MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 802f550d896ea78feb6a01d2de13e12dbd3160e6af9276e97fdcbc88de9484b0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ArkeiStealer

Vendor detections: 13

Intelligence 13 IOCs YARA File information Comments

SHA256 hash:	802f550d896ea78feb6a01d2de13e12dbd3160e6af9276e97fdcbc88de9484b0
SHA3-384 hash:	48d6b2456dfe0b3ee5dd1c5fd6c275e4f94185c58c83227ab2bc4e0f1ce100cad03f0c99ddbcaa17ada46efaf9ce7795
SHA1 hash:	1b4b51e3b1499814cebbc7f1f637a2374f9fbdba
MD5 hash:	23383d1420453f40ac1d601080943b94
humanhash:	east-georgia-oscar-utah
File name:	23383d1420453f40ac1d601080943b94.exe
Download:	download sample
Signature	ArkeiStealer Create hunting rule
File size:	285'184 bytes
First seen:	2022-04-16 06:03:38 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	2cf04614b406ff2c676d7a763cd2a280 (1 x ArkeiStealer)
ssdeep	6144:18Fgw4UIHxBKp0/K5oEWXwE3n4iu2pjvnDBmzRwu7:+/4UIRBKp0/pEKw4g2p7ne
Threatray	4'141 similar samples on MalwareBazaar
TLSH	T1D0549E10B6A0E035F1B712F44ABA97A8B92E7EB15B3150CB62D527EE57346D4EC3031B
TrID	40.5% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 17.0% (.SCR) Windows screen saver (13101/52/3) 13.6% (.EXE) Win64 Executable (generic) (10523/12/4) 8.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 6.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):
dhash icon	b2dacabecee6baa6 (148 x RedLineStealer, 145 x Stop, 100 x Smoke Loader)
Reporter	abuse_ch
Tags:	ArkeiStealer exe

Intelligence

File Origin

# of uploads :

# of downloads :

290

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

arkei

ID:

File name:

23383d1420453f40ac1d601080943b94.exe

Verdict:

Malicious activity

Analysis date:

2022-04-16 06:04:54 UTC

Tags:

arkei trojan stealer vidar

Link:

https://app.any.run/tasks/89e3136c-1df5-475b-87f4-65e92a86e1aa

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/264069/

Detection(s):

SecuriteInfo.com.Trojan.DownLoader44.51582.27048.9047.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

DNS request

Sending an HTTP GET request

Creating a file

Sending a custom TCP request

Reading critical registry keys

Changing a file

Creating a file in the %AppData% subdirectories

Сreating synchronization primitives

Running batch commands

Creating a process with a hidden window

Launching a process

Stealing user critical data

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/14002/overview

Behaviour

MalwareBazaar

MeasuringTime

SystemUptime

CheckCmdLine

EvasionQueryPerformanceCounter

EvasionGetTickCount

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/625a5c56ffe27d5119e372b9/reports/aeccdc73-458f-4f35-ae77-4fb037e73e60/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Oski Stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/678e3c51-bc40-4666-a887-661f797344cc

Result

Threat name:

Vidar

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/977609

Signature

C2 URLs / IPs found in malware configuration

Contains functionality to detect sleep reduction / modifications

Detected unpacking (creates a PE file in dynamic memory)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Possible FUD Crypter (malicious underground PE packer) detected

Self deletion via cmd delete

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/802f550d896ea78feb6a01d2de13e12dbd3160e6af9276e97fdcbc88de9484b0/

Threat name:

Win32.Trojan.Convagent

Status:

Malicious

First seen:

2022-04-16 00:41:17 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

20 of 26 (76.92%)

Threat level:

5/5

Verdict:

malicious

ArkeiStealer

4bcff4386ce8fadce358ef0dbe90f8d5aa7b4c7aec93fca2e605ca2cbc52218b

ArkeiStealer

573f167f1bdc3b46aad784dd1279d5460857837991fcc1769920c0435a961ef8

ArkeiStealer

5aefbefef1a5a2ee938f4d9c7705b6e38b375b858d21dae1efc137f36b29751d

ArkeiStealer

60e2041e9280879b054540d9d8cef49a738ceb9c5c8f73a0f47016a862645cf7

ArkeiStealer

6b18a223ce8f1f42880a54809880cd5c3a6890955d2469b10ea771dab333871e

ArkeiStealer

7022a16d455a3ad78d0bbeeb2793cb35e48822c3a0a8d9eaa326ffc91dd9e625

ArkeiStealer

7f19bc8eb8f0555986de478bc9a17a8e052f4a9262b0a19b924d8e9c66a01ca7

ArkeiStealer

ba9cf00e158a45c784e263e07e773f089d27130480157c0797dbeedc66788629

ArkeiStealer

+ 4'131 additional samples on MalwareBazaar

Result

Malware family:

arkei

Score:

10/10

Tags:

family:arkei botnet:default discovery spyware stealer

Link:

https://tria.ge/reports/220416-gsk8tsgaa5/

Behaviour

Delays execution with timeout.exe

Suspicious use of WriteProcessMemory

Checks processor information in registry

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Checks computer location settings

Deletes itself

Loads dropped DLL

Reads user/profile data of web browsers

Arkei

Malware Config

C2 Extraction:

http://cheapf.link/48484.php

Unpacked files

SH256 hash:

55ebc76a3b0c8a54bb8bab5d037a275aa6f84de7aec90930f9152e922ee548f4

MD5 hash:

ce994ec6247081d1cb3e2c4f8defddf1

SHA1 hash:

8022954d23cb54889362f431d78b2e6d38571272

Link:

https://www.unpac.me/results/1777c8be-d356-494d-b3df-3550a05c8313/

SH256 hash:

802f550d896ea78feb6a01d2de13e12dbd3160e6af9276e97fdcbc88de9484b0

MD5 hash:

23383d1420453f40ac1d601080943b94

SHA1 hash:

1b4b51e3b1499814cebbc7f1f637a2374f9fbdba

Link:

https://www.unpac.me/results/1777c8be-d356-494d-b3df-3550a05c8313/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/802f550d896e/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/802f550d896ea78feb6a01d2de13e12dbd3160e6af9276e97fdcbc88de9484b0

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/264069/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample