
162ab00c0e943f9548b04f3437867508656480585369cb705613dd3accfd54c2
ArkeiStealer
1b0daf8b1b8a09ae26a72e30fa638b000a991a7dfaf7c9297bec5c7f9d277574
ArkeiStealer
3badebcefb9e7153384cae83baaa119f6317c9381e8500ac285568590e0abd82
ArkeiStealer
55bea97718d10ad6dde683d1316015e4ed475558d725ee34858b15ce8b434afb
ArkeiStealer
59716b314ba0d53b7e8de32a73af01b7b383834bf038c3bcaa8f7d07afc8b280
ArkeiStealer
bb1944681aa2fcfd5f372fd44e041a63569b46130540225afc1560a1650d4e37
ArkeiStealer
d7cdfb895940efd584c78b7e56f9ed720491234df489ee9eb9aa98c24714d530
ArkeiStealer
dcf4ecc6d3b70a3e11077862b9e3830806191f0718eecb525a3e7d24246c0287
ArkeiStealer
f1b2cc9a9fed9992129c1673d423647dd8307aada8ccff1b3d0fea35c2c3e741
ArkeiStealer
+ 3'462 additional samples on MalwareBazaar
Result
Malware family:
arkei
Create hunting rule
Score:
  10/10
Tags:
family:arkei botnet:default discovery spyware stealer
Link:
https://tria.ge/reports/211125-yen61agdhm/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Arkei Stealer Payload
Arkei
Malware Config
C2 Extraction:
http://die-grausamste-herrin.at/wp.php
Unpacked files
SH256 hash:
778dbbb644f5412be6b3771595fb4e0194ec57ff3c72e8525bac264698eaa83a
MD5 hash:
81189137f6194eca8589ebd8226cede1
SHA1 hash:
6251c98ed53c3971066263846265899c36d5cbae
Link:
https://www.unpac.me/results/f9ab6aa8-5cbb-4c84-8bec-3369fa3de977/
SH256 hash:
b88d85089002c656092249a08fa4988932211679caac1b6385258fb7c042864f
MD5 hash:
572939f892deedf9e6a2d069c3d092d8
SHA1 hash:
583f4238abc0ba48e4d3d8fe98cdcb38ebfa9d23
Link:
https://www.unpac.me/results/f9ab6aa8-5cbb-4c84-8bec-3369fa3de977/
SH256 hash:
723597992f5b76dfc24d1250b735a97d8fadd1b93a816512770078a102c01ffb
MD5 hash:
b1aaf5f9399bfc5127885fc30a9d2710
SHA1 hash:
066211e44c00b9c2b71d972b70a69973a0f2e3e2
Link:
https://www.unpac.me/results/f9ab6aa8-5cbb-4c84-8bec-3369fa3de977/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/723597992f5b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/723597992f5b76dfc24d1250b735a97d8fadd1b93a816512770078a102c01ffb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:quakbot_halo_generated
Create hunting rule
Author:Halogen Generated Rule, Corsin Camichel

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ArkeiStealer

Executable exe 723597992f5b76dfc24d1250b735a97d8fadd1b93a816512770078a102c01ffb

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1817493/
Cape
Cape
https://www.capesandbox.com/analysis/209498/

Comments


Avatar
zbet commented on 2021-11-25 19:41:52 UTC

url : hxxp://die-grausamste-herrin.at/content/xeca.exe