MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ffd10221005211f090f34086ba86a046bf7e44410e6f0163dd5bb82ecdadecb1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ArkeiStealer

Vendor detections: 11

Intelligence 11 IOCs YARA File information Comments

SHA256 hash:	ffd10221005211f090f34086ba86a046bf7e44410e6f0163dd5bb82ecdadecb1
SHA3-384 hash:	af4fa11fceea6f6c522cb6bcece8f5ddcb3c7f095b6f6800f23bd239b1044a8064d2039984b1a16b46dfcb89fbd4b798
SHA1 hash:	ffe9c51879cfec70c7338a6d476c912cc39b2e72
MD5 hash:	2b81d58a3cd42c7163254616fcc4a394
humanhash:	sad-magazine-sink-crazy
File name:	2b81d58a3cd42c7163254616fcc4a394.exe
Download:	download sample
Signature	ArkeiStealer Create hunting rule
File size:	313'856 bytes
First seen:	2021-11-23 20:03:43 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	6762d92a3e24838e5da051dd2a6d017d (12 x RedLineStealer, 4 x ArkeiStealer, 1 x RaccoonStealer)
ssdeep	6144:7Qebh6pUpHsVeRg/maKbCSuHfQVhhBzPO:7rV66pskg/maKb7uAhhNW
Threatray	646 similar samples on MalwareBazaar
TLSH	T1D664AF0477A0C839F1B713F899B993A9793E7DA16B28A0CB62D527EE46356D0DC30347
File icon (PE):
dhash icon	e0e8e8e8aa66a499 (32 x RaccoonStealer, 23 x RedLineStealer, 14 x ArkeiStealer)
Reporter	abuse_ch
Tags:	ArkeiStealer exe

Intelligence

File Origin

# of uploads :

# of downloads :

212

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

2b81d58a3cd42c7163254616fcc4a394.exe

Verdict:

Malicious activity

Analysis date:

2021-11-23 20:48:44 UTC

Tags:

loader trojan stealer

Link:

https://app.any.run/tasks/95dba859-44d5-4a4f-959f-10ddb411f8ed

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Gathering data

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

DNS request

Sending an HTTP GET request

Creating a file

Reading critical registry keys

Stealing user critical data

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

azorult greyware packed

Link:

https://www.filescan.io/uploads/619d4937f36138de3f37e38f/reports/07992e91-4410-4f79-a7b6-ab6ee6427c25/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/7eb97bc4-6850-4195-815b-4177d11cc60e

Result

Threat name:

Vidar

Detection:

malicious

Classification:

troj.spyw.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/895051

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Contains functionality to detect sleep reduction / modifications

Found malware configuration

Machine Learning detection for sample

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Tries to harvest and steal browser information (history, passwords, etc)

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ffd10221005211f090f34086ba86a046bf7e44410e6f0163dd5bb82ecdadecb1/

Threat name:

Win32.Trojan.Azorult

Status:

Malicious

First seen:

2021-11-23 18:02:00 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

23 of 28 (82.14%)

Threat level:

5/5

Verdict:

malicious

ArkeiStealer

3566d28df861bb64f0043fbe5c1a96a07d64908579228d612a730d990c4fe0f9

ArkeiStealer

39a1abb4c73aa504755ac605a4b2de275c550dafb5fe8d8637f0257ce3030075

ArkeiStealer

55a2ca622ba64868fdc97aa1cc4ff5c84f56949341721e2c393e235dc6fda9bb

ArkeiStealer

55bea97718d10ad6dde683d1316015e4ed475558d725ee34858b15ce8b434afb

ArkeiStealer

8fb96e8afa9860305c821d8f4c516f90263c6353286cfa0707e1dbca1cc61930

ArkeiStealer

b0e9f6ede4c6442ffed1ae5c650474ae10582945c9ec689d5ac4650f81ee0fdf

ArkeiStealer

bb1944681aa2fcfd5f372fd44e041a63569b46130540225afc1560a1650d4e37

ArkeiStealer

cef4988a84b4bbc30960dfb652e3a41fc2f63fc599ae0ce916358c9550ab432b

ArkeiStealer

d7cdfb895940efd584c78b7e56f9ed720491234df489ee9eb9aa98c24714d530

ArkeiStealer

+ 636 additional samples on MalwareBazaar

Result

Malware family:

arkei

Score:

10/10

Tags:

family:arkei botnet:default discovery spyware stealer

Link:

https://tria.ge/reports/211123-ytabdsecg7/

Behaviour

Checks processor information in registry

Delays execution with timeout.exe

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Deletes itself

Loads dropped DLL

Reads user/profile data of web browsers

Downloads MZ/PE file

Arkei Stealer Payload

Arkei

Malware Config

C2 Extraction:

http://advanceddiplomaaviation.com/processings.php

Unpacked files

SH256 hash:

db073014cc201844eab3b6e326b7c2d0012a1fe298deb3d6b446e8f9a09f25bd

MD5 hash:

0116c6eae725fbd1d03538350db4092a

SHA1 hash:

7e3e6c37f886bd2150e40e4f2d64dfe5cb55095e

Link:

https://www.unpac.me/results/e1bfdfd7-e094-4c33-98d3-8f6389ff982d/

SH256 hash:

ffd10221005211f090f34086ba86a046bf7e44410e6f0163dd5bb82ecdadecb1

MD5 hash:

2b81d58a3cd42c7163254616fcc4a394

SHA1 hash:

ffe9c51879cfec70c7338a6d476c912cc39b2e72

Link:

https://www.unpac.me/results/e1bfdfd7-e094-4c33-98d3-8f6389ff982d/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/ffd102210052/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/ffd10221005211f090f34086ba86a046bf7e44410e6f0163dd5bb82ecdadecb1

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ArkeiStealer

exe ffd10221005211f090f34086ba86a046bf7e44410e6f0163dd5bb82ecdadecb1

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/1808350/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/208806/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample