MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fcec85746f0f2a92b1268830d6d0b075eb9080707358b93ba5fbd917b1a0a8ea. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ArkeiStealer

Vendor detections: 12

Intelligence 12 IOCs YARA File information Comments

SHA256 hash:	fcec85746f0f2a92b1268830d6d0b075eb9080707358b93ba5fbd917b1a0a8ea
SHA3-384 hash:	c41f7fce0085345b2fea5cad9638328ef0053a1956ead5bc5bfc030e84a4984af970b45c825a5d131be09fa1733bcebf
SHA1 hash:	1dc62e3529aaafb20c3ca16697deb5cf6792d83f
MD5 hash:	caa1ddfbbe03a5a5daeb718605daacb0
humanhash:	echo-vermont-carpet-seventeen
File name:	MarsStealer8_cracked_by_LLCPPC.exe
Download:	download sample
Signature	ArkeiStealer Create hunting rule
File size:	163'328 bytes
First seen:	2022-04-26 13:36:04 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	4e06c011d59529bff8e1f1c88254b928 (29 x MarsStealer, 21 x ArkeiStealer)
ssdeep	3072:Um/E8k9ZjpIL+zNch12KbAwSaSbJSp8Bb8EG:N/E8k91zz6/t88EG
Threatray	410 similar samples on MalwareBazaar
TLSH	T1F4F31938C740F16AD4A200BAC97B8B75ED986B32138950CB93E5E88157355EDBE32C5F
TrID	38.0% (.EXE) Win64 Executable (generic) (10523/12/4) 23.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 16.3% (.EXE) Win32 Executable (generic) (4505/5/1) 7.3% (.EXE) OS/2 Executable (generic) (2029/13) 7.2% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter	Anonymous
Tags:	ArkeiStealer exe mars stealer cracked 2022

Intelligence

File Origin

# of uploads :

# of downloads :

253

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

arkei

ID:

File name:

MarsStealer8_cracked_by_LLCPPC.exe

Verdict:

Malicious activity

Analysis date:

2022-04-23 10:15:15 UTC

Tags:

arkei

Link:

https://app.any.run/tasks/98105d55-4b0a-44cf-af8f-740f5c1ec36b

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/266821/

Detection(s):

Win.Malware.Vidar-9940468-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Sending a custom TCP request

Searching for synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

corebot packed vidar virus zusy

Link:

https://www.filescan.io/uploads/6267f55c16e18e7608f62011/reports/44745385-ec77-4900-a179-1e071da79d8f/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Oski Stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/1b9b77f3-56e2-428c-a374-36d0ff2e845f

Result

Threat name:

Vidar

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/983257

Signature

Antivirus / Scanner detection for submitted sample

C2 URLs / IPs found in malware configuration

Contains functionality to detect sleep reduction / modifications

Found evasive API chain (may stop execution after checking computer name)

Found evasive API chain (may stop execution after checking locale)

Found evasive API chain (may stop execution after checking mutex)

Found malware configuration

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

PE file has a writeable .text section

PE file has nameless sections

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/fcec85746f0f2a92b1268830d6d0b075eb9080707358b93ba5fbd917b1a0a8ea/

Threat name:

Win32.Trojan.MarsStealer

Status:

Malicious

First seen:

2022-04-06 22:42:00 UTC

File Type:

PE (Exe)

AV detection:

25 of 26 (96.15%)

Threat level:

5/5

Verdict:

malicious

ArkeiStealer

4bcff4386ce8fadce358ef0dbe90f8d5aa7b4c7aec93fca2e605ca2cbc52218b

ArkeiStealer

4f26b9b399e238579178958fc76c17ab1a605a33cb6bd6d47aac073596a2dee6

ArkeiStealer

5760219348f8e2b162a4ed4c764d9d8c7333b2af9e97e1d437ff21a3da0e1061

ArkeiStealer

5aefbefef1a5a2ee938f4d9c7705b6e38b375b858d21dae1efc137f36b29751d

ArkeiStealer

b92f4b4684951ff2e5abdb1280e6bff80a14b83f25e4f3de39985f188d0f3aad

ArkeiStealer

be6c6950834d40db4e6dc2eff56a914cd76062e23c361f87f55a8ca8afffd86f

ArkeiStealer

c40c4ad03430f7dc6718e0229b64bf3a515d1fabb042acc0a0fd69f82fd14867

ArkeiStealer

df4876573295b4e7beb618db31a015ea617f61b811978bb168d432c4052f7731

ArkeiStealer

+ 400 additional samples on MalwareBazaar

Result

Malware family:

arkei

Score:

10/10

Tags:

family:arkei botnet:default stealer

Link:

https://tria.ge/reports/220426-qws8aagfgm/

Behaviour

Suspicious use of WriteProcessMemory

Program crash

Arkei

Unpacked files

SH256 hash:

fcec85746f0f2a92b1268830d6d0b075eb9080707358b93ba5fbd917b1a0a8ea

MD5 hash:

caa1ddfbbe03a5a5daeb718605daacb0

SHA1 hash:

1dc62e3529aaafb20c3ca16697deb5cf6792d83f

Link:

https://www.unpac.me/results/70e99b5f-93d6-4fa0-8b5a-ef9e6b065ee4/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Mars Stealer

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/fcec85746f0f2a92b1268830d6d0b075eb9080707358b93ba5fbd917b1a0a8ea

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/266821/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample