MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 af138c1b86f37a90982bf31a77b736435c0d94b0c273b1005d1313305d5c7d58. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ArkeiStealer

Vendor detections: 11

Intelligence 11 IOCs YARA File information Comments

SHA256 hash:	af138c1b86f37a90982bf31a77b736435c0d94b0c273b1005d1313305d5c7d58
SHA3-384 hash:	43d28917946313568153f5448cdc3153ded5d32d4d8bc507e804025d4b537b57d439102ba33babec5fc018803f7c43a3
SHA1 hash:	6ca7bc048d2c707c5dae97b79c9af3a2dcb7f8aa
MD5 hash:	5165de1c6152b1bf5e0f9a953e79191c
humanhash:	purple-violet-lake-floor
File name:	5165de1c6152b1bf5e0f9a953e79191c.exe
Download:	download sample
Signature	ArkeiStealer Create hunting rule
File size:	270'848 bytes
First seen:	2022-02-08 08:20:09 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	091728773b35dc40ea3917ab097b59a3 (1 x ArkeiStealer, 1 x Smoke Loader)
ssdeep	3072:cHBzotcaXmRnhsVSo3c/EWcXsIc74yCcrjuPJ1+/z08:cH7aXmLsB2+Tc74yCc/qsr
Threatray	810 similar samples on MalwareBazaar
TLSH	T1B044CE1132D3D432C5961E74A834CBE55A7ABB721963928B37B8FB6E1E703D12636313
File icon (PE):
dhash icon	38b078eccacccc43 (88 x Smoke Loader, 38 x Stop, 33 x RedLineStealer)
Reporter	abuse_ch
Tags:	ArkeiStealer exe

Intelligence

File Origin

# of uploads :

# of downloads :

151

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

af138c1b86f37a90982bf31a77b736435c0d94b0c273b1005d1313305d5c7d58.zip

Verdict:

Malicious activity

Analysis date:

2022-02-08 08:46:59 UTC

Tags:

stealer loader trojan arkei vidar

Link:

https://app.any.run/tasks/6744c682-d94e-4297-a79d-ae52a167974a

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/237855/

Detection(s):

Win.Dropper.LokiBot-9938483-0

Win.Packed.Filerepmalware-9938574-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

DNS request

Creating a file

Reading critical registry keys

Changing a file

Creating a file in the %AppData% subdirectories

Creating a window

Сreating synchronization primitives

Running batch commands

Creating a process with a hidden window

Launching a process

Launching the default Windows debugger (dwwin.exe)

Query of malicious DNS domain

Stealing user critical data

Sending an HTTP GET request to an infection source

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/6353/overview

Behaviour

SystemUptime

MeasuringTime

EvasionQueryPerformanceCounter

CheckCmdLine

EvasionGetTickCount

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

greyware lokibot

Link:

https://www.filescan.io/uploads/620228054077c8b9a0206990/reports/4311f5f7-cfbe-4b04-bb03-4bb8d3237ce9/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/dc0a09fe-103e-4791-83bb-6e4e4600b448

Result

Threat name:

Vidar

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/935923

Behaviour

Behavior Graph:

n/a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/af138c1b86f37a90982bf31a77b736435c0d94b0c273b1005d1313305d5c7d58/

Threat name:

Win32.Trojan.Azorult

Status:

Malicious

First seen:

2022-02-08 08:21:09 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

23 of 28 (82.14%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=v4jyyg4g6n5jbgbl6mnhpnzwinoa3ffqyjz3cac5cmjtaxk4pvma._file

Verdict:

malicious

ArkeiStealer

6a3d626d0ab359b8e7a3d3ea8551f3e948c26f74465c65e1f02f6aa76163fa2b

ArkeiStealer

7a7c19f6fb76910063eacc921a204e55b57ae3bbe824f0d8b2623ee17953ec40

ArkeiStealer

81046b6948cd3b8ca105c0580b8aecabaff132161125328e49925570b6b22b80

ArkeiStealer

892504033a259f380c1e2a35db15b95bffcff4f96c36a84731afde6c5b35371a

ArkeiStealer

95e4e83e579f6195b85751b47686f0a3a42933caac2c1c2afd73bd35b00ad981

ArkeiStealer

b4564966c74ea17badd252d6c1b3a052f869e69d0c7cbbcb776af245135e9917

ArkeiStealer

d6f82559be32a5739fd1c6a1eade697c8d90c331ec31cc7690dd2fdb4e70ab74

ArkeiStealer

e069ce2651bc7095e62c6a919fee34c696eb76995b5ef58d5311d89218847fd0

ArkeiStealer

+ 800 additional samples on MalwareBazaar

Result

Malware family:

arkei

Score:

10/10

Tags:

family:arkei botnet:default discovery spyware stealer

Link:

https://tria.ge/reports/220208-j81dsseggn/

Behaviour

Checks processor information in registry

Delays execution with timeout.exe

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Drops file in Windows directory

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Checks computer location settings

Deletes itself

Loads dropped DLL

Reads user/profile data of web browsers

Downloads MZ/PE file

Arkei Stealer Payload

Arkei

Suspicious use of NtCreateProcessExOtherParentProcess

Malware Config

C2 Extraction:

http://coin-file-file-19.com/tratata.php

Unpacked files

SH256 hash:

69ba4e2995d6b11bb319d7373d150560ea295c02773fe5aa9c729bfd2c334e1e

MD5 hash:

58922177676773ec3324c33734ae9ef9

SHA1 hash:

ce0a3cae8ee18c6d1f22361224b3692d61d5d7a2

Link:

https://www.unpac.me/results/41040dc8-5f9d-41aa-ab52-13cd8b3fd0fa/

SH256 hash:

af138c1b86f37a90982bf31a77b736435c0d94b0c273b1005d1313305d5c7d58

MD5 hash:

5165de1c6152b1bf5e0f9a953e79191c

SHA1 hash:

6ca7bc048d2c707c5dae97b79c9af3a2dcb7f8aa

Link:

https://www.unpac.me/results/41040dc8-5f9d-41aa-ab52-13cd8b3fd0fa/

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ArkeiStealer

exe af138c1b86f37a90982bf31a77b736435c0d94b0c273b1005d1313305d5c7d58

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/1988764/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/237855/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample