MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c9513adf4fa12a4f707667571b5ca11aef6ba70d5896eea4854b185d417925fa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ArkeiStealer

Vendor detections: 9

Intelligence 9 IOCs YARA 2 File information Comments

SHA256 hash:	c9513adf4fa12a4f707667571b5ca11aef6ba70d5896eea4854b185d417925fa
SHA3-384 hash:	1c1241ef09a66de357b2422301ced13036cffb0dc160ab6238b2f2f64a6f1c6b90196afe00a27fbb5892492667496d30
SHA1 hash:	bb6f711d85e2cd87a58ef30e024bf24fca92854f
MD5 hash:	7e061e8a0874ed059a7d413a291fcabd
humanhash:	winner-skylark-oxygen-juliet
File name:	7e061e8a0874ed059a7d413a291fcabd.exe
Download:	download sample
Signature	ArkeiStealer Create hunting rule
File size:	360'960 bytes
First seen:	2022-02-12 07:45:29 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	2303fabe051f12dd0d7e5bf4d5631077 (1 x ArkeiStealer)
ssdeep	6144:amJ0CPaxZIXX/mGAzjEM1O4RwIOO36TvsSZ:3VPCGH/mDxO4RwF3t
Threatray	832 similar samples on MalwareBazaar
TLSH	T1CB749E00BB90D035F1B716F8497A93ACB93E7EA25B3495CB62D52AEE56346E0DC31307
File icon (PE):
dhash icon	b2dacabecee6baa6 (148 x RedLineStealer, 145 x Stop, 100 x Smoke Loader)
Reporter	abuse_ch
Tags:	ArkeiStealer exe

Intelligence

File Origin

# of uploads :

# of downloads :

258

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/241057/

Detection(s):

Win.Malware.Generic-9936539-0

Win.Packed.Filerepmalware-9938531-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

DNS request

Sending an HTTP GET request

Creating a file

Reading critical registry keys

Changing a file

Creating a file in the %AppData% subdirectories

Creating a window

Sending a custom TCP request

Сreating synchronization primitives

Running batch commands

Creating a process with a hidden window

Launching a process

Launching the default Windows debugger (dwwin.exe)

Stealing user critical data

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/620765bf54047500bb44e7ae/reports/fa2aa0cf-9d96-4945-b778-dcc177ea958f/overview

Result

Verdict:

SUSPICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/245ff791-de72-4ded-96c2-2925d852e254

Result

Threat name:

Vidar

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/938706

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Contains functionality to detect sleep reduction / modifications

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found evasive API chain (may stop execution after checking computer name)

Found evasive API chain (may stop execution after checking locale)

Found evasive API chain (may stop execution after checking mutex)

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Self deletion via cmd delete

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c9513adf4fa12a4f707667571b5ca11aef6ba70d5896eea4854b185d417925fa/

Threat name:

Win32.Trojan.GenSteal

Status:

Malicious

First seen:

2022-02-12 04:01:16 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

28 of 43 (65.12%)

Threat level:

5/5

Verdict:

malicious

ArkeiStealer

6ffeae0bcdb13bc7aeb7bc57ead60db4c88d40aca6596c0f309031e8109b6be0

ArkeiStealer

89667f582fc57b39ad83e402d591e07c33203a687a606a551a4894ccee03398f

ArkeiStealer

b86da55b00429d3a757c64bc0489af5d2641bfa7aab9910eddec173af09c55b4

ArkeiStealer

e507a57e055eb555aeb3a36da0e47544dcee994bd4d625e16668d55b350bc108

ArkeiStealer

ec4524dcf5814a8446d9967b207761234760d189272dae66a9a0c184a6bcbc79

ArkeiStealer

f938a7c0ebc32402cc6d0a2535eaac499468a2eadab4d38337fe6ddcce5eb7d2

ArkeiStealer

fd3bc451730e3b3193fe465869dfa28878267aae9c6997821cdf5cc079e7a480

ArkeiStealer

+ 822 additional samples on MalwareBazaar

Result

Malware family:

arkei

Score:

10/10

Tags:

family:arkei botnet:dafault discovery spyware stealer

Link:

https://tria.ge/reports/220212-jlzhzsbcdq/

Behaviour

Checks processor information in registry

Delays execution with timeout.exe

Modifies data under HKEY_USERS

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Drops file in Windows directory

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Checks computer location settings

Deletes itself

Loads dropped DLL

Reads user/profile data of web browsers

Downloads MZ/PE file

Arkei Stealer Payload

Arkei

Malware Config

C2 Extraction:

http://googa.link/gate1.php

Unpacked files

SH256 hash:

22851d62503d5acddebde74b97f99c1731153e55dd1610c1a43debd9c9e3d9e2

MD5 hash:

e0557ae788cbe110ba3d5214726625a8

SHA1 hash:

6d0db8d3f169f20c87aa3833267dfa53c6520abf

Link:

https://www.unpac.me/results/645af4e3-37d0-4b20-bee4-d19c57580fd7/

SH256 hash:

c9513adf4fa12a4f707667571b5ca11aef6ba70d5896eea4854b185d417925fa

MD5 hash:

7e061e8a0874ed059a7d413a291fcabd

SHA1 hash:

bb6f711d85e2cd87a58ef30e024bf24fca92854f

Link:

https://www.unpac.me/results/645af4e3-37d0-4b20-bee4-d19c57580fd7/

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BitcoinAddress Create hunting rule
Author:	Didier Stevens (@DidierStevens)
Description:	Contains a valid Bitcoin address

Rule name:	exec_macros Create hunting rule
Author:	ddvvmmzz
Description:	exec macros

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ArkeiStealer

exe c9513adf4fa12a4f707667571b5ca11aef6ba70d5896eea4854b185d417925fa

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/2039550/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/241057/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample