MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a156d2b61b0405b1b57b985670c249ff89145cfdea773597c512baf335b4b04d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ArkeiStealer

Vendor detections: 13

Intelligence 13 IOCs YARA 31 File information Comments

SHA256 hash:	a156d2b61b0405b1b57b985670c249ff89145cfdea773597c512baf335b4b04d
SHA3-384 hash:	1c0daed0b0c76142f14c572fbe73fcfd6d3179caab9bf8d848d8ffe26d1ed6db102a03e1df6e03c17a864be80d9b2f79
SHA1 hash:	54c31d3960170e43ce50f8b8c218b05593268cf1
MD5 hash:	14d8ea2e66d596a466742e68279fe860
humanhash:	east-alpha-alaska-twelve
File name:	14d8ea2e66d596a466742e68279fe860.exe
Download:	download sample
Signature	ArkeiStealer Create hunting rule
File size:	7'659'008 bytes
First seen:	2025-06-22 08:21:09 UTC
Last seen:	2025-06-22 09:28:53 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	7b8d983565478bdc1ccabfea31fdb5f2 (3 x ArkeiStealer, 1 x Spambot.Kelihos)
ssdeep	98304:S6xvQPk+9EPTeScdCR2/fXk7UCSF1K4XVIbeP4Isd+118frP3wbzWFimaI7dlos4:r7MEPhCHXkuF1PP2gbzWFimaI7dlWb
TLSH	T16276CF11BE4D8076E91A11304B2D9F2A1129BDA47B3429D3B2743E7DED723C16D3A72B
TrID	42.0% (.EXE) InstallShield setup (43053/19/16) 30.4% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 10.2% (.EXE) Win64 Executable (generic) (10522/11/4) 4.9% (.EXE) Win16 NE executable (generic) (5038/12/1) 4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika	pebin
dhash icon	e1e0e6f7e6ed7e38 (4 x Spambot.Kelihos, 3 x ArkeiStealer)
Reporter	abuse_ch
Tags:	ArkeiStealer exe

Intelligence

File Origin

# of uploads :

# of downloads :

327

Origin country :

Vendor Threat Intelligence

Malware family:

amadey

ID:

File name:

2036faba52389e1d9672126cee80cd502ad855c755e7e6611187729662050772.bin

Verdict:

Malicious activity

Analysis date:

2025-06-22 01:36:21 UTC

Tags:

lumma stealer themida loader amadey botnet rdp screenconnect rmm-tool discordgrabber generic stormkitty ims-api telegram vidar stealc evasion lclipper clipper auto-reg autoit python

Link:

https://app.any.run/tasks/0be304d0-3aeb-4e49-8d43-703741b46ceb

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/10463/

Detection(s):

SecuriteInfo.com.Win32.Evo-gen.24280.29945.UNOFFICIAL

Verdict:

Malicious

Score:

97.4%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6857bdce32ed47a3a8d67cbc

Tags:

infosteal shellcode dropper virus

Result

Verdict:

Clean

Maliciousness:

Behaviour

Сreating synchronization primitives

Connection attempt

DNS request

Sending an HTTP GET request

Sending a custom TCP request

Verdict:

Malicious

Labled as:

Win/malicious_confidence_60%

Link:

https://www.hybrid-analysis.com/sample/a156d2b61b0405b1b57b985670c249ff89145cfdea773597c512baf335b4b04d

Malware family:

Microsoft Corporation

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/9fd914ad-d495-47bd-a800-31249e1011cf

Result

Threat name:

n/a

Detection:

malicious

Classification:

troj.evad

Score:

64 / 100

Link:

https://www.joesandbox.com/analysis/1720180

Signature

Connects to many ports of the same IP (likely port scanning)

Detected unpacking (overwrites its own PE header)

Multi AV Scanner detection for submitted file

PE file has nameless sections

Behaviour

Behavior Graph:

Download SVG

Score:

46%

Verdict:

Susipicious

File Type:

Link:

https://malprob.io/report/a156d2b61b0405b1b57b985670c249ff89145cfdea773597c512baf335b4b04d

Verdict:

inconclusive

YARA:

8 match(es)

Tags:

Executable Html Javascript in Html PE (Portable Executable) Win 32 Exe x86

Link:

https://app.malva.re/file/14d8ea2e66d596a466742e68279fe860

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a156d2b61b0405b1b57b985670c249ff89145cfdea773597c512baf335b4b04d/

Threat name:

Win32.Trojan.Egairtigado

Status:

Malicious

First seen:

2025-06-22 01:25:17 UTC

File Type:

PE (Exe)

Extracted files:

498

AV detection:

26 of 38 (68.42%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=uflnfnq3aqc3dnl3tblhbqsj76erixh55j3tlf6fck5pgnnuwbgq._file

Result

Malware family:

n/a

Score:

6/10

Tags:

discovery

Link:

https://tria.ge/reports/250622-j929sazzbx/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Looks up external IP address via web service

Verdict:

Malicious

Tags:

external_ip_lookup

YARA:

n/a

Link:

https://app.threat.zone/submission/757b9cab-9719-4e3b-9e16-1070720dee99

Unpacked files

SH256 hash:

a156d2b61b0405b1b57b985670c249ff89145cfdea773597c512baf335b4b04d

MD5 hash:

14d8ea2e66d596a466742e68279fe860

SHA1 hash:

54c31d3960170e43ce50f8b8c218b05593268cf1

Detections:

win_oski_g0

Link:

https://www.unpac.me/results/a4479adc-859a-4b63-a35b-648bdd19307f/

SH256 hash:

f8c972d5596bcc8cbfdc8fbf55172a0657ed695e1b4dc9e94366d64516051ad6

MD5 hash:

d754d7cfa2808723485055c3152b8343

SHA1 hash:

248fc80a0ede07ae7ec38d6877f8306a03c50c32

Link:

https://www.unpac.me/results/a4479adc-859a-4b63-a35b-648bdd19307f/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/a156d2b61b0405b1b57b985670c249ff89145cfdea773597c512baf335b4b04d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	adonunix2 Create hunting rule
Author:	Tim Brown @timb_machine
Description:	AD on UNIX

Rule name:	botnet_plaintext_c2 Create hunting rule
Author:	cip
Description:	Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__GlobalFlags Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerHiding__Active Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerHiding__Thread Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	dgaagas Create hunting rule
Author:	Harshit
Description:	Uses certutil.exe to download a file named test.txt

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing SQL queries to confidential data stores. Observed in infostealers

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	meth_stackstrings Create hunting rule
Author:	Willi Ballenthin

Rule name:	pe_no_import_table Create hunting rule
Description:	Detect pe file that no import table

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	reverse_http Create hunting rule
Author:	CD_R0M_
Description:	Identify strings with http reversed (ptth)

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SEH__vectored Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

Rule name:	test_Malaysia Create hunting rule
Author:	rectifyq
Description:	Detects file containing malaysia string

Rule name:	win_stealer_generic Create hunting rule
Author:	Reedus0
Description:	Rule for detecting generic stealer malware

Rule name:	yara_template Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ArkeiStealer

exe a156d2b61b0405b1b57b985670c249ff89145cfdea773597c512baf335b4b04d

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/3569136/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/10463/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample