MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f414b58167438e77909afa13c1e137874fb7aad4983d30cd9b769f205ace0078. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 16


Intelligence 16 IOCs 1 YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f414b58167438e77909afa13c1e137874fb7aad4983d30cd9b769f205ace0078
SHA3-384 hash: 89572ef3af47a0a4d3aaf2253da22c17f1b03e1ca94fa93c4c4697869b13e4ee0d06e53ce90ea56b884937e396be355c
SHA1 hash: 4fdf141fb23faed163f08058720d208ec616f432
MD5 hash: 6b1face6b1df57abdcdd51fdf3440e49
humanhash: arkansas-kitten-thirteen-sad
File name:6b1face6b1df57abdcdd51fdf3440e49.exe
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:527'414 bytes
First seen:2022-10-20 02:09:18 UTC
Last seen:2022-10-20 03:14:31 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 6bc000ab62302db8cd5a1f1db9d5badd (1 x ArkeiStealer, 1 x Smoke Loader)
ssdeep 12288:fOFiyeZBOh8SLy8pROrSqcoBtdCfTJY503hw2rNwAxYYUMH:iilZB6RBL0SvoBTCfCSTN1Uw
Threatray 710 similar samples on MalwareBazaar
TLSH T12BB4F130B940C13AE8A20CFB8DEEDBEC291D96B14F5570D321D9B78A89193D57F39198
TrID 54.4% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
18.3% (.EXE) Win64 Executable (generic) (10523/12/4)
8.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.8% (.EXE) Win32 Executable (generic) (4505/5/1)
3.5% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter abuse_ch
Tags:ArkeiStealer exe


Avatar
abuse_ch
ArkeiStealer C2:
http://69.161.221.169/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://69.161.221.169/ https://threatfox.abuse.ch/ioc/891839/

Intelligence

File Origin
# of uploads :
2
# of downloads :
214
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
ficker
Create hunting rule
ID:
1
File name:
e802bea8c9e7e665f35d38a88081b61147d53a6c449cba599fb192359889e2f2.exe
Verdict:
Malicious activity
Analysis date:
2022-10-17 18:06:44 UTC
Tags:
installer opendir loader evasion trojan ficker stealer raccoon recordbreaker
Link:
https://app.any.run/tasks/d9eb03a3-19cc-4ae9-b8d1-26031be4e601

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/321876/
Detection(s):
SecuriteInfo.com.Variant.Ser.Zusy.3557.17999.32272.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Reading critical registry keys
Creating a window
Launching the default Windows debugger (dwwin.exe)
Stealing user critical data
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/43913/overview
Behaviour
MalwareBazaar
MeasuringTime
SystemUptime
CheckCmdLine
EvasionGetTickCount
EvasionQueryPerformanceCounter
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-debug greyware overlay packed
Link:
https://www.filescan.io/uploads/6350adfcfdf6478a15af9fd5/reports/0c801761-6922-4d68-a926-555f21f3250c/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Vidar
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f23ff418-d082-4251-8a8f-24699f56714b
Result
Threat name:
RedLine, Vidar, Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1093873
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the hosts file
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Self deletion via cmd or bat file
Sigma detected: Stop multiple services
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses cmd line tools excessively to alter registry or file data
Uses known network protocols on non-standard ports
Writes to foreign memory regions
Yara detected RedLine Stealer
Yara detected Vidar stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 726495 Sample: Qh2jNLL1bg.exe Startdate: 20/10/2022 Architecture: WINDOWS Score: 100 100 pool.hashvault.pro 2->100 120 Multi AV Scanner detection for domain / URL 2->120 122 Malicious sample detected (through community Yara rule) 2->122 124 Antivirus detection for URL or domain 2->124 126 11 other signatures 2->126 14 Qh2jNLL1bg.exe 2->14         started        17 punpun.exe 2->17         started        19 punpun.exe 2->19         started        signatures3 process4 signatures5 148 Detected unpacking (changes PE section rights) 14->148 150 Detected unpacking (overwrites its own PE header) 14->150 152 Self deletion via cmd or bat file 14->152 154 2 other signatures 14->154 21 Qh2jNLL1bg.exe 20 14->21         started        26 conhost.exe 17->26         started        28 conhost.exe 19->28         started        process6 dnsIp7 106 t.me 149.154.167.99, 443, 49699 TELEGRAMRU United Kingdom 21->106 108 45.15.156.60, 49701, 80 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 21->108 110 69.161.221.169, 49700, 80 NETWORK-SOLUTIONS-HOSTINGUS United States 21->110 88 C:\Users\user\AppData\...\qwe22zdlAq[1].exe, PE32 21->88 dropped 90 C:\ProgramData\58950993230722532194.exe, PE32 21->90 dropped 128 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 21->128 130 Self deletion via cmd or bat file 21->130 132 Tries to harvest and steal browser information (history, passwords, etc) 21->132 134 Tries to steal Crypto Currency Wallets 21->134 30 58950993230722532194.exe 21->30         started        33 cmd.exe 1 21->33         started        file8 signatures9 process10 signatures11 156 Multi AV Scanner detection for dropped file 30->156 158 Machine Learning detection for dropped file 30->158 160 Writes to foreign memory regions 30->160 162 2 other signatures 30->162 35 RegSvcs.exe 1 17 30->35         started        39 taskkill.exe 1 33->39         started        41 conhost.exe 33->41         started        43 timeout.exe 1 33->43         started        process12 dnsIp13 102 79.137.196.121, 1488, 49702 PSKSET-ASRU Russian Federation 35->102 104 nanoplow.space 31.31.196.159, 443, 49703 AS-REGRU Russian Federation 35->104 82 C:\Users\user\AppData\Roaming\...\punpun.exe, PE32 35->82 dropped 84 C:\Users\user\AppData\...\InfoPacPac.exe, PE32 35->84 dropped 86 C:\Users\user\AppData\Local\...\zxc[1].exe, PE32 35->86 dropped 45 InfoPacPac.exe 1 35->45         started        file14 process15 signatures16 142 Writes to foreign memory regions 45->142 144 Injects a PE file into a foreign processes 45->144 48 vbc.exe 36 45->48         started        53 conhost.exe 45->53         started        process17 dnsIp18 94 79.137.192.6, 49704, 49706, 49708 PSKSET-ASRU Russian Federation 48->94 96 api.ip.sb 48->96 98 mamamiya137.ru 79.137.192.10, 443, 49707 PSKSET-ASRU Russian Federation 48->98 80 C:\Users\user\AppData\Local\...80ETSvc12.exe, PE32+ 48->80 dropped 112 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 48->112 114 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 48->114 116 Tries to harvest and steal browser information (history, passwords, etc) 48->116 118 Tries to steal Crypto Currency Wallets 48->118 55 NETSvc12.exe 48->55         started        59 conhost.exe 48->59         started        file19 signatures20 process21 file22 92 C:\Windows\System32\drivers\etc\hosts, data 55->92 dropped 136 Multi AV Scanner detection for dropped file 55->136 138 Modifies the hosts file 55->138 140 Adds a directory exclusion to Windows Defender 55->140 61 cmd.exe 55->61         started        64 powershell.exe 55->64         started        66 powershell.exe 55->66         started        signatures23 process24 signatures25 146 Uses cmd line tools excessively to alter registry or file data 61->146 68 conhost.exe 61->68         started        70 sc.exe 61->70         started        72 sc.exe 61->72         started        78 8 other processes 61->78 74 conhost.exe 64->74         started        76 conhost.exe 66->76         started        process26
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f414b58167438e77909afa13c1e137874fb7aad4983d30cd9b769f205ace0078/
Threat name:
Win32.Trojan.Arkeistealer
Create hunting rule
Status:
Malicious
First seen:
2022-10-16 20:28:48 UTC
File Type:
PE (Exe)
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=6qkllalhiohhpee27ij4dyjxq5h3pkwuta6tbtm3o2psawwoab4a._file
Verdict:
malicious
Similar samples:
1bd4abc21125d116ca1b721d180e1c36dd0bf7b78b69088a9b17c8445fdda085
ArkeiStealer
3af3279ede125805a47682382304f6b76af4e7c34c2bfeaa198e0dc38f3ad1b6
ArkeiStealer
9a7820f2d1ed7044c6f2892f2a1e6ce377f3bce1837601c8f9f499c7cde4670d
ArkeiStealer
aa2b5d5f5e91f673c6ad75dfdf35c33ebda273b5ca96d5d4897cb791ba23d16a
ArkeiStealer
dc603e5b83b3707a92b34f8d76c08fa494d6684080be06bd59111ea28f26188b
ArkeiStealer
f5d0c083bcd73094d1c995ce77f0730514f34e7ea0bb7e620127949dac19b6aa
ArkeiStealer
fd5b0792ea3837a3eb0b86a47e08d4ec52dda7f1fbe677326fbe31ac534d7340
ArkeiStealer
+ 700 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar botnet:1636 discovery spyware stealer
Link:
https://tria.ge/reports/221020-clpv8aaab3/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Vidar
Malware Config
C2 Extraction:
https://t.me/dghzq
https://t.me/zjsqpz
https://t.me/fqwexzq
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/d9d573b7-46ec-45ea-b583-72cd2faf6242
Unpacked files
SH256 hash:
d758cc43c607abbc38b2deb85b02fcf42abfe939617391a5846527cf2d1e13af
MD5 hash:
6251cf9d23396d8e57f1eb7ddd0c7eb4
SHA1 hash:
0ddd316dffe4d57d68f6ef93a09d1e513b8881fa
Detections:
VidarStealer
Create hunting rule
Link:
https://www.unpac.me/results/50b8570b-bcbe-43af-adf6-080a33f94ea3/
Parent samples :
f414b58167438e77909afa13c1e137874fb7aad4983d30cd9b769f205ace0078
3519c802164ad7fbb26b86834083ecc83039f05fdd2915a8e54091461629b08a
SH256 hash:
ced886ff27a214623e642290b58bbd250bd4b19fdb44a555249dfb75037e921f
MD5 hash:
23d10fadf1300310081e9277f5ba5f2c
SHA1 hash:
3e5a7277c819200856954b6ba58bc1f872a11e2c
Link:
https://www.unpac.me/results/50b8570b-bcbe-43af-adf6-080a33f94ea3/
SH256 hash:
f414b58167438e77909afa13c1e137874fb7aad4983d30cd9b769f205ace0078
MD5 hash:
6b1face6b1df57abdcdd51fdf3440e49
SHA1 hash:
4fdf141fb23faed163f08058720d208ec616f432
Link:
https://www.unpac.me/results/50b8570b-bcbe-43af-adf6-080a33f94ea3/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f414b5816743/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f414b58167438e77909afa13c1e137874fb7aad4983d30cd9b769f205ace0078

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:Vidar
Create hunting rule
Author:kevoreilly,rony
Description:Vidar Payload

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/321876/

Comments