MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b61909aa48c3bd53bc5c94589078acba1a719998b4bb3be33a6207c104771dd1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b61909aa48c3bd53bc5c94589078acba1a719998b4bb3be33a6207c104771dd1
SHA3-384 hash: 8a6d29d8935a5b01dcb737e34de17c0613c71b69a504ceca906e5dce05a6451a2547433a2b711c7b0f7c2436980e0fbe
SHA1 hash: 7e8a2be7e57e3cfb11e29ea5afd6359dd5c2a35a
MD5 hash: 9495761e569d1589af99bb520cd01a54
humanhash: jersey-spring-rugby-carolina
File name:9495761e569d1589af99bb520cd01a54
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:1'361'920 bytes
First seen:2021-09-21 06:38:55 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 5511694027f5c5aab51d18a076c7a70f (1 x ArkeiStealer)
ssdeep 3072:OpGSYF1aI2LsEBsabgMArKjXGI3UbSLctvkn7aOKzXgVg3Zeu2GBlF0W:qFYF1aI2LsYsGsrKD03vplF
Threatray 464 similar samples on MalwareBazaar
TLSH T1DE55C7E4B94D8C73FCE8363816D31D5C29293FC3B02D358F71AEB569A96BE81A945D00
File icon (PE):PE icon
dhash icon 88a8a08c8c8ea8a8 (5 x Squirrelwaffle, 4 x Formbook, 3 x ArkeiStealer)
Reporter zbetcheckin
Tags:32 ArkeiStealer exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
98
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
9495761e569d1589af99bb520cd01a54
Verdict:
Malicious activity
Analysis date:
2021-09-21 06:41:28 UTC
Tags:
opendir loader stealer trojan
Link:
https://app.any.run/tasks/1fff8637-99e5-4a07-866c-1018f57cc4da

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/189665/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware1.16604.19579.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/060be008-9413-466a-891a-f8a2967faf0f
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/854598
Signature
Contains functionality to detect sleep reduction / modifications
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Self deletion via cmd delete
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b61909aa48c3bd53bc5c94589078acba1a719998b4bb3be33a6207c104771dd1/
Verdict:
malicious
Similar samples:
111dd17966a5f7058eb1cfc468c1d062602437a69694aa05eff97d121d611408
ArkeiStealer
120a50bdd5effe67ea0270aa7f938039e7a5e6a589a13e9371e381f4d1518dcd
ArkeiStealer
2d91e376152618dd6a130215eb8db5c438eafa6738d62266e3edec027a58e88e
ArkeiStealer
341970fa08050ae3de11bf7d13c9f76f818298c1f8af73e285fc56a0bb12b77b
ArkeiStealer
3d59ac598ad756cfa7d56ea28d85071266ccfbcec2bc952600ff82fec99d633c
ArkeiStealer
3e46c3912ced6d4821bb215ad4feb1711e3f0becaae258899ce77037c648048a
ArkeiStealer
7173381414ec85250c6bd3c9b803f2d49b98a7826c8aeea37d9328d5e74d7fb6
ArkeiStealer
7fb3e8a0c4b50a519c283a7b7702ccd23c38e78dc251d32b120d8e8a89f87b49
ArkeiStealer
+ 454 additional samples on MalwareBazaar
Result
Malware family:
arkei
Create hunting rule
Score:
  10/10
Tags:
family:arkei discovery spyware stealer
Link:
https://tria.ge/reports/210921-hem1yagfa6/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Arkei Stealer Payload
Arkei
Unpacked files
SH256 hash:
276dc4052ac7191a71ee5a5ccce551d75ae883960f90c487401d91da8e916960
MD5 hash:
3885bf96e6e7e954bdbbcf5afcf9de8a
SHA1 hash:
c9ccbad0ea1ebb75653c7295db8b73bdcb5b6129
Link:
https://www.unpac.me/results/2adaf85e-ae20-4bd0-a49a-1ecce8349119/
SH256 hash:
b61909aa48c3bd53bc5c94589078acba1a719998b4bb3be33a6207c104771dd1
MD5 hash:
9495761e569d1589af99bb520cd01a54
SHA1 hash:
7e8a2be7e57e3cfb11e29ea5afd6359dd5c2a35a
Link:
https://www.unpac.me/results/2adaf85e-ae20-4bd0-a49a-1ecce8349119/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b61909aa48c3bd53bc5c94589078acba1a719998b4bb3be33a6207c104771dd1

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ArkeiStealer

Executable exe b61909aa48c3bd53bc5c94589078acba1a719998b4bb3be33a6207c104771dd1

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1637606/
Cape
Cape
https://www.capesandbox.com/analysis/189665/

Comments


Avatar
zbet commented on 2021-09-21 06:38:56 UTC

url : hxxp://103.169.90.205/blog/upload/21.exe