MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e295a5ccbaa87c7487cf1060ad15e63e8389ba947937afabdf00919add065d88. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 8


Intelligence 8 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e295a5ccbaa87c7487cf1060ad15e63e8389ba947937afabdf00919add065d88
SHA3-384 hash: c5186c1cb30e297736ede1a6f88dea1affdee964d3d426c25803cb84aeacf79184f9baae2c5c2d2ac2e6dd99a8fb9366
SHA1 hash: 2236bf3de936b14124c6a84b8511eced0725e015
MD5 hash: 425a0af58b27c014b59ae8af87e2eaff
humanhash: alpha-hamper-jupiter-ten
File name:425a0af58b27c014b59ae8af87e2eaff.exe
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:1'851'032 bytes
First seen:2022-07-30 14:25:09 UTC
Last seen:2022-07-30 15:14:38 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash fed0885d0abd834d60abdab89a35e94c (1 x ArkeiStealer)
ssdeep 49152:fSKKDGebSFblI3oX9Fjg2LrKGLtL/NfElkIr0Rqdmo+VqD9KLQ:fzsGSSFZX9Ng2KGLtLFfEkqdUqkU
Threatray 68 similar samples on MalwareBazaar
TLSH T149851209D76CD6F7C0F73AF1009D973FBE7CD4127A23C655232492856F25FA824A2A1A
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 3386cccce8e8cccc (1 x ArkeiStealer)
Reporter abuse_ch
Tags:ArkeiStealer exe signed

Code Signing Certificate

Organisation:konkofaith.org
Issuer:Go Daddy Secure Certificate Authority - G2
Algorithm:sha256WithRSAEncryption
Valid from:2021-11-23T01:13:43Z
Valid to:2022-12-25T01:13:43Z
Serial number: 3214061ea68ce341
Intelligence: 3 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 27fb5e540c369483cbfa87557337b5e7e9c678012c09796519e1745e420de2bb
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
272
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/295239/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware2.6819.18768.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware overlay packed
Link:
https://www.filescan.io/uploads/62e53f955c07b66577dafef9/reports/1f98dc9d-4cca-443e-adec-384de1a5905d/overview
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/3d3dfd2b-2e96-4c11-b7f2-cbe81c0c80cf
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1043536
Signature
Antivirus detection for URL or domain
Found evasive API chain (may stop execution after checking mutex)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Potentially malicious time measurement code found
Self deletion via cmd or bat file
Snort IDS alert for network traffic
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Uses ping.exe to check the status of other devices and networks
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 676030 Sample: 3XJu0D1iFt.exe Startdate: 30/07/2022 Architecture: WINDOWS Score: 100 69 Snort IDS alert for network traffic 2->69 71 Antivirus detection for URL or domain 2->71 73 Multi AV Scanner detection for submitted file 2->73 75 3 other signatures 2->75 8 3XJu0D1iFt.exe 4 2->8         started        12 DllResource.exe 2->12         started        process3 dnsIp4 49 C:\Users\user\TypeRes\DllResource.exe, PE32 8->49 dropped 51 C:\Users\...\DllResource.exe:Zone.Identifier, ASCII 8->51 dropped 77 Self deletion via cmd or bat file 8->77 79 Uses schtasks.exe or at.exe to add and modify task schedules 8->79 15 DllResource.exe 65 8->15         started        20 cmd.exe 1 8->20         started        22 schtasks.exe 1 8->22         started        55 192.168.2.1 unknown unknown 12->55 file5 signatures6 process7 dnsIp8 57 193.233.193.68, 49856, 49860, 49871 FREE-NET-ASFREEnetEU Russian Federation 15->57 41 C:\Users\user\AppData\...\vcruntime140.dll, PE32 15->41 dropped 43 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32 15->43 dropped 45 C:\Users\user\AppData\Local\...\softokn3.dll, PE32 15->45 dropped 47 25 other files (none is malicious) 15->47 dropped 59 Found evasive API chain (may stop execution after checking mutex) 15->59 61 Tries to harvest and steal ftp login credentials 15->61 63 Tries to harvest and steal browser information (history, passwords, etc) 15->63 67 3 other signatures 15->67 24 cmd.exe 1 15->24         started        65 Uses ping.exe to check the status of other devices and networks 20->65 26 PING.EXE 1 20->26         started        29 conhost.exe 20->29         started        31 chcp.com 1 20->31         started        33 conhost.exe 22->33         started        file9 signatures10 process11 dnsIp12 35 conhost.exe 24->35         started        37 PING.EXE 1 24->37         started        39 chcp.com 1 24->39         started        53 127.0.0.1 unknown unknown 26->53 process13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e295a5ccbaa87c7487cf1060ad15e63e8389ba947937afabdf00919add065d88/
Threat name:
Win32.Trojan.CrypterX
Create hunting rule
Status:
Malicious
First seen:
2022-07-30 14:26:14 UTC
File Type:
PE (Exe)
Extracted files:
28
AV detection:
10 of 26 (38.46%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4kk2ltf2vb6hjb6pcbqk2fpgh2bytouupe327k67acizvxiglwea._file
Verdict:
malicious
Similar samples:
0a84fc0f1fc811c84e6b138e12d11f935c3907f91e5a09092aa2588dca6145a7
ArkeiStealer
57c9630ff4575c0881314c5f31f4177249c84218642cef6c3896fbc6337c380a
ArkeiStealer
7400fed7476a6b4b5045a9f482928e40cbbf34532f9d476507c9f49ac3023ebb
ArkeiStealer
747bff52167a03f0db2458b3a67b8ea292044dafe4dd921f0c6613b7030987a1
ArkeiStealer
78b8bca706d170a7e98740a467ee951b4d8d11b4c37a80dcfe917691f5a32b5c
ArkeiStealer
7f6aff9bfba1f2b99f44bf234b63b2bbdd9f56accff33e1a258dc229050beb22
ArkeiStealer
8795bb17e6a0ce6dc06236d4042c625f2154bd1d8e5df494c23ffa3e58124395
ArkeiStealer
b6ff145884d38092869144e2e68f0c8e50a64c0f376641396d29778ae96450fd
ArkeiStealer
cbb64bb040b36f1c89cb1fbf72237d46cb31f87ad6e1ea721abff9bc060e3e12
ArkeiStealer
ebcfd0fc3ecbf9281e9f42e858be21770fd7e3d92facd23d3dc589f01b1a1091
ArkeiStealer
+ 58 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery
Link:
https://tria.ge/reports/220730-rrvqzsbgb9/
Behaviour
Creates scheduled task(s)
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks installed software on the system
Checks BIOS information in registry
Checks computer location settings
Deletes itself
Loads dropped DLL
Executes dropped EXE
Unpacked files
SH256 hash:
dd6f1310c05b92a0d07bff4e394ac8250d07801d0b0735e483ee31c87d00745a
MD5 hash:
3b62804387708664fdcfab70db305875
SHA1 hash:
0596086c5d23054e5363cd2c750e6a8b5328ad8f
Link:
https://www.unpac.me/results/ae35a59b-9bd3-42da-94e8-2d787b864b8c/
SH256 hash:
e295a5ccbaa87c7487cf1060ad15e63e8389ba947937afabdf00919add065d88
MD5 hash:
425a0af58b27c014b59ae8af87e2eaff
SHA1 hash:
2236bf3de936b14124c6a84b8511eced0725e015
Link:
https://www.unpac.me/results/ae35a59b-9bd3-42da-94e8-2d787b864b8c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e295a5ccbaa87c7487cf1060ad15e63e8389ba947937afabdf00919add065d88

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ArkeiStealer

Executable exe e295a5ccbaa87c7487cf1060ad15e63e8389ba947937afabdf00919add065d88

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2254670/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/295239/

Comments