MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e03315664302a299233cf88fbe8792f36bf5c76c16a936270866e0ade1b72382. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ArkeiStealer

Vendor detections: 12

Intelligence 12 IOCs YARA File information Comments

SHA256 hash:	e03315664302a299233cf88fbe8792f36bf5c76c16a936270866e0ade1b72382
SHA3-384 hash:	83d632608b2b0643a428155aac6bae7ec8e49d1e0d10f8bb1b71cfe8ea15778663c21c2c71b8e2dcdf70dbea4aee4ff0
SHA1 hash:	dc111f34be00cacde77ddc6b72741a218d134f3e
MD5 hash:	1da0c017946163f4bee8c7052c4b207d
humanhash:	ten-december-nine-steak
File name:	1da0c017946163f4bee8c7052c4b207d.exe
Download:	download sample
Signature	ArkeiStealer Create hunting rule
File size:	1'406'016 bytes
First seen:	2022-01-05 10:54:36 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	0c2969fd46b116e553c8450623d3559a (1 x ArkeiStealer)
ssdeep	24576:OBKr5fKs+yhrbyiqsjIF/wd5pPl5wIlYTNxAZWU+25+gKLTzdmGw7:VlKlIiZ5F/wjpPS+puhm
Threatray	8'555 similar samples on MalwareBazaar
TLSH	T1845512849AE4E269F19B4733BDFE030A79E4FC106A3CA75B5184305AC4B3BC1BC55B66
File icon (PE):
dhash icon	e8cc0b0ae029d48e (1 x ArkeiStealer)
Reporter	abuse_ch
Tags:	ArkeiStealer exe

Intelligence

File Origin

# of uploads :

# of downloads :

194

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

1da0c017946163f4bee8c7052c4b207d.exe

Verdict:

Malicious activity

Analysis date:

2022-01-05 10:58:11 UTC

Tags:

stealer loader trojan

Link:

https://app.any.run/tasks/51bfd1f2-0ba6-4c94-b174-a57654fb9fc8

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/217425/

Detection(s):

SecuriteInfo.com.Trojan.Siggen16.25626.21153.19352.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Searching for analyzing tools

Searching for the window

Сreating synchronization primitives

DNS request

Sending an HTTP GET request

Creating a file

Reading critical registry keys

Changing a file

Creating a file in the %AppData% subdirectories

Sending a custom TCP request

Running batch commands

Creating a process with a hidden window

Launching a process

Stealing user critical data

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

overlay packed vidar

Link:

https://www.filescan.io/uploads/61d5790bbfe53d318f276e4e/reports/3cce8543-dfb6-479e-9403-80d5670a7ad5/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Ryuk

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/ac6ea98c-d155-476b-b84b-c662abd153d0

Result

Threat name:

Vidar

Detection:

malicious

Classification:

rans.troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/915774

Signature

C2 URLs / IPs found in malware configuration

Contains functionality to detect sleep reduction / modifications

Found malware configuration

Hides threads from debuggers

Machine Learning detection for sample

Modifies existing user documents (likely ransomware behavior)

Multi AV Scanner detection for submitted file

Query firmware table information (likely to detect VMs)

Self deletion via cmd delete

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to evade analysis by execution special instruction which cause usermode exception

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/e03315664302a299233cf88fbe8792f36bf5c76c16a936270866e0ade1b72382/

Threat name:

Win32.Trojan.Vidar

Status:

Malicious

First seen:

2022-01-05 02:58:46 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

20 of 28 (71.43%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=4azrkzsdakrjsiz47ch35b4s6nv7lr3mc2utmjyim3qk3ynxeoba._file

Verdict:

malicious

ArkeiStealer

038152eae96d57cb15d542b84755d9feadee7d2012fc183a1937c448c211671e

ArkeiStealer

2d45c9f984150cbeafd07b26b269baefdb497d6e5687e8a0633601e9083afed1

ArkeiStealer

2ff10148112933987a694ab813725a70ab580d7288acf3f58e4ce70ebaf5cc91

ArkeiStealer

3f8cb518e4cd79be7b52dee829e4c1553f39317df11e1ca17809cc77c46df2e2

ArkeiStealer

654574c360fcb5a7eb4f693d99d5f0c4e32f96b219a7327d41b39d7d5acde953

ArkeiStealer

81f4c01d5065f9332a7777b3fb6e5d3113560b68ddaea6da547c5533fc6c5bfb

ArkeiStealer

8ecb9b6e425216f33b0dad4e296680bfab382d7be119b9348eb523e55abd49cc

ArkeiStealer

8f9ff0227f4ce6ed3259d5f2f8bfd8c54496e9896ad5f522cdd768911be4b4bc

ArkeiStealer

9cae87b1118c6142f014a4a22be3a4489f40465a7de9e5cfa9aa019817e2dea4

ArkeiStealer

+ 8'545 additional samples on MalwareBazaar

Result

Malware family:

arkei

Score:

10/10

Tags:

family:arkei discovery evasion spyware stealer trojan

Link:

https://tria.ge/reports/220105-mz5hyaaefk/

Behaviour

Checks processor information in registry

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of NtSetInformationThreadHideFromDebugger

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Checks whether UAC is enabled

Checks BIOS information in registry

Deletes itself

Loads dropped DLL

Reads user/profile data of web browsers

Downloads MZ/PE file

Arkei Stealer Payload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Arkei

Unpacked files

SH256 hash:

966c3e2b04494bb1f31766b4d18e0d66df96b1897ed209e4c65b79d78acbfd58

MD5 hash:

4cc827d0ab53bd02aa69763f6b86e858

SHA1 hash:

36b925f0622416cf94bbac0dadcc5a86979a2aad

Link:

https://www.unpac.me/results/6860667b-3d71-447d-ae1a-914d77f69667/

SH256 hash:

e03315664302a299233cf88fbe8792f36bf5c76c16a936270866e0ade1b72382

MD5 hash:

1da0c017946163f4bee8c7052c4b207d

SHA1 hash:

dc111f34be00cacde77ddc6b72741a218d134f3e

Link:

https://www.unpac.me/results/6860667b-3d71-447d-ae1a-914d77f69667/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/e03315664302/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.83

Link:

https://yomi.yoroi.company/submissions/e03315664302a299233cf88fbe8792f36bf5c76c16a936270866e0ade1b72382

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ArkeiStealer

exe e03315664302a299233cf88fbe8792f36bf5c76c16a936270866e0ade1b72382

(this sample)

Cape

https://www.capesandbox.com/analysis/217425/

URLhaus

https://urlhaus.abuse.ch/url/1947948/

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample