MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9cae87b1118c6142f014a4a22be3a4489f40465a7de9e5cfa9aa019817e2dea4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9cae87b1118c6142f014a4a22be3a4489f40465a7de9e5cfa9aa019817e2dea4
SHA3-384 hash: 552a36b03b6bca3fa707dacae63f00262877d0b34664a7609915193d9bf234a8309a55ba553e915ad796c3cb2399d1b0
SHA1 hash: 2eb1b17c63679add3c179887564d5bee9f35eb17
MD5 hash: f9df6d6e4f01e87a31b07de5fa6ff7ad
humanhash: robert-single-louisiana-beryllium
File name:f9df6d6e4f01e87a31b07de5fa6ff7ad
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:2'702'480 bytes
First seen:2022-01-04 07:40:35 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 40a8cf41dbb64804603a13227a37d026 (1 x ArkeiStealer)
ssdeep 49152:CJtOaqUnR6rlJ5SJwx8WiZxE6eYH+Ikz1I7xfARCXdMsFpzklvNG4z/o86:2tOa5Qrsw8bpJH+SdM8WB
Threatray 8'536 similar samples on MalwareBazaar
TLSH T13FC533907B624440DBD8D5F46426029C92C07EF0DE74979E29453319EAF32CBBB4EBE9
File icon (PE):PE icon
dhash icon ccc4c4c4ccccc4c4 (1 x ArkeiStealer)
Reporter zbetcheckin
Tags:ArkeiStealer exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
192
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
f9df6d6e4f01e87a31b07de5fa6ff7ad
Verdict:
Malicious activity
Analysis date:
2022-01-04 07:43:20 UTC
Tags:
loader stealer trojan
Link:
https://app.any.run/tasks/475952d2-831f-43bc-9cf1-543acf7c5256

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/217230/
Detection(s):
Win.Malware.Generic-9918574-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Searching for analyzing tools
Сreating synchronization primitives
DNS request
Sending an HTTP GET request
Creating a file
Reading critical registry keys
Changing a file
Creating a file in the %AppData% subdirectories
Running batch commands
Creating a process with a hidden window
Launching a process
Stealing user critical data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware overlay packed
Link:
https://www.filescan.io/uploads/61d3fa17aeeec3fd2dfb6015/reports/07f7e6b2-9cf9-4083-bc5b-6a4eec2f4479/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b4264923-2091-4a25-bad4-b8e35e4ba08b
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/915132
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Self deletion via cmd delete
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to evade analysis by execution special instruction which cause usermode exception
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9cae87b1118c6142f014a4a22be3a4489f40465a7de9e5cfa9aa019817e2dea4/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2022-01-04 06:43:33 UTC
File Type:
PE (Exe)
Extracted files:
10
AV detection:
19 of 28 (67.86%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
034e8e297165eeb14372eea7a7e68756e561df39b84c5be924e542a36dee7418
ArkeiStealer
038152eae96d57cb15d542b84755d9feadee7d2012fc183a1937c448c211671e
ArkeiStealer
2d45c9f984150cbeafd07b26b269baefdb497d6e5687e8a0633601e9083afed1
ArkeiStealer
2ff10148112933987a694ab813725a70ab580d7288acf3f58e4ce70ebaf5cc91
ArkeiStealer
654574c360fcb5a7eb4f693d99d5f0c4e32f96b219a7327d41b39d7d5acde953
ArkeiStealer
81f4c01d5065f9332a7777b3fb6e5d3113560b68ddaea6da547c5533fc6c5bfb
ArkeiStealer
8ecb9b6e425216f33b0dad4e296680bfab382d7be119b9348eb523e55abd49cc
ArkeiStealer
8f9ff0227f4ce6ed3259d5f2f8bfd8c54496e9896ad5f522cdd768911be4b4bc
ArkeiStealer
90618d3aa5146d27b46476a4c7bfcc2e5323b74dcbcf2c0af6b4f00c4c2d9297
ArkeiStealer
959e3ca2579b6be8a11c06763c5a34ec118abc96d869e25bef06319c92da465e
ArkeiStealer
+ 8'526 additional samples on MalwareBazaar
Result
Malware family:
arkei
Create hunting rule
Score:
  10/10
Tags:
family:arkei discovery evasion spyware stealer trojan
Link:
https://tria.ge/reports/220104-jh493afhe5/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
Checks BIOS information in registry
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Arkei Stealer Payload
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Arkei
Unpacked files
SH256 hash:
01f3e21512d71fbbe9276c31eb821420f20948dfbefc94b8a43214fedc9e9ac1
MD5 hash:
92877bc618c9b69a7945e2e3f5d97140
SHA1 hash:
ee9468b0239f6fc7d509b6ea736de499bf6bf992
Link:
https://www.unpac.me/results/d5917eb3-9754-44b4-8431-6dd6e6b0f649/
SH256 hash:
9cae87b1118c6142f014a4a22be3a4489f40465a7de9e5cfa9aa019817e2dea4
MD5 hash:
f9df6d6e4f01e87a31b07de5fa6ff7ad
SHA1 hash:
2eb1b17c63679add3c179887564d5bee9f35eb17
Link:
https://www.unpac.me/results/d5917eb3-9754-44b4-8431-6dd6e6b0f649/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.83
Link:
https://yomi.yoroi.company/submissions/9cae87b1118c6142f014a4a22be3a4489f40465a7de9e5cfa9aa019817e2dea4

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ArkeiStealer

Executable exe 9cae87b1118c6142f014a4a22be3a4489f40465a7de9e5cfa9aa019817e2dea4

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1947948/
Cape
Cape
https://www.capesandbox.com/analysis/217230/

Comments


Avatar
zbet commented on 2022-01-04 07:40:37 UTC

url : hxxp://91.243.44.130/stlr/maps.exe