MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9bd142ecfe89857de80bb3255a1655f680ca6451b45cca235096dc1c1285e806. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



ArkeiStealer


Vendor detections: 8

SHA256 hash: 9bd142ecfe89857de80bb3255a1655f680ca6451b45cca235096dc1c1285e806
SHA3-384 hash: a6fd2ecfa8180c8be14bb5e6b2bfed730635930ea210824f8b637c82ddd6f2f1d53c31cdfa5c56f665425fc6d130df62
SHA1 hash: 0326aab7deddfefc048c9a67ac9ce4ee14ea9003
MD5 hash: a4d23ac3c7172b9aa02e35b6bf0fd21f
humanhash: johnny-nevada-low-magazine
File name: setup_x86_x64_install.exe
Signature: ArkeiStealer
File size: 4'054'502 bytes
First seen: 2021-10-10 19:30:35 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep: 98304:JwOLAdLUm3WFTzOzZfkT2Ribt7xkk49JBLHInas2Xzr+:JwOcN3mWZfkTIibtik4honas6y
Threatray: 615 similar samples on MalwareBazaar
TLSH: T1291633D97789FA73D0CF40B940B1DF4A0C736BAC1C176941E3A39E5A5E1AE513A2A1F0
dhash icon: b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter: Anonymous
Tags: ArkeiStealer exe

Intelligence

File Origin
# of uploads: 1
# of downloads: 223
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: setup_x86_x64_install.exe
Verdict: Malicious activity
Analysis date: 2021-10-10 19:25:09 UTC
Tags: trojan rat redline evasion loader stealer vidar

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a file in the %temp% directory
Creating a window
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: barys mokes overlay packed

Threat name: Win32.Trojan.AgentTesla
Status: Malicious
First seen: 2021-10-10 19:31:05 UTC
AV detection: 20 of 28 (71.43%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:redline family:smokeloader family:socelars family:vidar botnet:933 botnet:937 botnet:ani botnet:sad botnet:she aspackv2 backdoor infostealer stealer suricata themida trojan
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Kills process with taskkill
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Loads dropped DLL
Themida packer
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
Vidar Stealer
Process spawned unexpected child process
RedLine
RedLine Payload
SmokeLoader
Socelars
Socelars Payload
Vidar
suricata: ET MALWARE GCleaner Downloader Activity M5
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
Malware Config
C2 Extraction:
http://gmpeople.com/upload/
http://mile48.com/upload/
http://lecanardstsornin.com/upload/
http://m3600.com/upload/
http://camasirx.com/upload/
135.181.129.119:4805
45.142.215.47:27643
107.172.13.162:42751
https://mas.to/@serg4325
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments