MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7fb3e8a0c4b50a519c283a7b7702ccd23c38e78dc251d32b120d8e8a89f87b49. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ArkeiStealer

Vendor detections: 7

Intelligence 7 IOCs YARA 1 File information Comments

SHA256 hash:	7fb3e8a0c4b50a519c283a7b7702ccd23c38e78dc251d32b120d8e8a89f87b49
SHA3-384 hash:	ec99efeb5611f9f2e8601a743d9cfbc9279e7a16301c01a18639306acc57c8dadfafa6856f5d7bc0949f6f559d1c96e0
SHA1 hash:	74170bf430cfc225768cffdb976fa68b917ae9ac
MD5 hash:	5e990c5457707f41c3b72acefa304932
humanhash:	pennsylvania-north-angel-hamper
File name:	5e990c5457707f41c3b72acefa304932.exe
Download:	download sample
Signature	ArkeiStealer Create hunting rule
File size:	202'752 bytes
First seen:	2021-09-03 07:44:53 UTC
Last seen:	2021-09-03 09:35:41 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	b7ebe503aba8ff6fce4b2b89581116dd (4 x ArkeiStealer, 3 x Stop, 2 x RedLineStealer)
ssdeep	3072:TjxcoLwFA0HmgidzxalFl8V7WnDn54XtjSwrv9ENPGvi1vw7KJIX:TjxLLwFA05NlFl8VLtVvMGAvw7K
Threatray	410 similar samples on MalwareBazaar
TLSH	T16414AD217AD0C073D8E286704D75CEE1263FB8719964848776783F2B6E712D2AA6235F
dhash icon	4839b2b4e8c38890 (137 x RaccoonStealer, 37 x Smoke Loader, 30 x RedLineStealer)
Reporter	abuse_ch
Tags:	ArkeiStealer exe

Intelligence

File Origin

# of uploads :

# of downloads :

113

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

5e990c5457707f41c3b72acefa304932.exe

Verdict:

Malicious activity

Analysis date:

2021-09-03 07:49:15 UTC

Tags:

stealer loader trojan

Link:

https://app.any.run/tasks/47dd4233-cd4a-4d52-a8de-9e0eeb979700

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/185068/

Detection(s):

SecuriteInfo.com.Trojan.Siggen15.6099.8683.29254.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

DNS request

Sending a UDP request

Launching the default Windows debugger (dwwin.exe)

Connection attempt

Sending an HTTP GET request

Creating a file

Creating a file in the Windows subdirectories

Deleting a recently created file

Reading critical registry keys

Replacing files

Changing a file

Creating a file in the %AppData% subdirectories

Creating a window

Running batch commands

Creating a process with a hidden window

Launching a process

Stealing user critical data

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/6fb22abd-a61a-4039-a6fd-9167caf1ae59

Result

Threat name:

Vidar

Detection:

malicious

Classification:

troj.spyw.evad

Score:

76 / 100

Link:

https://www.joesandbox.com/analysis/844775

Signature

Contains functionality to detect sleep reduction / modifications

Found malware configuration

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Tries to harvest and steal browser information (history, passwords, etc)

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/7fb3e8a0c4b50a519c283a7b7702ccd23c38e78dc251d32b120d8e8a89f87b49/

Threat name:

Win32.Trojan.Sabsik

Status:

Malicious

First seen:

2021-09-03 03:21:40 UTC

AV detection:

13 of 43 (30.23%)

Threat level:

5/5

Verdict:

suspicious

ArkeiStealer

120a50bdd5effe67ea0270aa7f938039e7a5e6a589a13e9371e381f4d1518dcd

ArkeiStealer

341970fa08050ae3de11bf7d13c9f76f818298c1f8af73e285fc56a0bb12b77b

ArkeiStealer

3d59ac598ad756cfa7d56ea28d85071266ccfbcec2bc952600ff82fec99d633c

ArkeiStealer

3e46c3912ced6d4821bb215ad4feb1711e3f0becaae258899ce77037c648048a

ArkeiStealer

7173381414ec85250c6bd3c9b803f2d49b98a7826c8aeea37d9328d5e74d7fb6

ArkeiStealer

90b9d553b4883ed20e3273a86351f103d10b012dab0c82179bb6b5bfcc188b88

ArkeiStealer

e9abbf811d367cf26f493d72ccd96749e534804ac27d36956dce0484b1440f25

ArkeiStealer

+ 400 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

10/10

Tags:

discovery spyware stealer

Link:

https://tria.ge/reports/210903-jle5cacga6/

Behaviour

Checks processor information in registry

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Deletes itself

Loads dropped DLL

Reads user/profile data of web browsers

Downloads MZ/PE file

Suspicious use of NtCreateProcessExOtherParentProcess

Unpacked files

SH256 hash:

1f176e8977339c0c1bbeeff314643dc3573ab61c775ed11868d9ee86e9fb525e

MD5 hash:

d37126feef855198ae18050cdfd63779

SHA1 hash:

ac125b74ea35c3410eb549a41aebd0c924a088ed

Link:

https://www.unpac.me/results/b5c64626-bb4d-4d58-85e9-d6352318d0a3/

SH256 hash:

7fb3e8a0c4b50a519c283a7b7702ccd23c38e78dc251d32b120d8e8a89f87b49

MD5 hash:

5e990c5457707f41c3b72acefa304932

SHA1 hash:

74170bf430cfc225768cffdb976fa68b917ae9ac

Link:

https://www.unpac.me/results/b5c64626-bb4d-4d58-85e9-d6352318d0a3/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/7fb3e8a0c4b50a519c283a7b7702ccd23c38e78dc251d32b120d8e8a89f87b49

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing potential Windows Defender anti-emulation checks