MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f106e2e0fa9b292f28808409cdc7a363f3c9310fbb547d896fdadcde4e8ea660. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ArkeiStealer

Vendor detections: 10

Intelligence 10 IOCs YARA File information Comments

SHA256 hash:	f106e2e0fa9b292f28808409cdc7a363f3c9310fbb547d896fdadcde4e8ea660
SHA3-384 hash:	27fdb88562482a70e4abc72efebee3d0b4327ddf012d06308d5c0628250183c7067cd7befa97b76f63d9a31e635e9c88
SHA1 hash:	fa2de8445dd7275c31568756c731fab58adf14e0
MD5 hash:	4d5b4f886995716e343d14b9fbaf6299
humanhash:	montana-violet-carbon-pluto
File name:	SecuriteInfo.com.Trojan.MalPack.GS.21189.1019
Download:	download sample
Signature	ArkeiStealer Create hunting rule
File size:	322'560 bytes
First seen:	2022-02-19 13:01:11 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	2c3d21882f5ca8acb29bf5dc0942efbd (2 x ArkeiStealer, 2 x RedLineStealer)
ssdeep	3072:sks/saI2+lcwNEiJkTW9xLrUXVPVcUQ7Md+yKaF5uk4uC9k6NoxqJ5eoTusxkgaS:asSheEYAarKGxwd+D1k7f6KAhXigaSJ
TLSH	T19F64CF0176A1CC32F5215E764825C2BD8A3BBCF65D35A647FFD0A75EAE313929B21302
File icon (PE):
dhash icon	81bcdcac9c8cb484 (7 x RaccoonStealer, 5 x RedLineStealer, 2 x ArkeiStealer)
Reporter	SecuriteInfoCom
Tags:	ArkeiStealer exe

Intelligence

File Origin

# of uploads :

# of downloads :

313

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/242660/

Detection(s):

SecuriteInfo.com.Trojan.MalPack.GS.21189.1019.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

DNS request

Sending an HTTP GET request

Creating a file

Reading critical registry keys

Changing a file

Creating a file in the %AppData% subdirectories

Creating a window

Сreating synchronization primitives

Running batch commands

Creating a process with a hidden window

Launching a process

Launching the default Windows debugger (dwwin.exe)

Stealing user critical data

Result

Malware family:

n/a

Score:

9/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/6671/overview

Behaviour

MalwareBazaar

SystemUptime

CPUID_Instruction

MeasuringTime

EvasionGetTickCount

CheckCmdLine

EvasionQueryPerformanceCounter

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

exploit greyware

Link:

https://www.filescan.io/uploads/6210ea50ac8ad0468b562c76/reports/c8f68ea3-a166-424d-bfa1-85aaf64f6da8/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

FickerStealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/fb6232ff-7949-45ae-9139-1772c846f16d

Result

Threat name:

Vidar

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/942606

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Contains functionality to detect sleep reduction / modifications

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found evasive API chain (may stop execution after checking computer name)

Found evasive API chain (may stop execution after checking locale)

Found evasive API chain (may stop execution after checking mutex)

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Found malware configuration

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Self deletion via cmd delete

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f106e2e0fa9b292f28808409cdc7a363f3c9310fbb547d896fdadcde4e8ea660/

Threat name:

Win32.Trojan.CrypterX

Status:

Malicious

First seen:

2022-02-19 13:02:14 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

20 of 28 (71.43%)

Threat level:

5/5

Result

Malware family:

arkei

Score:

10/10

Tags:

family:arkei botnet:default discovery spyware stealer suricata

Link:

https://tria.ge/reports/220219-p9twasbdhm/

Behaviour

Checks processor information in registry

Delays execution with timeout.exe

Enumerates system info in registry

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Drops file in Windows directory

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Checks computer location settings

Deletes itself

Loads dropped DLL

Reads user/profile data of web browsers

Downloads MZ/PE file

Arkei

Suspicious use of NtCreateProcessExOtherParentProcess

suricata: ET MALWARE Win32/Vidar Variant/Mars Stealer CnC Exfil

Malware Config

C2 Extraction:

http://woor.link/548152.php

Unpacked files

SH256 hash:

95877edc01e9b4f4d239062ef0de52bb17b1c8ce375a6743503210fb4256020c

MD5 hash:

84fab8313958f2f6207444bb07862ad0

SHA1 hash:

0094623fc5f042eff4239dc9f5694d0ef6a742e7

Link:

https://www.unpac.me/results/a1282669-7987-4978-8e9a-52131d1b0ab1/

SH256 hash:

f106e2e0fa9b292f28808409cdc7a363f3c9310fbb547d896fdadcde4e8ea660

MD5 hash:

4d5b4f886995716e343d14b9fbaf6299

SHA1 hash:

fa2de8445dd7275c31568756c731fab58adf14e0

Link:

https://www.unpac.me/results/a1282669-7987-4978-8e9a-52131d1b0ab1/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/f106e2e0fa9b/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/f106e2e0fa9b292f28808409cdc7a363f3c9310fbb547d896fdadcde4e8ea660

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ArkeiStealer

exe f106e2e0fa9b292f28808409cdc7a363f3c9310fbb547d896fdadcde4e8ea660

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/2048557/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/242660/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample