MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e45414a2f8f7ca67e5438949f1ae1b6e0470007bcd8a55eb058cf87f6b078639. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e45414a2f8f7ca67e5438949f1ae1b6e0470007bcd8a55eb058cf87f6b078639
SHA3-384 hash: e09106265c4eb6475e63e1023b161fa62454dd8b9d9bee2eef44a1cab642c96db8bbf1bb626362ef664eacb2a31f4dfd
SHA1 hash: b451e08f7d58118cf62c87f426dd95dda5aabd3e
MD5 hash: 09f2b519e22c52721d33d5c3c0ac1f5e
humanhash: one-four-winner-texas
File name:09f2b519e22c52721d33d5c3c0ac1f5e
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:2'669'040 bytes
First seen:2022-07-20 22:34:39 UTC
Last seen:2022-07-20 23:48:24 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 2bd4b8620ae035f6bf279b34fa17fcf7 (23 x RedLineStealer, 2 x Formbook, 1 x RecordBreaker)
ssdeep 24576:P9DBZdm3DfvpZ0YzYqJ8Qs7hM42dDQ1D05Em8eMRBqgUwob8dl8LUye+jbQl3RuN:PfZU37vs3o5eeM6Twob8dl84l3A
TLSH T1CAC51A135A8B0D75DDD27BB4A1CB633AA734ED30CA3A9B7FB608C43959532C46C1A742
TrID 33.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
21.3% (.EXE) Win64 Executable (generic) (10523/12/4)
13.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
10.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.1% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter zbetcheckin
Tags:32 ArkeiStealer exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
309
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/293020/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Siggen3.19704.15425.16730.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/26889/overview
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
EvasionGetTickCount
EvasionQueryPerformanceCounter
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug arkei formbook overlay packed spyeye vidar
Link:
https://www.filescan.io/uploads/62d8831eef2b0e63a82b2815/reports/ee68a661-50bd-4f00-bdea-0bd05e090ddb/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/31411e62-81fb-4823-a598-422d1a6c904e
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1038036
Signature
Antivirus detection for URL or domain
Contains functionality to detect sleep reduction / modifications
Found evasive API chain (may stop execution after checking mutex)
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Multi AV Scanner detection for submitted file
Sample uses process hollowing technique
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e45414a2f8f7ca67e5438949f1ae1b6e0470007bcd8a55eb058cf87f6b078639/
Threat name:
Win32.Trojan.Redlinestealer
Create hunting rule
Status:
Malicious
First seen:
2022-07-14 00:52:36 UTC
File Type:
PE (Exe)
AV detection:
18 of 26 (69.23%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4rkbjixy67fgpzkdrfe7dlq3nychaad3zwffl2yfrt4h62yhqy4q._file
Result
Malware family:
arkei
Create hunting rule
Score:
  10/10
Tags:
family:arkei botnet:default spyware stealer
Link:
https://tria.ge/reports/220720-2hphqaahe6/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Loads dropped DLL
Arkei
Unpacked files
SH256 hash:
bd83bc07909dc5ae9f5a22c9cc9144de36929091069d6e3ddaf3190d64d71557
MD5 hash:
ac56b347243e5555ae78d5fb1db79a37
SHA1 hash:
7490ecc4d584b3f4e826c963455a47488642c63f
Link:
https://www.unpac.me/results/4e1791ab-8021-454a-9b32-84d2e0dbec71/
SH256 hash:
7e6d5e7e8bb3ea84fda8180d8a725133c3e16ddba5e9ec47b2d5e8a2a555afa5
MD5 hash:
3ec8870fbc2051652db6ddf932a5b71b
SHA1 hash:
b7c19035e155aa9ffed6419d3e0174f8c0a3cb77
Link:
https://www.unpac.me/results/4e1791ab-8021-454a-9b32-84d2e0dbec71/
SH256 hash:
e45414a2f8f7ca67e5438949f1ae1b6e0470007bcd8a55eb058cf87f6b078639
MD5 hash:
09f2b519e22c52721d33d5c3c0ac1f5e
SHA1 hash:
b451e08f7d58118cf62c87f426dd95dda5aabd3e
Link:
https://www.unpac.me/results/4e1791ab-8021-454a-9b32-84d2e0dbec71/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e45414a2f8f7/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e45414a2f8f7ca67e5438949f1ae1b6e0470007bcd8a55eb058cf87f6b078639

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:Sectigo_Code_Signed
Create hunting rule
Description:Detects code signed by the Sectigo RSA Code Signing CA
Reference:https://bazaar.abuse.ch/export/csv/cscb/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ArkeiStealer

Executable exe e45414a2f8f7ca67e5438949f1ae1b6e0470007bcd8a55eb058cf87f6b078639

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/293020/
  
URLhaus
https://urlhaus.abuse.ch/url/2259465/

Comments


Avatar
zbet commented on 2022-07-20 22:34:45 UTC

url : hxxp://185.104.114.24/cheat.exe