MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ffdaca4131c43ef1d43ee56d464caef8331e0fd6ab41b0381645d9546c9ae28c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ArkeiStealer

Vendor detections: 11

Intelligence 11 IOCs YARA File information Comments

SHA256 hash:	ffdaca4131c43ef1d43ee56d464caef8331e0fd6ab41b0381645d9546c9ae28c
SHA3-384 hash:	4be821f0c92520334f0b99c6ef91fbe30358c928fb74e318e1cfebc879870749eb6bfe7cc6d4777e13815581db769d9d
SHA1 hash:	0bc1b7353d5cb180aa9bf2bd279ad5acc6d2e605
MD5 hash:	f6bc4b576a55c93921580bd5354d8f3e
humanhash:	mountain-emma-music-fish
File name:	f6bc4b576a55c93921580bd5354d8f3e.exe
Download:	download sample
Signature	ArkeiStealer Create hunting rule
File size:	288'256 bytes
First seen:	2022-02-21 18:49:45 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	56046f485ab533b128b31921ba255f72 (4 x RaccoonStealer, 1 x ArkeiStealer)
ssdeep	3072:Zt4RiPSAV7J03dSYs305fv+UZlqGuAch90/muYtVQ1sxkgaBCh2ni0TZyqsQzRv4:j4Sf4M3dPh90e4Kiga3nvZndz
Threatray	414 similar samples on MalwareBazaar
TLSH	T1A054D0017692D032CD920E714879BBE5563FF8A24B20929BFA496B5F2F713A04F63357
File icon (PE):
dhash icon	a1bcdcac9cccb48c (9 x RaccoonStealer, 6 x ArkeiStealer, 3 x Loki)
Reporter	abuse_ch
Tags:	ArkeiStealer exe

Intelligence

File Origin

# of uploads :

# of downloads :

217

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/243028/

Detection(s):

Win.Packed.Filerepmalware-9938574-0

Result

Verdict:

Clean

Maliciousness:

Behaviour

DNS request

Result

Malware family:

n/a

Score:

9/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/6886/overview

Behaviour

MalwareBazaar

SystemUptime

CPUID_Instruction

MeasuringTime

CheckCmdLine

EvasionQueryPerformanceCounter

EvasionGetTickCount

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

anti-vm greyware

Link:

https://www.filescan.io/uploads/6213def3a2660f3bb91d82f3/reports/d5c2c29b-7518-4bf1-84d7-586c1ecd292b/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/87877c02-98c6-4dee-892c-bb6952d9df17

Result

Threat name:

Vidar

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/943435

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Contains functionality to detect sleep reduction / modifications

Found evasive API chain (may stop execution after checking computer name)

Found evasive API chain (may stop execution after checking locale)

Found evasive API chain (may stop execution after checking mutex)

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Found malware configuration

Machine Learning detection for sample

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ffdaca4131c43ef1d43ee56d464caef8331e0fd6ab41b0381645d9546c9ae28c/

Threat name:

Win32.Trojan.Azorult

Status:

Malicious

First seen:

2022-02-21 06:54:00 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

22 of 28 (78.57%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=77nmuqjryq7pdvb64vwumtfo7azr4d6wvna3aoawixmvi3e24kga._file

Verdict:

malicious

ArkeiStealer

4fb9f08b1053d49ff58f30aa0016beefcd85041435ba9bb4b0402d99feb6df5e

ArkeiStealer

5c5d9711ea8ddb520646c0ac33e540c3860b795914749ee377040d8626ecc93b

ArkeiStealer

61b00eaf8df198caa3cbc58ca74b748538c88f55cbe7c7a702a7d4fb29879e9b

ArkeiStealer

8ab7cd42f6b90e250f69f4c96efb32d36135bb1479acfec28344a4910a3a329b

ArkeiStealer

9566b358245b9df4740c0c8b23518199f8fce7684ec3d6011f6ea2218c95763b

ArkeiStealer

b4058f1b77d3a8ab16e9ff091afb08cb41e7f789e0d2f6573deee3fc5d34ed40

ArkeiStealer

c9513adf4fa12a4f707667571b5ca11aef6ba70d5896eea4854b185d417925fa

ArkeiStealer

e507a57e055eb555aeb3a36da0e47544dcee994bd4d625e16668d55b350bc108

ArkeiStealer

+ 404 additional samples on MalwareBazaar

Result

Malware family:

arkei

Score:

10/10

Tags:

family:arkei botnet:default stealer

Link:

https://tria.ge/reports/220221-xg1gdaage3/

Behaviour

Suspicious use of AdjustPrivilegeToken

Drops file in Windows directory

Arkei

Malware Config

C2 Extraction:

http://woor.link/548152.php

Unpacked files

SH256 hash:

95877edc01e9b4f4d239062ef0de52bb17b1c8ce375a6743503210fb4256020c

MD5 hash:

84fab8313958f2f6207444bb07862ad0

SHA1 hash:

0094623fc5f042eff4239dc9f5694d0ef6a742e7

Link:

https://www.unpac.me/results/c913653c-65f3-4edb-8b2a-5df1f2fd3094/

SH256 hash:

ffdaca4131c43ef1d43ee56d464caef8331e0fd6ab41b0381645d9546c9ae28c

MD5 hash:

f6bc4b576a55c93921580bd5354d8f3e

SHA1 hash:

0bc1b7353d5cb180aa9bf2bd279ad5acc6d2e605

Link:

https://www.unpac.me/results/c913653c-65f3-4edb-8b2a-5df1f2fd3094/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/ffdaca4131c4/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/ffdaca4131c43ef1d43ee56d464caef8331e0fd6ab41b0381645d9546c9ae28c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ArkeiStealer

exe ffdaca4131c43ef1d43ee56d464caef8331e0fd6ab41b0381645d9546c9ae28c

(this sample)

Cape

https://www.capesandbox.com/analysis/243028/

URLhaus

https://urlhaus.abuse.ch/url/2048557/

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample