MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f960b96c81f71d848a119d18aa4074ecaa71e39086a611f2dc637d579b9f6afa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f960b96c81f71d848a119d18aa4074ecaa71e39086a611f2dc637d579b9f6afa
SHA3-384 hash: 6d0c5103d88e995238d18b287cbee03e65817751660097e6c2f0d7083755a4343883110f1d0e56935e051c9b6f404efa
SHA1 hash: c461c6e6da306986d9f853729c5ed03af1ee325e
MD5 hash: 2d6eca88082c6abce764f8a54b9b9917
humanhash: oklahoma-juliet-johnny-alabama
File name:2d6eca88082c6abce764f8a54b9b9917
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:1'670'200 bytes
First seen:2022-01-10 04:26:49 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 690f2725a2fa40ff79738d73e090bb58 (1 x ArkeiStealer)
ssdeep 49152:vOgtnAdge/fTkxEBqzdrZi830nMWHfBfJZpN5e2v:W0AdlTgHdrgxMW//Jv
Threatray 8'502 similar samples on MalwareBazaar
TLSH T13775129A87288C03F3D455B5D5A8FBB887786EBC6E9FC01574B23CAA763CB855C42113
File icon (PE):PE icon
dhash icon 013369c0c7d9b801 (1 x ArkeiStealer)
Reporter zbetcheckin
Tags:ArkeiStealer exe signed

Code Signing Certificate

Organisation:Polaroid Candy One (PG-2004-01)
Issuer:Polaroid Candy One (PG-2004-01)
Algorithm:sha1WithRSAEncryption
Valid from:2022-01-07T22:06:33Z
Valid to:2032-01-08T22:06:33Z
Serial number: 2abf1bbefd4136934ab69e918f054fbd
Thumbprint Algorithm:SHA256
Thumbprint: 7050514aeb4e2b823748245a32229d4f20e414efa5cf2e691966e1ee1802400f
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
244
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
2d6eca88082c6abce764f8a54b9b9917
Verdict:
Malicious activity
Analysis date:
2022-01-10 04:27:54 UTC
Tags:
loader stealer trojan
Link:
https://app.any.run/tasks/03a193be-3195-4d16-aab2-48d27105a23e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/217944/
Detection(s):
Win.Malware.Generic-9934865-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Searching for analyzing tools
Сreating synchronization primitives
DNS request
Sending an HTTP GET request
Creating a file
Reading critical registry keys
Changing a file
Creating a file in the %AppData% subdirectories
Running batch commands
Creating a process with a hidden window
Launching a process
Stealing user critical data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
exploit greyware overlay packed wacatac
Link:
https://www.filescan.io/uploads/61dbb59802e388f9fdbc9466/reports/6c8b8bf0-cec1-4d46-81b8-9b77d35863f4/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Gathering data
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/917440
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Hides threads from debuggers
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Query firmware table information (likely to detect VMs)
Self deletion via cmd delete
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to evade analysis by execution special instruction which cause usermode exception
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f960b96c81f71d848a119d18aa4074ecaa71e39086a611f2dc637d579b9f6afa/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2022-01-10 02:14:19 UTC
File Type:
PE (Exe)
Extracted files:
10
AV detection:
26 of 43 (60.47%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
12505bb6e3c63202f22db1d60afd4a0a386ddff8807bf0d1f8583ba57f6413ba
ArkeiStealer
25c212b01aed427cbe5c5e0f06e5edd0188f881551347aa20804b3da88da2af2
ArkeiStealer
2ff10148112933987a694ab813725a70ab580d7288acf3f58e4ce70ebaf5cc91
ArkeiStealer
8f9ff0227f4ce6ed3259d5f2f8bfd8c54496e9896ad5f522cdd768911be4b4bc
ArkeiStealer
9cae87b1118c6142f014a4a22be3a4489f40465a7de9e5cfa9aa019817e2dea4
ArkeiStealer
ae74fa3656db93c35b26ed229568607bb9c20684818ad072b95aefb585c63a08
ArkeiStealer
e03315664302a299233cf88fbe8792f36bf5c76c16a936270866e0ade1b72382
ArkeiStealer
f1aae79787fff8edd5f6769ebecf43eb5a94d392cb3723810a66dd9868ec2925
ArkeiStealer
f4664c5755201698e642717b53a4f091908cba27ee4750ca6be358567823822a
ArkeiStealer
fb8a2b78f0d3139d8192dbeb925e8e8d13bf370540f2c7853107a8e4b3beac38
ArkeiStealer
+ 8'492 additional samples on MalwareBazaar
Result
Malware family:
arkei
Create hunting rule
Score:
  10/10
Tags:
family:arkei discovery evasion spyware stealer trojan
Link:
https://tria.ge/reports/220110-e24enadha6/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
Checks BIOS information in registry
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Arkei Stealer Payload
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Arkei
Unpacked files
SH256 hash:
7f5c954d8ba4d342da2d5f69aa29791ee23ac6b1974dc77245acf77385c09d39
MD5 hash:
1fbfaa98f1128fbf5256da2285b3bd3f
SHA1 hash:
7ef06b58b8a51fe3b816bc7c9434d8a1646d38ab
Link:
https://www.unpac.me/results/bd329c8d-dcfa-4b3b-b9c7-5dfa47b743aa/
SH256 hash:
f960b96c81f71d848a119d18aa4074ecaa71e39086a611f2dc637d579b9f6afa
MD5 hash:
2d6eca88082c6abce764f8a54b9b9917
SHA1 hash:
c461c6e6da306986d9f853729c5ed03af1ee325e
Link:
https://www.unpac.me/results/bd329c8d-dcfa-4b3b-b9c7-5dfa47b743aa/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/f960b96c81f7/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.01
Link:
https://yomi.yoroi.company/submissions/f960b96c81f71d848a119d18aa4074ecaa71e39086a611f2dc637d579b9f6afa

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ArkeiStealer

Executable exe f960b96c81f71d848a119d18aa4074ecaa71e39086a611f2dc637d579b9f6afa

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/217944/
  
URLhaus
https://urlhaus.abuse.ch/url/1961526/

Comments


Avatar
zbet commented on 2022-01-10 04:26:51 UTC

url : hxxp://data-host-coin-8.com/files/2150_1641729871_1812.exe