MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fc5759a7c228d99dbd12e085feb5d17d845320df9fcbf44cc55f1af25bd3d423. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 12


Intelligence 12 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fc5759a7c228d99dbd12e085feb5d17d845320df9fcbf44cc55f1af25bd3d423
SHA3-384 hash: 38162ce0fe9f77d07641f506a188f17d129226e6766e83d2c9aa7b0fe343ba2011c62f6e299b6a3761b6f59b25f980de
SHA1 hash: 4243f87f63caf5a392ccb76e8a44cb47f7749a5b
MD5 hash: 9782d6e11d19845c54a868e16e05a6d5
humanhash: xray-crazy-shade-august
File name:9782d6e11d19845c54a868e16e05a6d5.exe
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:97'280 bytes
First seen:2021-11-21 10:27:23 UTC
Last seen:2021-11-21 13:11:18 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 4c665f81387442ad965e3f4eba69f083 (8 x MarsStealer, 4 x ArkeiStealer)
ssdeep 1536:shgXKd5hBU0JQYUoWfcQ5XQsuXeeSeEC7CKLTcyVDr1lVUC3jy0f:b6dHO03fWfF5gL557BTV1Pxj/f
Threatray 3'520 similar samples on MalwareBazaar
TLSH T15993F1C0B9E9BFE1D1A0653E54613B3AC08DDA6E8689C3926C4665CF1C29B9058F0BD3
Reporter abuse_ch
Tags:ArkeiStealer exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
127
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
9782d6e11d19845c54a868e16e05a6d5.exe
Verdict:
Malicious activity
Analysis date:
2021-11-21 10:31:17 UTC
Tags:
loader stealer trojan
Link:
https://app.any.run/tasks/ba8739cc-476f-4766-b6a9-eaa253f392fb

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Gathering data
Detection(s):
SecuriteInfo.com.Heur.Trickbot.3.2542.7549.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending an HTTP GET request
Creating a file
Reading critical registry keys
Changing a file
Creating a file in the %AppData% subdirectories
Creating a window
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Launching a process
Stealing user critical data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/619a1f36398e2553d2ffaddb/reports/e7f1bc23-662a-48ca-938a-1d00209e21ed/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Anubi NotBTCWare
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8efd7301-8ad9-4927-b1ab-46d3c484debd
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/893263
Signature
Antivirus / Scanner detection for submitted sample
Contains functionality to detect sleep reduction / modifications
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Self deletion via cmd delete
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fc5759a7c228d99dbd12e085feb5d17d845320df9fcbf44cc55f1af25bd3d423/
Threat name:
Win32.Infostealer.Vidar
Create hunting rule
Status:
Malicious
First seen:
2021-11-21 10:28:09 UTC
AV detection:
26 of 44 (59.09%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7rlvtj6cfdmz3pis4cc75norpwcfgig7t7f7itgfl4npew6t2qrq._file
Verdict:
malicious
Similar samples:
0778e27564421c72d9f098a2650d332146ce58a80b0e8c0a2351788dfaf561b8
ArkeiStealer
2e14b592904e292539d9fc9d57a06df31676d5645ebaa49ebe129044d2d3baa3
ArkeiStealer
8104ca049d63de80339bf38af00601a25405fcc84a7a1df39001d21f1c71f8eb
ArkeiStealer
a870249216a9fd48fa38faf197c7cad48a16b1c1f0d17f98b9b5de4c1a1b7cfb
ArkeiStealer
a9dea10c6d4d205faab1ac8db69384e9c3dc91fd5a718266957e4e164f76cd4a
ArkeiStealer
b944023d535bc8e5980173e203cee0d2fc2df9e865b4a06fc0694436ce5b6541
ArkeiStealer
bb1944681aa2fcfd5f372fd44e041a63569b46130540225afc1560a1650d4e37
ArkeiStealer
d7cdfb895940efd584c78b7e56f9ed720491234df489ee9eb9aa98c24714d530
ArkeiStealer
e255e88af9c588f6131ac8f1380db8e68b421c41d1974e57923c491ea97e9a08
ArkeiStealer
e9abbf811d367cf26f493d72ccd96749e534804ac27d36956dce0484b1440f25
ArkeiStealer
+ 3'510 additional samples on MalwareBazaar
Result
Malware family:
arkei
Create hunting rule
Score:
  10/10
Tags:
family:arkei discovery spyware stealer suricata
Link:
https://tria.ge/reports/211121-mhpq6adgcp/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
Unpacked files
SH256 hash:
f878495c9781b4a232cc4f8f01ddc60cc912197b3186133a018b1a4708420bc0
MD5 hash:
47c01c83c3471b30362cb1b7bf619ee1
SHA1 hash:
84b007df1e594898dbf9895f98440345993c0c24
Link:
https://www.unpac.me/results/d2a5bfab-fe6b-4305-9867-9b843b5a27ce/
SH256 hash:
fc5759a7c228d99dbd12e085feb5d17d845320df9fcbf44cc55f1af25bd3d423
MD5 hash:
9782d6e11d19845c54a868e16e05a6d5
SHA1 hash:
4243f87f63caf5a392ccb76e8a44cb47f7749a5b
Link:
https://www.unpac.me/results/d2a5bfab-fe6b-4305-9867-9b843b5a27ce/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/fc5759a7c228/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fc5759a7c228d99dbd12e085feb5d17d845320df9fcbf44cc55f1af25bd3d423

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation
Create hunting rule
Author:ditekSHen
Description:Detects executables containing potential Windows Defender anti-emulation checks

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ArkeiStealer

Executable exe fc5759a7c228d99dbd12e085feb5d17d845320df9fcbf44cc55f1af25bd3d423

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1799813/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/207875/

Comments