MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 91c43b63ed3549c521e4166ab7358e29ce19f8087c9053a8c6b6e4f17ddeb4c5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ArkeiStealer

Vendor detections: 10

Intelligence 10 IOCs YARA File information Comments

SHA256 hash:	91c43b63ed3549c521e4166ab7358e29ce19f8087c9053a8c6b6e4f17ddeb4c5
SHA3-384 hash:	5602ed1abaebab559d25714e4aed79327093f93afaed6631dbd4bb907e9fd3fe866b4e05f72a47dd48bdf6937333666c
SHA1 hash:	dad4de38bedd0dd97a7e76f1e78c60f5dc26c35f
MD5 hash:	99854fad01d4d709cb0f609463491ddf
humanhash:	happy-nineteen-december-quiet
File name:	setup_x86_x64_install.exe
Download:	download sample
Signature	ArkeiStealer Create hunting rule
File size:	4'054'065 bytes
First seen:	2021-10-10 20:11:36 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep	98304:J3yTpHIoJjZst0p/7xuJNT01cxHxFkrVFXggLUGypTLnoBcDYxkg:JQeoJjw0pmT01cxHGgILW7oC0kg
Threatray	616 similar samples on MalwareBazaar
TLSH	T13C1633EB7B95C16ADE153C7161314B6662E8612334A6A323CBC747C860A2FBF02F54F5
File icon (PE):
dhash icon	b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter	ffforward
Tags:	ArkeiStealer exe Raccoon Redline SilentXMRMiner Socelars vidar

Intelligence

File Origin

# of uploads :

# of downloads :

1'015

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

91c43b63ed3549c521e4166ab7358e29ce19f8087c9053a8c6b6e4f17ddeb4c5.exe

Verdict:

Malicious activity

Analysis date:

2021-10-10 21:06:23 UTC

Tags:

trojan rat redline evasion loader opendir stealer vidar

Link:

https://app.any.run/tasks/84740094-9144-49cc-b310-e1f6969f1789

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

CookieStealer

Link:

https://www.capesandbox.com/analysis/196411/

Detection(s):

Win.Packed.Barys-9859531-0

Win.Malware.Generic-9863888-0

Win.Packed.Jaik-9863991-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% directory

Creating a window

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

barys mokes overlay packed

Link:

https://www.filescan.io/uploads/616349143831960005b33824/reports/e6b7ada5-1b04-49c1-bc0a-6ca30d7e14a2/overview

Detection:

redlinestealer

Link:

https://mwdb.cert.pl/sample/91c43b63ed3549c521e4166ab7358e29ce19f8087c9053a8c6b6e4f17ddeb4c5/

Threat name:

Win32.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-10-10 20:12:13 UTC

AV detection:

30 of 45 (66.67%)

Threat level:

5/5

Verdict:

unknown

ArkeiStealer

2cbf19a8dbaba0978d5a52447c9cac23918c4394e751e0cde159d6e8b65c408f

ArkeiStealer

3eaed1d4442ddd5cb4691a9cfd5aef6f374be2a3489b934d9043bb6e980a4841

ArkeiStealer

80594c4ce01c53c6bcc472e88329cc23f51b0d3276c8f5b3a686033f8d2d452e

ArkeiStealer

941478d129063e71885f97791339a49c58c72991ccc8309734f12ef60aee5530

ArkeiStealer

9bd142ecfe89857de80bb3255a1655f680ca6451b45cca235096dc1c1285e806

ArkeiStealer

c48cd55efee57f0b7ff4547a0a20ebfbdf4188d059512b10a29879bf30c4fc19

ArkeiStealer

f5f477d945634e37e1abca7c1390e03a7535005c9ff071a191f4d24274bdf075

ArkeiStealer

f92cfeb06515f18113a950d5bd569a23cdd85514ef509ccff6c5a4e9a08ca4c7

ArkeiStealer

+ 606 additional samples on MalwareBazaar

Result

Malware family:

vidar

Score:

10/10

Tags:

family:redline family:smokeloader family:socelars family:vidar botnet:933 botnet:sad botnet:she aspackv2 backdoor infostealer stealer suricata themida trojan

Link:

https://tria.ge/reports/211010-yytwlagbbj/

Behaviour

Creates scheduled task(s)

Kills process with taskkill

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Loads dropped DLL

Themida packer

ASPack v2.12-2.42

Downloads MZ/PE file

Executes dropped EXE

Vidar Stealer

Process spawned unexpected child process

RedLine

RedLine Payload

SmokeLoader

Socelars

Socelars Payload

Vidar

suricata: ET MALWARE GCleaner Downloader Activity M5

suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01

suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload

suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

Malware Config

C2 Extraction:

135.181.129.119:4805
107.172.13.162:42751
http://gmpeople.com/upload/
http://mile48.com/upload/
http://lecanardstsornin.com/upload/
http://m3600.com/upload/
http://camasirx.com/upload/
https://mas.to/@serg4325

Malware family:

RedNet

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/91c43b63ed35/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

iSpy Keylogger

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/91c43b63ed3549c521e4166ab7358e29ce19f8087c9053a8c6b6e4f17ddeb4c5

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ArkeiStealer

exe 91c43b63ed3549c521e4166ab7358e29ce19f8087c9053a8c6b6e4f17ddeb4c5

(this sample)

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/196411/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample