MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fc9798033acae0b57c451c67d6466da13cddd4206639d4231c80a6e274099619. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 12


Intelligence 12 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fc9798033acae0b57c451c67d6466da13cddd4206639d4231c80a6e274099619
SHA3-384 hash: 6761469093af0a5c296c79a47b441442a1554e6a20c8b45d27eb0a3ae2e4410730ec8da53e596162e12a572b12302c6c
SHA1 hash: d198d9d1a9eed6b9bf007911f3b3f447630b59ca
MD5 hash: ac4bad16e06be9521123e24602a59768
humanhash: golf-california-rugby-colorado
File name:ac4bad16e06be9521123e24602a59768.exe
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:367'104 bytes
First seen:2022-12-25 23:50:22 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 01fe77ead213bccf750c05851a809fd9 (2 x ArkeiStealer, 1 x RecordBreaker, 1 x Tofsee)
ssdeep 6144:8MRLLo13UWVXPeCbKuRW1SvFkRZ6Lu7k6W85s392ZeRu4:8Gv0UQPeCGu8svFWeZwY8
Threatray 1'556 similar samples on MalwareBazaar
TLSH T17874E010FAC4D06FC35309326D2ECAF56A2DBC9399244B8F3744FF0F6A7119156AA61B
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 9a9acececee6eee6 (23 x Smoke Loader, 10 x RedLineStealer, 3 x Amadey)
Reporter abuse_ch
Tags:ArkeiStealer exe


Avatar
abuse_ch
ArkeiStealer C2:
http://88.198.137.61/

Intelligence

File Origin
# of uploads :
1
# of downloads :
231
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
vidar
Create hunting rule
ID:
1
File name:
ac4bad16e06be9521123e24602a59768.exe
Verdict:
Malicious activity
Analysis date:
2022-12-25 23:54:29 UTC
Tags:
trojan stealer vidar
Link:
https://app.any.run/tasks/4b670dd2-dd36-4be2-bd22-02a0bbc5272c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Packed.Pwsx-9980703-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Reading critical registry keys
Using the Windows Management Instrumentation requests
Creating a process from a recently created file
Running batch commands
Creating a process with a hidden window
Launching a process
Launching the default Windows debugger (dwwin.exe)
Searching for analyzing tools
Searching for the window
Creating a file in the %AppData% subdirectories
Stealing user critical data
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
anti-vm greyware packed
Link:
https://www.filescan.io/uploads/63a8e1e740e878e304200da3/reports/d0b3ceb8-4912-493a-bbf1-875a41a4bb37/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3915f2a1-aa42-4453-a806-3c88a7897c49
Result
Threat name:
Laplas Clipper, Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1140964
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Self deletion via cmd or bat file
Snort IDS alert for network traffic
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Laplas Clipper
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 773694 Sample: oDlMNBO6rA.exe Startdate: 26/12/2022 Architecture: WINDOWS Score: 100 53 Snort IDS alert for network traffic 2->53 55 Malicious sample detected (through community Yara rule) 2->55 57 Antivirus detection for URL or domain 2->57 59 6 other signatures 2->59 8 oDlMNBO6rA.exe 19 2->8         started        13 kRTHxJQKyr.exe 1 2->13         started        process3 dnsIp4 37 t.me 149.154.167.99, 443, 49695 TELEGRAMRU United Kingdom 8->37 39 88.198.137.61, 49696, 80 HETZNER-ASDE Germany 8->39 41 cdn.discordapp.com 162.159.135.233, 443, 49697 CLOUDFLARENETUS United States 8->41 31 C:\Users\user\AppData\Local\...\ONLINE[1].exe, PE32 8->31 dropped 33 C:\ProgramData\32330246800325928437.exe, PE32 8->33 dropped 61 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 8->61 63 Self deletion via cmd or bat file 8->63 65 Tries to harvest and steal browser information (history, passwords, etc) 8->65 67 Tries to steal Crypto Currency Wallets 8->67 15 32330246800325928437.exe 2 8->15         started        19 cmd.exe 1 8->19         started        43 104.193.254.40, 49699, 80 HOSTING-SOLUTIONSUS United States 13->43 69 Antivirus detection for dropped file 13->69 71 Query firmware table information (likely to detect VMs) 13->71 73 Tries to detect sandboxes and other dynamic analysis tools (window names) 13->73 75 2 other signatures 13->75 file5 signatures6 process7 file8 35 C:\Users\user\AppData\...\kRTHxJQKyr.exe, PE32 15->35 dropped 45 Query firmware table information (likely to detect VMs) 15->45 47 Hides threads from debuggers 15->47 49 Tries to detect sandboxes / dynamic malware analysis system (registry check) 15->49 21 cmd.exe 1 15->21         started        51 Uses schtasks.exe or at.exe to add and modify task schedules 19->51 23 conhost.exe 19->23         started        25 timeout.exe 1 19->25         started        signatures9 process10 process11 27 conhost.exe 21->27         started        29 schtasks.exe 1 21->29         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fc9798033acae0b57c451c67d6466da13cddd4206639d4231c80a6e274099619/
Threat name:
Win32.Trojan.RaStealer
Create hunting rule
Status:
Malicious
First seen:
2022-12-22 07:32:00 UTC
File Type:
PE (Exe)
Extracted files:
61
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=7slzqaz2zlqlk7cfdrt5mrtnue6n3vbamy45iiy4qctoe5ajsymq._file
Verdict:
malicious
Similar samples:
031e53d6d4fa8c8a2ef63cbcd1f698f2428e5c803bd44ac0f75784dfb21045d8
ArkeiStealer
12011e7abf1ae84f14c158817f7c8b888ccf45a3103eed8367463c97d9fc8d46
ArkeiStealer
346ae48c6de340510a3db1fcf1a60d8c1b1b6892ef5242ed2e25c70097ed1e68
ArkeiStealer
611ad3e4ed3e0961e1904108c0481468017d9035d3c3f9d7757b01da901067ea
ArkeiStealer
8132103c6a32666bdab39d48053640e4d4cfa5d368d5506b733e5f80565536c0
ArkeiStealer
a05b12806135be357756f9bfed4e77836f44919a56351a2aa127ae8eecf54c1c
ArkeiStealer
b817002c69c6315e116f14d6fe64151577999eb773842f052fb17d9a7413a53c
ArkeiStealer
dc1d7f4ca1fc8217390f2f58971a2e695fb293b49d0ceda0bc962c72a12139bd
ArkeiStealer
e9abbf811d367cf26f493d72ccd96749e534804ac27d36956dce0484b1440f25
ArkeiStealer
+ 1'546 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery spyware stealer
Link:
https://tria.ge/reports/221225-3v5k5scc66/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Program crash
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
361a5953a328ee18da482882d70a0fb405bd9c7cdc74c21947a8fc36aa18f7d1
MD5 hash:
825c8db1acee072738256cee368a71d9
SHA1 hash:
fb49e477486fc9ff8432b2f4f790fa8191a38080
Link:
https://www.unpac.me/results/ae8877ba-77bf-46c8-bcd3-443d1a893831/
SH256 hash:
fc9798033acae0b57c451c67d6466da13cddd4206639d4231c80a6e274099619
MD5 hash:
ac4bad16e06be9521123e24602a59768
SHA1 hash:
d198d9d1a9eed6b9bf007911f3b3f447630b59ca
Link:
https://www.unpac.me/results/ae8877ba-77bf-46c8-bcd3-443d1a893831/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fc9798033acae0b57c451c67d6466da13cddd4206639d4231c80a6e274099619

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments