MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f9a3462171396b9d8b1dcdb301a6681938c54223ad4238a001354454eae38c0c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 10


Intelligence 10 IOCs YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f9a3462171396b9d8b1dcdb301a6681938c54223ad4238a001354454eae38c0c
SHA3-384 hash: cffe296e1fe44eac11b2656281671c672f4ed07cc806749018549f647d94955b48e43830801ef290b52750e20d2a9331
SHA1 hash: 2b43862350cb876bdd48d7c6efcfeb6c25e1ff2a
MD5 hash: 5ca50c8dbac2ecbe0b3c744dd554e70c
humanhash: march-emma-venus-pasta
File name:5ca50c8dbac2ecbe0b3c744dd554e70c
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:2'129'684 bytes
First seen:2021-11-28 21:15:08 UTC
Last seen:2021-11-28 23:32:48 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b68d5313410a9597c5737c0eeeeb4a49 (4 x ArkeiStealer)
ssdeep 49152:BaBQnOEg9lyX0IcP8Tspu8Zu/jgVvUhEt0/NUE1xAOQSqiiAeUZi:BaBQOLyX0DP8uu80kVc2toNbzttli
Threatray 7'705 similar samples on MalwareBazaar
TLSH T1CAA52350CAC0502AE84041BFC1E69B7EDCF85D69039C50D3F3CE989D1AAD9E99F2855F
File icon (PE):PE icon
dhash icon e49226c96d9bb4d8 (1 x ArkeiStealer)
Reporter zbetcheckin
Tags:32 ArkeiStealer exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
118
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
5ca50c8dbac2ecbe0b3c744dd554e70c
Verdict:
Malicious activity
Analysis date:
2021-11-28 21:17:21 UTC
Tags:
loader stealer
Link:
https://app.any.run/tasks/9dd76f88-4609-49df-8c32-669874b6a77f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.PWS.Stealer.31631.8066.13365.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for analyzing tools
Searching for the window
DNS request
Sending an HTTP GET request
Creating a file
Sending a custom TCP request
Reading critical registry keys
Changing a file
Creating a file in the %AppData% subdirectories
Creating a window
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Launching a process
Stealing user critical data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
67%
Tags:
overlay packed vidar virus
Link:
https://www.filescan.io/uploads/61a3f196effcae2254f3c6a5/reports/488c38b1-5488-4ef5-af16-4bcd20ef9e9d/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Oski Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/db5baf05-ea71-409b-87a2-092058e39f19
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/897531
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Self deletion via cmd delete
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f9a3462171396b9d8b1dcdb301a6681938c54223ad4238a001354454eae38c0c/
Threat name:
Win32.Spyware.Mufila
Create hunting rule
Status:
Malicious
First seen:
2021-11-20 14:34:00 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
22 of 28 (78.57%)
Threat level:
  2/5
Verdict:
malicious
Similar samples:
0b3cbee1c71bcbeb15d46c14d63e8394331896b919b591fe69fa750a2d18684e
ArkeiStealer
18a0eae481037bf1603b9200e305f128d0fc824c0e21f21110ce00685206bbc5
ArkeiStealer
219503ea9a72bfecd77da975355ec88a16e8fea6d9a03ff7cb76c8f573db7a75
ArkeiStealer
2d45c9f984150cbeafd07b26b269baefdb497d6e5687e8a0633601e9083afed1
ArkeiStealer
3afb94af10e2fae81d10a10c089362e6eac18d1a84a2c24c5fb6003e402931a7
ArkeiStealer
90618d3aa5146d27b46476a4c7bfcc2e5323b74dcbcf2c0af6b4f00c4c2d9297
ArkeiStealer
b65b0ae08a0b84525ce65ea6ffa9f3cd3a0523b506135dacb1711b034bfb6f44
ArkeiStealer
b817002c69c6315e116f14d6fe64151577999eb773842f052fb17d9a7413a53c
ArkeiStealer
e558134f888d403ba60d7db59978502a9071951528cd4873bd4702921012d69e
ArkeiStealer
f1e4cf5b0fc8658f900febca637c9071fe7396f410015c41284768eac593ffa5
ArkeiStealer
+ 7'695 additional samples on MalwareBazaar
Result
Malware family:
arkei
Create hunting rule
Score:
  10/10
Tags:
family:arkei discovery evasion spyware stealer suricata themida trojan
Link:
https://tria.ge/reports/211128-z4f3csafgn/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
Checks BIOS information in registry
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
Downloads MZ/PE file
Arkei Stealer Payload
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Arkei
suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
Unpacked files
SH256 hash:
f56787a3e0501b9aebedb7b84c2c362c20610649f8435bc75bd61d059da5187b
MD5 hash:
3947dc11cc12a415a27ea6f71446c95b
SHA1 hash:
d6c0fc3caab33c609eae80b6552ea1124c2bdcd8
Link:
https://www.unpac.me/results/c6b53f73-2182-4e15-9950-2c7037e1ef66/
SH256 hash:
f9a3462171396b9d8b1dcdb301a6681938c54223ad4238a001354454eae38c0c
MD5 hash:
5ca50c8dbac2ecbe0b3c744dd554e70c
SHA1 hash:
2b43862350cb876bdd48d7c6efcfeb6c25e1ff2a
Link:
https://www.unpac.me/results/c6b53f73-2182-4e15-9950-2c7037e1ef66/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/f9a3462171396b9d8b1dcdb301a6681938c54223ad4238a001354454eae38c0c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_Themida
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Themida
Rule name:INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation
Create hunting rule
Author:ditekSHen
Description:Detects executables containing potential Windows Defender anti-emulation checks
Rule name:Sectigo_Code_Signed
Create hunting rule
Description:Detects code signed by the Sectigo RSA Code Signing CA
Reference:https://bazaar.abuse.ch/export/csv/cscb/
Rule name:Sectigo_Code_Signed
Create hunting rule
Description:Detects code signed by the Sectigo RSA Code Signing CA
Reference:https://bazaar.abuse.ch/export/csv/cscb/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ArkeiStealer

Executable exe f9a3462171396b9d8b1dcdb301a6681938c54223ad4238a001354454eae38c0c

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1829830/

Comments


Avatar
zbet commented on 2021-11-28 21:15:11 UTC

url : hxxp://45.95.235.77/sg.exe