MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7d391ed9356c4fa41f015b73f667663813b0d3b2e5ce1482fae64462a316bff6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7d391ed9356c4fa41f015b73f667663813b0d3b2e5ce1482fae64462a316bff6
SHA3-384 hash: 5d10ad30c95dfd0c8d5876dbaa6b30be4f4e4197cafa88534e8ada8ccdd28a9f4dd2f18fa3106a16b77533a72812595d
SHA1 hash: cb192b0134468f9e59d3b02cfc2f26652c8d689a
MD5 hash: 953f7ef3d735935dbbfb4c249bcd1534
humanhash: delaware-wolfram-magazine-single
File name:953f7ef3d735935dbbfb4c249bcd1534
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:1'630'504 bytes
First seen:2022-01-15 22:14:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e04ebbba4c96efce768dc51f0edb64fe (1 x ArkeiStealer)
ssdeep 24576:pRG67tlUs8oy1QvWEHoF69JAEEa4yxFzFkmrlnjvBbpJQd3XDh9DVkk:pRVlUsVvzHoFu+EyyxFlJZrQdDnDVv
TLSH T125752371A5C8D174F8062E70E6BBE3E6A6A05C8ED33D014D794C7A3B5AB368385141BE
File icon (PE):PE icon
dhash icon f0cca340808041a2 (1 x ArkeiStealer)
Reporter zbetcheckin
Tags:ArkeiStealer exe signed

Code Signing Certificate

Organisation:Polaroid Candy ILV (ZJ-2009-02)
Issuer:Polaroid Candy ILV (ZJ-2009-02)
Algorithm:sha1WithRSAEncryption
Valid from:2022-01-14T22:51:20Z
Valid to:2032-01-15T22:51:20Z
Serial number: 62afe29ef480238e4b41027e4a94388a
Intelligence: 2 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 6955d4f5d2cf7279e06747a14c3ff78d3b7d7ee2783d8e2e1e7a8a1a2ece1beb
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
318
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
953f7ef3d735935dbbfb4c249bcd1534
Verdict:
Malicious activity
Analysis date:
2022-01-15 22:16:45 UTC
Tags:
loader stealer trojan
Link:
https://app.any.run/tasks/08317f51-f239-4ba1-8c18-f6c87a8fae3d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/219554/
Detection(s):
SecuriteInfo.com.AI.Packer.C66AE9231F.29755.30896.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware overlay packed
Link:
https://www.filescan.io/uploads/61e34769f2e8ec86fe03bd65/reports/233bbbeb-3c28-4b9e-b853-d6e873650b11/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Ryuk
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6c95ac9f-4197-4ffb-92e2-255e98e6b7be
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/921282
Signature
Antivirus detection for URL or domain
Contains functionality to detect sleep reduction / modifications
Hides threads from debuggers
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Self deletion via cmd delete
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade analysis by execution special instruction which cause usermode exception
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
Gathering data
Threat name:
Win32.Trojan.GenCBL
Create hunting rule
Status:
Malicious
First seen:
2022-01-15 22:15:14 UTC
File Type:
PE (Exe)
Extracted files:
10
AV detection:
15 of 27 (55.56%)
Threat level:
  5/5
Result
Malware family:
arkei
Create hunting rule
Score:
  10/10
Tags:
family:arkei botnet:default discovery spyware stealer
Link:
https://tria.ge/reports/220115-158pfafaf6/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks computer location settings
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Arkei Stealer Payload
Arkei
Malware Config
C2 Extraction:
http://185.7.214.239/POeNDXYchB.php
Unpacked files
SH256 hash:
b606c0a617be23aa3d822e9637c36c8d48ddc02f58672d38b84e4e435d3c8feb
MD5 hash:
5c9fb80b1ca46b2447317adce2490a66
SHA1 hash:
2c399c568ed75f46e323dbd55b9f0ad478065dd2
Link:
https://www.unpac.me/results/277cc301-5201-4705-b85a-7458ad243e92/
SH256 hash:
7d391ed9356c4fa41f015b73f667663813b0d3b2e5ce1482fae64462a316bff6
MD5 hash:
953f7ef3d735935dbbfb4c249bcd1534
SHA1 hash:
cb192b0134468f9e59d3b02cfc2f26652c8d689a
Link:
https://www.unpac.me/results/277cc301-5201-4705-b85a-7458ad243e92/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7d391ed9356c4fa41f015b73f667663813b0d3b2e5ce1482fae64462a316bff6

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ArkeiStealer

Executable exe 7d391ed9356c4fa41f015b73f667663813b0d3b2e5ce1482fae64462a316bff6

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/219554/
  
URLhaus
https://urlhaus.abuse.ch/url/1979927/

Comments


Avatar
zbet commented on 2022-01-15 22:14:15 UTC

url : hxxp://data-host-coin-8.com/files/7841_1642280101_766.exe