MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a1d583650ec7dc99e6c0c4009908358518a0be5fbe7cb6e2b3a50889bb5da3a1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a1d583650ec7dc99e6c0c4009908358518a0be5fbe7cb6e2b3a50889bb5da3a1
SHA3-384 hash: b6f745258dcf2a2ba81995aca46d9292b67fcc91872697df76f24fb3c488b3eace6ebba2f98da598220c3517c8fc1ab9
SHA1 hash: 8da695d69d3e3c3df85767b57c24f46576d1aeef
MD5 hash: aec70ded586cfe6f9bae06560b0fe7a6
humanhash: california-seventeen-south-kitten
File name:aec70ded586cfe6f9bae06560b0fe7a6
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:1'013'648 bytes
First seen:2022-01-10 12:37:42 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 8ce72e3282cfe3876fcd1078f6043be9 (1 x BitRAT, 1 x ArkeiStealer)
ssdeep 24576:rIl1cSdx7yIM6LCEYjHQQvRclPsSiI51/UOFw:G1f8I1CEYjwQalPsm5COFw
Threatray 86 similar samples on MalwareBazaar
TLSH T1272512D99A03C2A9C5925E3EF53D9148936ABE50A9F2FFCFE61D7370D6B20E06801D14
File icon (PE):PE icon
dhash icon f08caa5555b28cf0 (1 x ArkeiStealer)
Reporter zbetcheckin
Tags:ArkeiStealer exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
203
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
aec70ded586cfe6f9bae06560b0fe7a6
Verdict:
Malicious activity
Analysis date:
2022-01-10 12:42:15 UTC
Tags:
loader stealer trojan
Link:
https://app.any.run/tasks/43f88ea5-af8b-4aa1-8385-c62b4e9ebec1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/217994/
Detection(s):
Win.Malware.Generic-9934865-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Searching for analyzing tools
Сreating synchronization primitives
DNS request
Sending an HTTP GET request
Creating a file
Reading critical registry keys
Changing a file
Creating a file in the %AppData% subdirectories
Running batch commands
Creating a process with a hidden window
Launching a process
Stealing user critical data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/61dc28b202e388f9fdbddcea/reports/1c51c8ec-7f02-4b99-98f7-4edad3b4d332/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Ryuk
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/63296407-523b-469d-ae19-287fa3f1acc0
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/917642
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to detect sleep reduction / modifications
Found malware configuration
Hides threads from debuggers
Machine Learning detection for sample
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for submitted file
Self deletion via cmd delete
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to evade analysis by execution special instruction which cause usermode exception
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a1d583650ec7dc99e6c0c4009908358518a0be5fbe7cb6e2b3a50889bb5da3a1/
Threat name:
Win32.Trojan.Vidar
Create hunting rule
Status:
Malicious
First seen:
2022-01-09 11:19:04 UTC
File Type:
PE (Exe)
Extracted files:
11
AV detection:
23 of 43 (53.49%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
5285ffebc00e0e75efcb1944329d1708d658eb5b4e5928d191323d933a3673e4
ArkeiStealer
773b40c8007545afd1b563bdf17dab8225acd4bd6def35e4db95f70fca16371c
ArkeiStealer
86f4809b73e73c837784b2a9a449d1d56f34ea22bd30b99a555962683113cde7
ArkeiStealer
8a76fd10a479dbf5bb5d60f6ef949641d2ef4f1262a6d9dd273cf93b7be934b3
ArkeiStealer
914644da1b2f5c041a3199411b353f3c8e5b7e965399ac015bbc6c5286da7a7e
ArkeiStealer
973294652225d5fa7ed66a39c2c0b1ef2b518169f1300ca0109c61cde55d35f1
ArkeiStealer
af01a7c85a964816f29a90703ab0db0e4afda17e5ab4842a0d7f353284f17646
ArkeiStealer
d3cfc436366c9d127c7a6233f6531cf6e5863153b41ba4ab6f8fe87f473c8c9d
ArkeiStealer
f960b96c81f71d848a119d18aa4074ecaa71e39086a611f2dc637d579b9f6afa
ArkeiStealer
+ 76 additional samples on MalwareBazaar
Result
Malware family:
arkei
Create hunting rule
Score:
  10/10
Tags:
family:arkei discovery spyware stealer
Link:
https://tria.ge/reports/220110-pt27qseeeq/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Arkei Stealer Payload
Arkei
Unpacked files
SH256 hash:
b92204c303ceb485715e057ee08a504077e8d31e4c06885389e08206e2903a0c
MD5 hash:
0b94bb86e68b5b1b1c7eccf8a633b3a3
SHA1 hash:
be3d255ef3562cd9f73fcbf16cf10c7a8807154e
Link:
https://www.unpac.me/results/faa0a7ab-3608-41c1-b550-f675351754ae/
SH256 hash:
a1d583650ec7dc99e6c0c4009908358518a0be5fbe7cb6e2b3a50889bb5da3a1
MD5 hash:
aec70ded586cfe6f9bae06560b0fe7a6
SHA1 hash:
8da695d69d3e3c3df85767b57c24f46576d1aeef
Link:
https://www.unpac.me/results/faa0a7ab-3608-41c1-b550-f675351754ae/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/a1d583650ec7/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a1d583650ec7dc99e6c0c4009908358518a0be5fbe7cb6e2b3a50889bb5da3a1

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ArkeiStealer

Executable exe a1d583650ec7dc99e6c0c4009908358518a0be5fbe7cb6e2b3a50889bb5da3a1

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1962361/
Cape
Cape
https://www.capesandbox.com/analysis/217994/

Comments


Avatar
zbet commented on 2022-01-10 12:37:44 UTC

url : hxxp://data-host-coin-8.com/files/4826_1641658240_6291.exe