MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ca5bfe5d1baa1423a43e98ead6e96df99582bace3802be84209cf9afff1c0196. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ca5bfe5d1baa1423a43e98ead6e96df99582bace3802be84209cf9afff1c0196
SHA3-384 hash: 87da3cfd053b4093a76f991cf83f72adfb7c75d6a9a321a49496b177ef6b3b1a152dd5582b654c74f38087147ad5db3e
SHA1 hash: 69ed9c4250fd34db6aee01d973e9b96c21a1bd9b
MD5 hash: d1d54e2b8c751c1093e6a0e0e09b899e
humanhash: purple-fifteen-india-north
File name:d1d54e2b8c751c1093e6a0e0e09b899e.exe
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:205'824 bytes
First seen:2021-11-26 19:18:09 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 18236996516f1699a9cb95ecb494d7df (2 x ArkeiStealer, 1 x Smoke Loader)
ssdeep 3072:E9eShFrMrpqFEM/pGh+oER+i9IBRQl9appCeoWpRFNAXcjruV5Xd2:tYrMgqMxGhTdTQlEphoy2Crg5U
Threatray 672 similar samples on MalwareBazaar
TLSH T1E714CF3526D3C4B2D5EB163028B0DBA2DABB7833167184BF33642A2E1D602D549F675F
File icon (PE):PE icon
dhash icon fcfcb4d4d4d4d8c8 (18 x RedLineStealer, 10 x RaccoonStealer, 5 x Smoke Loader)
Reporter abuse_ch
Tags:ArkeiStealer exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
163
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
d1d54e2b8c751c1093e6a0e0e09b899e.exe
Verdict:
Malicious activity
Analysis date:
2021-11-26 19:27:00 UTC
Tags:
loader stealer trojan
Link:
https://app.any.run/tasks/bb1a0465-cf41-455d-9701-cc37e8cc9ca6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
DNS request
Creating a file
Reading critical registry keys
Changing a file
Creating a file in the %AppData% subdirectories
Creating a window
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Launching a process
Launching the default Windows debugger (dwwin.exe)
Query of malicious DNS domain
Stealing user critical data
Sending an HTTP GET request to an infection source
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/61a1332af36138de3f3fa4fb/reports/53e9a606-4ece-4f03-b1dc-2498db1c61cd/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Dridex
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/bf5cdeba-2aa0-47d8-a622-9ad6c2cfd292
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/896952
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to detect sleep reduction / modifications
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Self deletion via cmd delete
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ca5bfe5d1baa1423a43e98ead6e96df99582bace3802be84209cf9afff1c0196/
Threat name:
Win32.Ransomware.StopCrypt
Create hunting rule
Status:
Malicious
First seen:
2021-11-26 19:19:09 UTC
File Type:
PE (Exe)
Extracted files:
16
AV detection:
24 of 27 (88.89%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zjn74xi3vikchjb6tdvnn2ln7gkyfowohabl5bbatt4277y4agla._file
Verdict:
malicious
Similar samples:
15aeb8380c7b5b50ed1e2ff29c342cfe5c29a26554020001f7f9f1449f996e71
ArkeiStealer
21236f482fd43316627fbabef3cfa537bbefaece481a7ee8f0350c9343fa3cc8
ArkeiStealer
558c59266227c872fce3ff02a9a543194920446758cfc07b6d57d7af7e6d08a1
ArkeiStealer
5b2533a35f7917c8e12a3c24213a37bc5ff1477425a56f7c1d034d85a505f383
ArkeiStealer
7c8e77237e7cdd86ef4f36039b78d3663af0405fd889fdce402e5786864e1c8b
ArkeiStealer
b0e9f6ede4c6442ffed1ae5c650474ae10582945c9ec689d5ac4650f81ee0fdf
ArkeiStealer
b0ffdeb93d45ef22371b46cf607a43a75e24568a9bc784187489c0761c3481ec
ArkeiStealer
d00467d6b6ae9407dce2a18f93cb6018b2da8ea7724090a9e364affa94da2e6f
ArkeiStealer
e9e743d52bcafca9ad84c790cd1b1f5665c508a84ee34ddee896ef8c49223db4
ArkeiStealer
+ 662 additional samples on MalwareBazaar
Result
Malware family:
arkei
Create hunting rule
Score:
  10/10
Tags:
family:arkei botnet:default discovery spyware stealer
Link:
https://tria.ge/reports/211126-xz2gdshea4/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Arkei Stealer Payload
Arkei
Malware Config
C2 Extraction:
http://file-file-host4.com/tratata.php
Unpacked files
SH256 hash:
deca9b0a8db323fc178abe82a383f6fa7a8819f2988adc749985cfa4b6c6129b
MD5 hash:
82da3e49ea84d45b197395c4084462ba
SHA1 hash:
5e3fd61476affe5bd932fce3d69df087e4e7c1fa
Link:
https://www.unpac.me/results/b51dc0c9-f8a1-45e1-a790-94ffb83774f0/
SH256 hash:
ca5bfe5d1baa1423a43e98ead6e96df99582bace3802be84209cf9afff1c0196
MD5 hash:
d1d54e2b8c751c1093e6a0e0e09b899e
SHA1 hash:
69ed9c4250fd34db6aee01d973e9b96c21a1bd9b
Link:
https://www.unpac.me/results/b51dc0c9-f8a1-45e1-a790-94ffb83774f0/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/ca5bfe5d1baa/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ca5bfe5d1baa1423a43e98ead6e96df99582bace3802be84209cf9afff1c0196

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation
Create hunting rule
Author:ditekSHen
Description:Detects executables containing potential Windows Defender anti-emulation checks

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ArkeiStealer

Executable exe ca5bfe5d1baa1423a43e98ead6e96df99582bace3802be84209cf9afff1c0196

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1811957/
  
Delivery method
Distributed via web download

Comments