MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a3f3ecdc47707e721e469b9ef8ebdd3f53148dad6a6148f2410efc0a2e2dab58. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a3f3ecdc47707e721e469b9ef8ebdd3f53148dad6a6148f2410efc0a2e2dab58
SHA3-384 hash: dedb6548e0f5e1726636c97bf6232d12392228ab3407abb59c53303ec75c1bc8588c865b6cf25851b57e058b9b7b9a54
SHA1 hash: 9e441f304adeecc6be6238a15077c1bed9d69266
MD5 hash: 63da424ac6b43d1fb78e502bff64efd0
humanhash: hawaii-paris-summer-floor
File name:63da424ac6b43d1fb78e502bff64efd0
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:323'584 bytes
First seen:2022-02-19 10:08:38 UTC
Last seen:2022-02-19 12:23:49 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 2c3d21882f5ca8acb29bf5dc0942efbd (2 x ArkeiStealer, 2 x RedLineStealer)
ssdeep 3072:iwsNsLI2+JZwzL6o0aVkqPN4gu66adldE0keoTTsxkgaBCh4kCWzBa:Kspg7AkaNSOliVEigaKhBa
Threatray 863 similar samples on MalwareBazaar
TLSH T16C64BF0172A0CC32D52E0E759C56C6B08A3BB8B19D24A5A7FBD4775E9E323D1DE1234E
File icon (PE):PE icon
dhash icon a1bcdcac9cccb48c (9 x RaccoonStealer, 6 x ArkeiStealer, 3 x Loki)
Reporter zbetcheckin
Tags:32 ArkeiStealer exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
295
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/242651/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Save.a.24383.9077.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending an HTTP GET request
Creating a file
Reading critical registry keys
Changing a file
Creating a file in the %AppData% subdirectories
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Launching a process
Launching the default Windows debugger (dwwin.exe)
Searching for the window
Stealing user critical data
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/6665/overview
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
CPUID_Instruction
EvasionGetTickCount
EvasionQueryPerformanceCounter
CheckCmdLine
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
exploit ursnif wacatac
Link:
https://www.filescan.io/uploads/6210c1c0ac8ad0468b5589db/reports/90622c54-7b05-430a-b5d9-7dc92c96f983/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
FickerStealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a179e91f-edb9-4653-9379-761f873114f5
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/942588
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to detect sleep reduction / modifications
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found evasive API chain (may stop execution after checking computer name)
Found evasive API chain (may stop execution after checking locale)
Found evasive API chain (may stop execution after checking mutex)
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Self deletion via cmd delete
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a3f3ecdc47707e721e469b9ef8ebdd3f53148dad6a6148f2410efc0a2e2dab58/
Threat name:
Win32.Ransomware.StopCrypt
Create hunting rule
Status:
Malicious
First seen:
2022-02-19 10:09:10 UTC
File Type:
PE (Exe)
Extracted files:
37
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
6ffeae0bcdb13bc7aeb7bc57ead60db4c88d40aca6596c0f309031e8109b6be0
ArkeiStealer
813980ca5305ef5034e98b52596fddf3594108f4156f2057cb3d23b2b89e0ee2
ArkeiStealer
89667f582fc57b39ad83e402d591e07c33203a687a606a551a4894ccee03398f
ArkeiStealer
8ce1822eb29553ebaf2c1ac7f628a0c2532296de28bdb31f38db617404e9fa5a
ArkeiStealer
bca3ca4e7db762c56158918a1e50fe1a852a69acc9d27a67d04825b2fa946dd4
ArkeiStealer
c32c9b880976b25a9318b99cbcf9cabf1369e971c62a5642b4d13b9df6bf021d
ArkeiStealer
e507a57e055eb555aeb3a36da0e47544dcee994bd4d625e16668d55b350bc108
ArkeiStealer
fd3bc451730e3b3193fe465869dfa28878267aae9c6997821cdf5cc079e7a480
ArkeiStealer
+ 853 additional samples on MalwareBazaar
Result
Malware family:
arkei
Create hunting rule
Score:
  10/10
Tags:
family:arkei botnet:default discovery spyware stealer
Link:
https://tria.ge/reports/220219-l6smaaadb6/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks computer location settings
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Arkei
Suspicious use of NtCreateProcessExOtherParentProcess
Malware Config
C2 Extraction:
http://woor.link/548152.php
Unpacked files
SH256 hash:
95877edc01e9b4f4d239062ef0de52bb17b1c8ce375a6743503210fb4256020c
MD5 hash:
84fab8313958f2f6207444bb07862ad0
SHA1 hash:
0094623fc5f042eff4239dc9f5694d0ef6a742e7
Link:
https://www.unpac.me/results/abfd86e5-2f15-4bcd-9524-12d8d3a306c6/
SH256 hash:
a3f3ecdc47707e721e469b9ef8ebdd3f53148dad6a6148f2410efc0a2e2dab58
MD5 hash:
63da424ac6b43d1fb78e502bff64efd0
SHA1 hash:
9e441f304adeecc6be6238a15077c1bed9d69266
Link:
https://www.unpac.me/results/abfd86e5-2f15-4bcd-9524-12d8d3a306c6/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a3f3ecdc47707e721e469b9ef8ebdd3f53148dad6a6148f2410efc0a2e2dab58

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ArkeiStealer

Executable exe a3f3ecdc47707e721e469b9ef8ebdd3f53148dad6a6148f2410efc0a2e2dab58

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2048557/
Cape
Cape
https://www.capesandbox.com/analysis/242651/

Comments


Avatar
zbet commented on 2022-02-19 10:08:49 UTC

url : hxxp://statiy.live/CERT.exe