MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a46171e4dd7e071a68dc37a02c102bf57f8cc59808217ca9a27d7799ccf62630. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a46171e4dd7e071a68dc37a02c102bf57f8cc59808217ca9a27d7799ccf62630
SHA3-384 hash: 7405e6e9f81978f0f0347b65cb68125481de48d9537d4ce35c69dd5342c7207fcbecaf5435baf6d131e5a7bea9c22e66
SHA1 hash: 8321ea379ff35d43a6b7e8baa1e7189740f77205
MD5 hash: 1d812a08acd9e8dce50adc344fbac211
humanhash: video-september-gee-butter
File name:1d812a08acd9e8dce50adc344fbac211.exe
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:5'389'322 bytes
First seen:2022-12-10 09:05:00 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 56a78d55f3f7af51443e58e0ce2fb5f6 (719 x GuLoader, 451 x Formbook, 295 x Loki)
ssdeep 98304:tWYJnZAhfDI5sIHMYMfY3H0+7Y3N3/ZB8YcnqIkr0PCu6ilURtqspAJi05MprYRc:tWcnZJ5HHQfAD7Y3N3kYcnqIn6imqspD
Threatray 21 similar samples on MalwareBazaar
TLSH T14546336EA502BF6DE739D0BB0B5E88653CBE417FDEC24717356479472BC1906B02822B
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter abuse_ch
Tags:ArkeiStealer exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
189
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
a46171e4dd7e071a68dc37a02c102bf57f8cc59808217ca9a27d7799ccf62630.exe
Verdict:
Suspicious activity
Analysis date:
2022-12-10 09:44:11 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/293bfff3-3670-4463-897f-348829bce4c9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/344957/
Detection(s):
SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.6896.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a process from a recently created file
Searching for the window
Creating a window
Creating a file in the %AppData% subdirectories
Running batch commands
Creating a process with a hidden window
Creating a file
DNS request
Launching a process
Sending a custom TCP request
Сreating synchronization primitives
Searching for synchronization primitives
Moving a recently created file
Launching cmd.exe command interpreter
Launching a service
Launching the default Windows debugger (dwwin.exe)
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/63944bc1a2c2485912c7e5e8/reports/eb43c39e-98f5-4e86-9814-a9af2e6f8f64/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8cf9431c-a8d0-4486-af0e-69ea5f9a3dc5
Result
Threat name:
Cryptbot, Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1131867
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates files with lurking names (e.g. Crack.exe)
Drops PE files with a suspicious file extension
Found API chain indicative of debugger detection
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file contains section with special chars
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Cryptbot
Yara detected CryptbotV2
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 764590 Sample: iyMl69SZMo.exe Startdate: 10/12/2022 Architecture: WINDOWS Score: 100 78 Snort IDS alert for network traffic 2->78 80 Multi AV Scanner detection for domain / URL 2->80 82 Malicious sample detected (through community Yara rule) 2->82 84 10 other signatures 2->84 10 iyMl69SZMo.exe 10 2->10         started        14 mchost.exe 2->14         started        process3 file4 62 C:\Users\user\...\Pre-Activated-Setup.exe, PE32 10->62 dropped 64 C:\Users\user\AppData\Local\...\Crack+Key.exe, PE32 10->64 dropped 100 Creates files with lurking names (e.g. Crack.exe) 10->100 16 Pre-Activated-Setup.exe 79 10->16         started        21 Crack+Key.exe 9 10->21         started        102 Found API chain indicative of debugger detection 14->102 signatures5 process6 dnsIp7 66 qalfya311.top 16->66 68 www.google.com 216.58.212.164, 443, 49699 GOOGLEUS United States 16->68 70 192.168.2.1 unknown unknown 16->70 54 C:\Users\user\AppData\Roaming\...\mchost.exe, PE32 16->54 dropped 56 C:\Users\user\AppData\Roaming\...\mchost.chm, Unicode 16->56 dropped 86 Multi AV Scanner detection for dropped file 16->86 23 cmd.exe 1 16->23         started        26 WerFault.exe 16->26         started        28 WerFault.exe 16->28         started        58 C:\Users\user\AppData\Local\...ngine.exe, PE32 21->58 dropped 30 Engine.exe 503 21->30         started        file8 signatures9 process10 signatures11 88 Obfuscated command line found 23->88 90 Uses ping.exe to sleep 23->90 92 Drops PE files with a suspicious file extension 23->92 94 2 other signatures 23->94 32 conhost.exe 23->32         started        34 schtasks.exe 1 23->34         started        36 cmd.exe 1 30->36         started        process12 process13 38 cmd.exe 2 36->38         started        42 conhost.exe 36->42         started        file14 60 C:\Users\user\AppData\...\Breaking.exe.pif, PE32 38->60 dropped 96 Obfuscated command line found 38->96 98 Uses ping.exe to sleep 38->98 44 Breaking.exe.pif 16 38->44         started        48 powershell.exe 11 38->48         started        50 powershell.exe 11 38->50         started        52 2 other processes 38->52 signatures15 process16 dnsIp17 72 RRmbcAgsRTV.RRmbcAgsRTV 44->72 74 t.me 149.154.167.99, 443, 49700 TELEGRAMRU United Kingdom 44->74 76 95.217.25.31, 49701, 80 HETZNER-ASDE Germany 44->76 104 Tries to harvest and steal browser information (history, passwords, etc) 44->104 106 Tries to steal Crypto Currency Wallets 44->106 signatures18
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a46171e4dd7e071a68dc37a02c102bf57f8cc59808217ca9a27d7799ccf62630/
Threat name:
Win32.Trojan.Tiggre
Create hunting rule
Status:
Malicious
First seen:
2022-12-07 21:59:27 UTC
File Type:
PE (Exe)
Extracted files:
10
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=urqxdzg5pydru2g4g6qcyebl6v7yzrmybaqxzkncpv3ztthweyya._file
Verdict:
malicious
Similar samples:
1ddbd0850493c851ab3503b8af24118e2f4c0441a997436d13fb5596f96178eb
ArkeiStealer
29842f71bd503e86896ae4b274aa21a0eaa67144ad83e2df89072ea8e8458fd0
ArkeiStealer
6287dc709cd7b990a32615d9d8ccff3d2e1de1ef375662c771b165801ae6b191
ArkeiStealer
83303bd8432e42ddbc86aa5f2fba7b07ded48ef47ec39d42f62b410081b14090
ArkeiStealer
c99d58fd025a25f09226d6201f7cd16d487e5d0dbe264394438049d3bb5f083c
ArkeiStealer
f1d76f93fe7eee3f845d8b849054d5f268616734c10c941977c5b3e3017a295c
ArkeiStealer
f3b57fa817cc307ed23d17e2560e8f373719b86f66499482aa8b25dd30bb4638
ArkeiStealer
+ 11 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:cryptbot family:vidar botnet:1839 discovery spyware stealer upx
Link:
https://tria.ge/reports/221210-k1794saa8t/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Drops desktop.ini file(s)
Maps connected drives based on registry
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
UPX packed file
CryptBot
Vidar
Malware Config
C2 Extraction:
http://qalfya311.top/gate.php
https://t.me/dishasta
https://steamcommunity.com/profiles/76561199441933804
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/c6c0981b-ebf0-4c3a-8e7f-c9e37c092a37
Unpacked files
SH256 hash:
0132c185e69550ae7fa93410b2898ef4b2d43b793bd40ccc98dd4ee9111b4f5c
MD5 hash:
3f32dd4e028f3041d35652d956742db9
SHA1 hash:
a212613b5efba77395ca764e5ab586269fbac79d
Link:
https://www.unpac.me/results/7694dd73-ebd9-467e-aa0a-70985d075b1f/
SH256 hash:
18479a0a722d7346505ac27b20a8c4ea6ac8b087010a6ed02aeb5833c9d9e7ff
MD5 hash:
8085a7221b1ca6dc5be44e029c7eb9e7
SHA1 hash:
2bffedeea6da345f53d3c27b112b0a3fbc5bb22c
Link:
https://www.unpac.me/results/7694dd73-ebd9-467e-aa0a-70985d075b1f/
SH256 hash:
1f0e489f7c3e429cf3f9fd646b37f70a4cee92d782e9e6c3de2e4877acab05aa
MD5 hash:
6adb4a40719a11471c2b455041ae5e0e
SHA1 hash:
244138c707f5f2b30736c16071203762bffba108
Link:
https://www.unpac.me/results/7694dd73-ebd9-467e-aa0a-70985d075b1f/
SH256 hash:
de1ca628ff6ce1eff410c77623338605504694432ccbcf55a588045a4ed6002b
MD5 hash:
94c419ef8a901178dac721f4b1dfe4f5
SHA1 hash:
c8f6643173ebf1df3baa0c7c0d9978b663a46532
Link:
https://www.unpac.me/results/7694dd73-ebd9-467e-aa0a-70985d075b1f/
SH256 hash:
a46171e4dd7e071a68dc37a02c102bf57f8cc59808217ca9a27d7799ccf62630
MD5 hash:
1d812a08acd9e8dce50adc344fbac211
SHA1 hash:
8321ea379ff35d43a6b7e8baa1e7189740f77205
Link:
https://www.unpac.me/results/7694dd73-ebd9-467e-aa0a-70985d075b1f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a46171e4dd7e071a68dc37a02c102bf57f8cc59808217ca9a27d7799ccf62630

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ArkeiStealer

Executable exe a46171e4dd7e071a68dc37a02c102bf57f8cc59808217ca9a27d7799ccf62630

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2450734/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/344957/

Comments