MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a2786a0170e3cbdf616d75472b66707656e355653ad013e07eb749bb0c9e7e84. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ArkeiStealer

Vendor detections: 12

Intelligence 12 IOCs YARA File information Comments

SHA256 hash:	a2786a0170e3cbdf616d75472b66707656e355653ad013e07eb749bb0c9e7e84
SHA3-384 hash:	a4aea3a3980fa828dabf388c24b54471563fe0a2c3ebdb28c7ceb601a41cf0814a03ae22c0126aac8abbe07c34e12c3b
SHA1 hash:	8c1a40364d3840b1adc34d6294bdb8fcd3c07731
MD5 hash:	f10bafd9637d034f61514a1762be2d66
humanhash:	early-lake-nineteen-georgia
File name:	f10bafd9637d034f61514a1762be2d66.exe
Download:	download sample
Signature	ArkeiStealer Create hunting rule
File size:	275'968 bytes
First seen:	2022-04-09 08:04:11 UTC
Last seen:	2022-04-09 08:35:38 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	261a063e361cd863df1a0b82f2dd8ee4 (1 x ArkeiStealer, 1 x Smoke Loader)
ssdeep	6144:voCnbIXpTPwlIHgK81X4YMYZbhoIRUyYm67LVg:gCnKpTPwlsAX4zYroIuyYFG
Threatray	4'132 similar samples on MalwareBazaar
TLSH	T1D744AE10BB90D035E1B756F84A7AC3ACB92E7DA19B3465CF22D526EE56346E0EC30347
File icon (PE):
dhash icon	b2dacabecee6baa6 (148 x RedLineStealer, 145 x Stop, 100 x Smoke Loader)
Reporter	abuse_ch
Tags:	ArkeiStealer exe

Intelligence

File Origin

# of uploads :

# of downloads :

301

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

arkei

ID:

File name:

f10bafd9637d034f61514a1762be2d66.exe

Verdict:

Malicious activity

Analysis date:

2022-04-09 08:09:29 UTC

Tags:

arkei trojan stealer vidar

Link:

https://app.any.run/tasks/c7fd9cb4-aa28-4d00-b488-9034543a2ce9

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/262286/

Detection(s):

SecuriteInfo.com.Trojan.DownLoader44.49463.11597.32089.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

DNS request

Sending an HTTP GET request

Creating a file

Reading critical registry keys

Changing a file

Creating a file in the %AppData% subdirectories

Creating a window

Сreating synchronization primitives

Running batch commands

Creating a process with a hidden window

Launching a process

Launching the default Windows debugger (dwwin.exe)

Sending a custom TCP request

Stealing user critical data

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/13261/overview

Behaviour

SystemUptime

MeasuringTime

CheckCmdLine

EvasionQueryPerformanceCounter

EvasionGetTickCount

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/62513e2fd149c40acb10645e/reports/b8c1e624-fddd-436c-8682-24fe893397e6/overview

Result

Verdict:

SUSPICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/c338d03e-c0b7-4937-970d-ba2d8b5ad698

Result

Threat name:

Vidar

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/973712

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Contains functionality to detect sleep reduction / modifications

Detected unpacking (changes PE section rights)

Detected unpacking (creates a PE file in dynamic memory)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Machine Learning detection for sample

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Self deletion via cmd delete

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a2786a0170e3cbdf616d75472b66707656e355653ad013e07eb749bb0c9e7e84/

Threat name:

Win32.Trojan.Tnega

Status:

Malicious

First seen:

2022-04-09 03:21:41 UTC

AV detection:

22 of 42 (52.38%)

Threat level:

5/5

Verdict:

malicious

ArkeiStealer

3a2a1eff040a79d603b1ac2609a423ad8beb46d2876aa959f60dc98477707c0f

ArkeiStealer

7f19bc8eb8f0555986de478bc9a17a8e052f4a9262b0a19b924d8e9c66a01ca7

ArkeiStealer

90572b46120921941b9c004e411af18398a33de08d001e851965710d9b1c9860

ArkeiStealer

ba9cf00e158a45c784e263e07e773f089d27130480157c0797dbeedc66788629

ArkeiStealer

c2487b0dcceb0fa54bc8af20666e181c4620f1120eb7f4a5c35f7df5e876b7e0

ArkeiStealer

c40c4ad03430f7dc6718e0229b64bf3a515d1fabb042acc0a0fd69f82fd14867

ArkeiStealer

de147d635d7404111032d34845dd05eddc00ae6ecf0814d89eed3c6a81c06629

ArkeiStealer

+ 4'122 additional samples on MalwareBazaar

Result

Malware family:

arkei

Score:

10/10

Tags:

family:arkei botnet:default discovery spyware stealer

Link:

https://tria.ge/reports/220409-jyt42afec5/

Behaviour

Checks processor information in registry

Delays execution with timeout.exe

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Deletes itself

Loads dropped DLL

Reads user/profile data of web browsers

Arkei

Malware Config

C2 Extraction:

http://jsdkcr.link/47747.php

Unpacked files

SH256 hash:

d43c081c802235addf4267f8da30fb4596778b982765452c005f8b2eed888876

MD5 hash:

9ffb08a3cdb4d651ccfcc3f6967694fc

SHA1 hash:

914c723094708f02e97edcbbf50151f3b081e274

Link:

https://www.unpac.me/results/00a5f903-0b06-4293-9e1c-2dad03d812ec/

SH256 hash:

a2786a0170e3cbdf616d75472b66707656e355653ad013e07eb749bb0c9e7e84

MD5 hash:

f10bafd9637d034f61514a1762be2d66

SHA1 hash:

8c1a40364d3840b1adc34d6294bdb8fcd3c07731

Link:

https://www.unpac.me/results/00a5f903-0b06-4293-9e1c-2dad03d812ec/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/a2786a0170e3/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/a2786a0170e3cbdf616d75472b66707656e355653ad013e07eb749bb0c9e7e84

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ArkeiStealer

exe a2786a0170e3cbdf616d75472b66707656e355653ad013e07eb749bb0c9e7e84

(this sample)

Cape

https://www.capesandbox.com/analysis/262286/

URLhaus

https://urlhaus.abuse.ch/url/2136958/

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample