MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ac50621ee130a988dc1ddc97ca8b1193249ce9a027648f482ef1b0f9cf7b2e88. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ac50621ee130a988dc1ddc97ca8b1193249ce9a027648f482ef1b0f9cf7b2e88
SHA3-384 hash: a30f0225229a7d3d1ac0614f509fe3d5f4fbcb90bddcbef40ff1714e8789a9b37792006ade033664bed62f4c6bdf65c3
SHA1 hash: df2526522ba6a3d4e76773b7cb09299ef1b18a67
MD5 hash: 1790eae1cc50666ee6239bdd13123039
humanhash: kentucky-floor-lake-mars
File name:1790eae1cc50666ee6239bdd13123039
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:1'452'032 bytes
First seen:2021-11-13 01:43:41 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 15aeac4aa1d11f9ad3fc4c4ac7bb9468 (58 x RedLineStealer, 5 x RaccoonStealer, 3 x CoinMiner)
ssdeep 24576:VDsEmMJDeGBUBReuWuMf5CWfzCMuK0kMbJDIRRFJbk9JJ+/y9kEaHNYK3OGkP9Qr:6MJySpLf9i9XJ/NaHcY
Threatray 124 similar samples on MalwareBazaar
TLSH T1E26533702791CC5FF14E27BDAA2B76798B713084C360F377A3A9561E38EF6958819027
Reporter zbetcheckin
Tags:32 ArkeiStealer exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
134
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Vidar
Create hunting rule
Link:
https://www.capesandbox.com/analysis/205390/
Detection(s):
PUA.Win.Packer.Asprotect-3
Create hunting rule

Win.Trojan.Generic-9907417-0
Create hunting rule

Win.Trojan.Generic-9907425-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/618f1867a00afa9663a5acd1/reports/2923a5b7-9e3c-4d6e-a38e-fe07ce9295b6/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4f14c5fd-05ba-4c15-b7bb-4a1d2c5ed487
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/888455
Signature
Allocates memory in foreign processes
Contains functionality to detect sleep reduction / modifications
DLL side loading technique detected
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
PE file has nameless sections
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to shutdown other security tools via broadcasted WM_QUERYENDSESSION
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 520928 Sample: 0pxHGTARwb Startdate: 13/11/2021 Architecture: WINDOWS Score: 100 34 Found malware configuration 2->34 36 Multi AV Scanner detection for submitted file 2->36 38 Yara detected Vidar stealer 2->38 40 2 other signatures 2->40 8 0pxHGTARwb.exe 2->8         started        process3 signatures4 42 Query firmware table information (likely to detect VMs) 8->42 44 Tries to detect sandboxes and other dynamic analysis tools (window names) 8->44 46 Tries to shutdown other security tools via broadcasted WM_QUERYENDSESSION 8->46 48 4 other signatures 8->48 11 AppLaunch.exe 127 8->11         started        16 WerFault.exe 23 9 8->16         started        process5 dnsIp6 30 37.1.211.108, 49740, 80 HVC-ASUS Ukraine 11->30 24 C:\ProgramData\sqlite3.dll, PE32 11->24 dropped 26 C:\Users\user\AppData\...\sqlite3[1].dll, PE32 11->26 dropped 50 Tries to harvest and steal browser information (history, passwords, etc) 11->50 52 DLL side loading technique detected 11->52 54 Tries to steal Crypto Currency Wallets 11->54 56 Contains functionality to detect sleep reduction / modifications 11->56 18 cmd.exe 1 11->18         started        32 192.168.2.1 unknown unknown 16->32 28 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 16->28 dropped file7 signatures8 process9 process10 20 conhost.exe 18->20         started        22 timeout.exe 1 18->22         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ac50621ee130a988dc1ddc97ca8b1193249ce9a027648f482ef1b0f9cf7b2e88/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-11-11 18:54:49 UTC
AV detection:
28 of 44 (63.64%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66
ArkeiStealer
038152eae96d57cb15d542b84755d9feadee7d2012fc183a1937c448c211671e
ArkeiStealer
191018b2c61b46c04fba2acfd7138621ad327b5e918bee60e551c466aa9aca33
ArkeiStealer
1d1ad9014ce8356b997ff90266f50fb3314d7135e4cc9832128ebfa49f5b8aec
ArkeiStealer
2f2cfbcafd48754c5a305fab8483db6741c8fb82e7cf5fb523453ee773669bed
ArkeiStealer
433cf9125a44e304eca2c5cf3bfe2af0b1deafd1c5e8d13d559e1bac9de711b3
ArkeiStealer
487435d01fc04eba8555aab50d83ef39195f810786da6df4eebb4b88623aba2d
ArkeiStealer
4c08d306d3272e38e7e592e6dd2f269ab79d9e375dbf2bc5911cadd10fb5755e
ArkeiStealer
88d819e97e573477222ae60022206e9d16fabeaa10385296f403adcb2edf1bac
ArkeiStealer
df3f1453ac8a57eb0f8bcf8d36db69471d3fa754c1be5b352a9e2699d57b28c4
ArkeiStealer
+ 114 additional samples on MalwareBazaar
Result
Malware family:
arkei
Create hunting rule
Score:
  10/10
Tags:
family:arkei evasion spyware stealer trojan
Link:
https://tria.ge/reports/211113-b5vedaeec2/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks whether UAC is enabled
Checks BIOS information in registry
Loads dropped DLL
Downloads MZ/PE file
Arkei Stealer Payload
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Arkei
Suspicious use of NtCreateProcessExOtherParentProcess
Unpacked files
SH256 hash:
902e62de9ee52c18a7b8b4068916b91519e5e40dfd26e410cb7f5a3eb4b290a7
MD5 hash:
3ab46c18ccb3e91cbd8de37dbfe65ddb
SHA1 hash:
62289a376bf815b74abaa514dd6c17e32cf1bc51
Link:
https://www.unpac.me/results/5a2b2291-821b-4e4c-9950-5ed531c3e23d/
SH256 hash:
ac50621ee130a988dc1ddc97ca8b1193249ce9a027648f482ef1b0f9cf7b2e88
MD5 hash:
1790eae1cc50666ee6239bdd13123039
SHA1 hash:
df2526522ba6a3d4e76773b7cb09299ef1b18a67
Link:
https://www.unpac.me/results/5a2b2291-821b-4e4c-9950-5ed531c3e23d/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/ac50621ee130/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ArkeiStealer

Executable exe ac50621ee130a988dc1ddc97ca8b1193249ce9a027648f482ef1b0f9cf7b2e88

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/205390/
  
URLhaus
https://urlhaus.abuse.ch/url/1781688/

Comments


Avatar
zbet commented on 2021-11-13 01:43:42 UTC

url : hxxp://file-file-host6.com/files/5752_1636656439_9604.exe