MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 98ee19dbbe959081f2d95b7f56af58fcb7ecdc5b85bb9ee13775376b9bad1ccf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 98ee19dbbe959081f2d95b7f56af58fcb7ecdc5b85bb9ee13775376b9bad1ccf
SHA3-384 hash: c64f8c87e89c494837c15eef8b80fd4ba5252d75f922705a4ac8046365334c5cc3ff9dd0d17789776cfe9688692079d6
SHA1 hash: 5fc08c1200531073b5484dd40f72c9c6c651f748
MD5 hash: f9e6e88eb092ccd7e4b8626cba905657
humanhash: missouri-gee-nitrogen-xray
File name:f9e6e88eb092ccd7e4b8626cba905657.exe
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:1'346'048 bytes
First seen:2021-10-14 11:39:28 UTC
Last seen:2021-10-14 13:06:00 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:gkm3mx4M9UspHfj3K5Q51QB0sm16SpB7opewH5Iz6Bm/9Tyarl0yZ5MtkZb:Emx4QpD00cSr83Cz/xyolpZ
Threatray 4'115 similar samples on MalwareBazaar
TLSH T1D3553321DB7F8D90DCEB143613DE5111C6B6F805025997BAD6791A23AF12F8B87C03EA
Reporter abuse_ch
Tags:ArkeiStealer exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
246
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Setup.exe
Verdict:
Malicious activity
Analysis date:
2021-10-13 19:21:17 UTC
Tags:
evasion trojan loader opendir stealer vidar rat redline danabot
Link:
https://app.any.run/tasks/1d20f0dd-0b93-4b06-9ea8-1ef430b40beb

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/197544/
Detection(s):
SecuriteInfo.com.Variant.Cerbu.113972.20105.11315.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
cerbu obfuscated packed
Link:
https://www.filescan.io/uploads/61681716fd35fe780c3fe2cd/reports/fccb9b56-d01c-453b-b912-2558d8cfcc05/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0ed153b4-9f6f-480a-b96d-ab0a6f6b137a
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/870403
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Self deletion via cmd delete
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Vidar
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 502828 Sample: Hhfx4z3Jrt.exe Startdate: 14/10/2021 Architecture: WINDOWS Score: 100 41 Found malware configuration 2->41 43 Antivirus / Scanner detection for submitted sample 2->43 45 Multi AV Scanner detection for submitted file 2->45 47 5 other signatures 2->47 8 Hhfx4z3Jrt.exe 1 2->8         started        process3 file4 27 C:\Users\user\AppData\...\Hhfx4z3Jrt.exe.log, ASCII 8->27 dropped 49 Self deletion via cmd delete 8->49 51 Injects a PE file into a foreign processes 8->51 12 Hhfx4z3Jrt.exe 75 8->12         started        17 Hhfx4z3Jrt.exe 8->17         started        signatures5 process6 dnsIp7 37 mas.to 88.99.75.82, 443, 49758 HETZNER-ASDE Germany 12->37 39 65.108.80.190, 49759, 80 ALABANZA-BALTUS United States 12->39 29 C:\Users\user\AppData\...\softokn3[1].dll, PE32 12->29 dropped 31 C:\Users\user\AppData\...\mozglue[1].dll, PE32 12->31 dropped 33 C:\Users\user\AppData\...\freebl3[1].dll, PE32 12->33 dropped 35 9 other files (none is malicious) 12->35 dropped 53 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 12->53 55 Self deletion via cmd delete 12->55 57 Tries to harvest and steal browser information (history, passwords, etc) 12->57 59 Tries to steal Crypto Currency Wallets 12->59 19 cmd.exe 1 12->19         started        file8 signatures9 process10 process11 21 taskkill.exe 1 19->21         started        23 conhost.exe 19->23         started        25 timeout.exe 1 19->25         started       
Detection:
vidar
Create hunting rule
Link:
https://mwdb.cert.pl/sample/98ee19dbbe959081f2d95b7f56af58fcb7ecdc5b85bb9ee13775376b9bad1ccf/
Threat name:
ByteCode-MSIL.Ransomware.Phny
Create hunting rule
Status:
Malicious
First seen:
2021-10-14 01:59:30 UTC
AV detection:
22 of 28 (78.57%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
152c854e0e028eaa43bef46d7375d5704cf43f2c22a0354d7757e7cf5cdc3a89
ArkeiStealer
1fbbaa6cfa20d6e11a3e5e4ba0702f608d474cbf5a86eef891fb57a671c684be
ArkeiStealer
3893dc157f444a1b98d11a33630f78a45579b826f3ce83c08bb7b176cbfa2418
ArkeiStealer
575d3a4edbf03fc3bead2e44d9f8a65047ff8f7e90d9130eca7a6825bc92fb56
ArkeiStealer
611796a36903059a2d1725d7849a375b9aa2902254c0d5f5fa2122e83570ea3a
ArkeiStealer
bf4d1dcd4b9129f47ec4239fa5a33e00c981e5fac5b8be880b76d2a1f5753c34
ArkeiStealer
cdd1ac2ccf205bcc0e8fecb0b117b809fcade0fcc0eba5f6b85a5dfc88443344
ArkeiStealer
+ 4'105 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar botnet:921 discovery spyware stealer suricata
Link:
https://tria.ge/reports/211014-nswswsghhn/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Vidar Stealer
Suspicious use of NtCreateUserProcessOtherParentProcess
Vidar
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
Malware Config
C2 Extraction:
https://mas.to/@oleg98
Unpacked files
SH256 hash:
8cb6e86b3c198de0b0f22ed8cf40897689c6b3bfa314a45f168826f5dd8ef851
MD5 hash:
b05de2393095aedd4594b4ac3ec90f0f
SHA1 hash:
94e9156c52103173b51dc9227539fcb77eb3e7e8
Link:
https://www.unpac.me/results/e86a3bc3-59fe-414e-b94e-24bef56c64bd/
SH256 hash:
98ee19dbbe959081f2d95b7f56af58fcb7ecdc5b85bb9ee13775376b9bad1ccf
MD5 hash:
f9e6e88eb092ccd7e4b8626cba905657
SHA1 hash:
5fc08c1200531073b5484dd40f72c9c6c651f748
Link:
https://www.unpac.me/results/e86a3bc3-59fe-414e-b94e-24bef56c64bd/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/98ee19dbbe95/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/98ee19dbbe959081f2d95b7f56af58fcb7ecdc5b85bb9ee13775376b9bad1ccf

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ArkeiStealer

Executable exe 98ee19dbbe959081f2d95b7f56af58fcb7ecdc5b85bb9ee13775376b9bad1ccf

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/197544/
  
URLhaus
https://urlhaus.abuse.ch/url/1666411/
  
Delivery method
Distributed via web download

Comments