MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1912d659af4fedbc9e143eff5e666ce460a710fd84c83f7a4c4d8170356e578a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SHA256 hash: 1912d659af4fedbc9e143eff5e666ce460a710fd84c83f7a4c4d8170356e578a
SHA3-384 hash: aacbef486df64d89e8acc28b8e7d8fcc08a432272f6869c315a5cc74f2a766f8dcd722b941f4ca8585db0692e2902af8
SHA1 hash: cf8fdfb81265fa4ec264f787dedcc2d52c782a36
MD5 hash: 7b0f78e83f4027c6b6bd15af68b68af2
humanhash: double-xray-cat-lamp
File name: 7b0f78e83f4027c6b6bd15af68b68af2.exe
Signature: ArkeiStealer
File size: 609'349 bytes
First seen: 2020-07-31 11:01:27 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: c9adc83b45e363b21cd6b11b5da0501f
ssdeep: 12288:pANwRo+mv8QD4+0V16GlO4/4+4jSbyJ1qml8JwGlQR/jpyXpk0Jq:pAT8QE+kblj9Bml8JwqejYXpW
TLSH: B6D4F135B6818576C1210E36984BE375B579BB046B7C84CFBBDD0E2C8D3334A2E653A6
Reporter: @abuse_ch
Tags: ArkeiStealer exe


Twitter
@abuse_ch
ArkeiStealer C2:
http://lawrencemaths.com/

KPOTStealer C2:
http://89.249.67.27/bUjyAvgAIgcicUbB/util.php

Intelligence


File Origin
# of uploads :
1
# of downloads :
29
Origin country :
FR
Mail intelligence
No data
Vendor Threat Intelligence
Result
Threat name:
Vidar
Detection:
malicious
Classification:
troj.spyw.evad
Score:
92 / 100
Signature
Binary contains a suspicious time stamp
Detected unpacking (changes PE section rights)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses ping.exe to check the status of other devices and networks
Uses regedit.exe to modify the Windows registry
Yara detected Vidar stealer
Behaviour
Behavior Graph (graph ID 255310; sample name JgOcWHJMdD.exe; start date 31/07/2020; architecture WINDOWS; score 92), rendered as a process tree:

Top-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Yara detected Vidar stealer; Machine Learning detection for dropped file; 4 other signatures
Top-level DNS lookups: g.msn.com; asf-ris-prod-neurope.northeurope.cloudapp.azure.com

JgOcWHJMdD.exe (started)
  dropped: C:\Program Files (x86)\...\wotsuper1.exe (PE32); C:\Program Files (x86)\...\wotsuper.exe (PE32); C:\Windows\wotsuper.reg (Little-endian); 2 other files (1 malicious)
  +-- wotsuper1.exe
  |     network: kduck.emc 89.45.4.239 (ports 49737, 49739, 80; M247GB, Romania); scgadvexmail19mn.xyz 5.61.33.129 (ports 49744, 80; LEASEWEB-DE-FRA-10DE, United Kingdom)
  |     dropped: C:\Users\user\AppData\Local\...\8c43c233..exe (PE32); C:\Users\user\AppData\Local\...\atx111[1].exe (PE32)
  |     signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file access)
  |     +-- 8c43c233..exe
  |     |     signatures: Detected unpacking (changes PE section rights); Machine Learning detection for dropped file
  |     |     +-- 8c43c233..exe
  |     |           dropped: C:\Users\user\AppData\Local\Temp\D47F.tmp (PE32)
  |     +-- cmd.exe
  |           network: 127.0.0.1
  |           +-- PING.EXE
  |           |     network: 192.168.2.1
  |           +-- conhost.exe
  +-- wotsuper.exe
  |     network: lawrencemaths.com 78.142.29.223 (ports 49738, 80; VERDINABZ, Bulgaria)
  |     dropped: C:\Users\user\AppData\...\mozglue[1].dll (PE32); C:\Users\user\AppData\...\msvcp140[1].dll (PE32); C:\Users\user\AppData\...\freebl3[1].dll (PE32); 2 other files (none is malicious)
  +-- iexplore.exe
  |     network: iplogger.org
  |     +-- iexplore.exe
  |           network: iplogger.org 88.99.66.31 (ports 443, 49740, 49741; HETZNER-ASDE, Germany)
  |           +-- ssvagent.exe
  +-- regedit.exe
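The network indicators from the reporter's tweet and from the behaviour graph above, plus the four file hashes at the top of the entry, are what a responder would actually hunt with. The script below is an added example (not code from MalwareBazaar, abuse.ch or the sandbox vendor): it bundles those indicators and matches them against proxy/DNS log lines and against file contents. The indicator values are copied from this entry; the log lines and file bytes it runs on are constructed sample input, and the key=value log format is an assumption chosen for the example. iplogger.org is flagged separately because the vendor result lists it under "Legitimate hosting services abused for malware hosting/C2", so a hit there is a lead rather than a verdict.

```python
"""Added example (not MalwareBazaar's or abuse.ch's code): bundle the network
and hash indicators this entry lists and match them against constructed
DNS/proxy log lines and file contents. Indicator values are copied from the
entry; the log lines and file bytes below are constructed sample input."""
import hashlib
import ipaddress
import re
from urllib.parse import urlsplit

# Hashes of the sample as listed in the entry.
SAMPLE_HASHES = {
    "sha256": "1912d659af4fedbc9e143eff5e666ce460a710fd84c83f7a4c4d8170356e578a",
    "sha3_384": "aacbef486df64d89e8acc28b8e7d8fcc08a432272f6869c315a5cc74f2a766f8dcd722b941f4ca8585db0692e2902af8",
    "sha1": "cf8fdfb81265fa4ec264f787dedcc2d52c782a36",
    "md5": "7b0f78e83f4027c6b6bd15af68b68af2",
}
# C2 URLs from the reporter's tweet.
C2_URLS = [
    "http://lawrencemaths.com/",                      # ArkeiStealer C2
    "http://89.249.67.27/bUjyAvgAIgcicUbB/util.php",  # KPOTStealer C2
]
# Hosts contacted in the sandbox run (domain -> resolved IP), from the behaviour
# graph. g.msn.com and the azure cloudapp host are OS/sandbox noise and are left out.
CONTACTED_HOSTS = {
    "lawrencemaths.com": "78.142.29.223",
    "scgadvexmail19mn.xyz": "5.61.33.129",
    "kduck.emc": "89.45.4.239",
    "iplogger.org": "88.99.66.31",
}
# Shared, legitimately used infrastructure: a hit here is a lead, not a verdict.
SHARED_INFRA = {"iplogger.org"}


def build_indicators():
    """Split the indicators into domain, IP and (host, path) sets for matching."""
    domains = set(CONTACTED_HOSTS)
    ips = set(CONTACTED_HOSTS.values())
    url_paths = {}
    for url in C2_URLS:
        parts = urlsplit(url)
        host = parts.hostname
        try:
            ipaddress.ip_address(host)
            ips.add(host)
        except ValueError:
            domains.add(host)
        if parts.path not in ("", "/"):  # a bare "/" is too generic to match on
            url_paths[(host, parts.path)] = url
    return domains, ips, url_paths


LOG_RE = re.compile(r"(\w+)=(\S+)")


def match_log_line(line, indicators=None):
    """Return (kind, value) hits for one key=value style proxy/DNS log line."""
    domains, ips, url_paths = indicators or build_indicators()
    fields = dict(LOG_RE.findall(line))
    host = fields.get("host", "").lower().rstrip(".")
    dst = fields.get("dst", "")
    path = fields.get("uri", "")
    hits = []
    if host in domains:
        hits.append(("shared-infra-domain" if host in SHARED_INFRA else "domain", host))
    if dst in ips:
        hits.append(("ip", dst))
    for (h, p), url in url_paths.items():
        if h in (host, dst) and path == p:
            hits.append(("url", url))
    return hits


def scan_log(text):
    """Scan a multi-line log; return [(line_number, hits)] for lines with hits."""
    indicators = build_indicators()
    results = []
    for number, line in enumerate(text.splitlines(), 1):
        hits = match_log_line(line, indicators)
        if hits:
            results.append((number, hits))
    return results


def hashes_of(data):
    """Compute the same four digests the entry lists, e.g. for a downloaded file."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in SAMPLE_HASHES}


def is_listed_sample(data):
    """True only if every listed digest matches (catches a truncated download)."""
    return hashes_of(data) == SAMPLE_HASHES


# Constructed log lines for demonstration; not traffic taken from the entry.
SAMPLE_LOG = """\
2020-07-31T11:02:11Z src=10.0.0.5 dst=78.142.29.223 host=lawrencemaths.com uri=/
2020-07-31T11:02:14Z src=10.0.0.5 dst=89.249.67.27 host=89.249.67.27 uri=/bUjyAvgAIgcicUbB/util.php
2020-07-31T11:02:20Z src=10.0.0.5 dst=88.99.66.31 host=iplogger.org uri=/
2020-07-31T11:02:25Z src=10.0.0.7 dst=93.184.216.34 host=example.com uri=/
"""

if __name__ == "__main__":
    for number, hits in scan_log(SAMPLE_LOG):
        print(f"line {number}: {hits}")
    print("constructed bytes are the listed sample:", is_listed_sample(b"not the sample"))
```

Against the constructed log, lines 1 to 3 produce hits and line 4 does not; the KPOT C2 line matches both on the destination IP and on the full host-plus-path URL, which is the match worth alerting on since the bare IP may be shared hosting. To use it on real data, feed your own log text to scan_log and the downloaded sample bytes to is_listed_sample.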
Threat name:
Win32.Infostealer.Vidar
Status:
Malicious
First seen:
2020-07-31 10:25:51 UTC
AV detection:
27 of 31 (87.10%)
Threat level
  5/5
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery spyware evasion trojan
Behaviour
Modifies system certificate store
Checks processor information in registry
Modifies data under HKEY_USERS
Modifies Internet Explorer settings
Runs ping.exe
Suspicious use of SetWindowsHookEx
Suspicious use of FindShellTrayWindow
Runs .reg file with regedit
Suspicious use of WriteProcessMemory
Checks whether UAC is enabled
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: MapViewOfSection
Modifies Control Panel
Modifies registry class
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of SetThreadContext
JavaScript code in executable
Looks up external IP address via web service
Legitimate hosting services abused for malware hosting/C2
Checks installed software on the system
Reads user/profile data of web browsers
Reads user/profile data of local email clients
Loads dropped DLL
Executes dropped EXE
Threat name:
Tinba
Score:
1.00
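Several of the behaviours in the vendor list above (running a .reg file with regedit, running ping.exe, killing a process with taskkill, executing a dropped EXE) map directly onto process-creation telemetry. The script below is an added example, not code from MalwareBazaar or either sandbox vendor: it expresses those four behaviours as small rules and runs them over constructed process-creation events. The event field names, the paths and the command lines are assumptions made for the example; the entry reports the behaviour names and the file names (wotsuper.reg under C:\Windows, the JgOcWHJMdD.exe sample name), not the exact command lines, so the rules key on parent/child relationships and locations rather than on specific arguments.

```python
"""Added example (not from MalwareBazaar or either sandbox vendor): express a
few of the reported behaviours as process-creation detections and run them
over constructed events. Event fields and command lines are assumptions made
here; the entry reports behaviour names, not exact command lines."""
import ntpath

# Parents from which regedit/ping/taskkill are expected during normal use.
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe", "mmc.exe", "msiexec.exe"}
# Path fragments marking user-writable locations that dropped payloads tend to run from.
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\programdata\\", "\\temp\\")


def _name(path):
    return ntpath.basename(path).lower()


def _user_writable(path):
    return any(fragment in path.lower() for fragment in USER_WRITABLE)


def rule_regedit_reg_import(e):
    # "Runs .reg file with regedit": regedit.exe handed a .reg file by a parent
    # that is not an interactive shell or installer.
    return (_name(e["image"]) == "regedit.exe"
            and ".reg" in e["cmdline"].lower()
            and _name(e["parent_image"]) not in INTERACTIVE_PARENTS)


def rule_ping_loopback_from_cmd(e):
    # "Runs ping.exe" together with cmd.exe contacting 127.0.0.1 in the graph:
    # pinging loopback from a script has no diagnostic value and is a common delay idiom.
    return (_name(e["image"]) == "ping.exe"
            and _name(e["parent_image"]) == "cmd.exe"
            and "127.0.0.1" in e["cmdline"])


def rule_taskkill_from_user_writable(e):
    # "Kills process with taskkill": taskkill launched by a binary in a user-writable path.
    return _name(e["image"]) == "taskkill.exe" and _user_writable(e["parent_image"])


def rule_dropped_exe_executed(e):
    # "Executes dropped EXE": an executable in a user-writable path started by
    # something other than a shell or installer.
    return _user_writable(e["image"]) and _name(e["parent_image"]) not in INTERACTIVE_PARENTS


RULES = [rule_regedit_reg_import, rule_ping_loopback_from_cmd,
         rule_taskkill_from_user_writable, rule_dropped_exe_executed]


def evaluate(event):
    """Names of the rules that fire for one process-creation event."""
    return [rule.__name__ for rule in RULES if rule(event)]


def scan(events):
    """Return [(event_index, [rule names])] for events that trigger any rule."""
    out = []
    for index, event in enumerate(events):
        hits = evaluate(event)
        if hits:
            out.append((index, hits))
    return out


# Constructed events; file names follow the entry, paths and arguments are assumed.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\regedit.exe",
     "cmdline": r"regedit.exe /s C:\Windows\wotsuper.reg",
     "parent_image": r"C:\Users\user\Desktop\JgOcWHJMdD.exe"},
    {"image": r"C:\Windows\System32\PING.EXE",
     "cmdline": "ping 127.0.0.1 -n 5",
     "parent_image": r"C:\Windows\System32\cmd.exe"},
    {"image": r"C:\Windows\System32\taskkill.exe",
     "cmdline": "taskkill /f /pid 4242",
     "parent_image": r"C:\Users\user\AppData\Local\Temp\dropped.exe"},
    {"image": r"C:\Users\user\AppData\Local\Temp\dropped.exe",
     "cmdline": "dropped.exe",
     "parent_image": r"C:\Users\user\Desktop\JgOcWHJMdD.exe"},
    # Benign control: a user double-clicking a .reg file in Explorer.
    {"image": r"C:\Windows\regedit.exe",
     "cmdline": r'regedit.exe "C:\Users\user\Downloads\tweak.reg"',
     "parent_image": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for index, hits in scan(SAMPLE_EVENTS):
        print(f"event {index}: {hits}")
```

The first four constructed events each trigger exactly one rule and the Explorer-launched regedit triggers none; that last case is the one to keep in mind when tuning, since "Runs .reg file with regedit" on its own is a routine user action and only becomes interesting in combination with the parent and the drop location.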

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Distributed via web download
Signature: ArkeiStealer
File type: Executable exe
SHA256: 1912d659af4fedbc9e143eff5e666ce460a710fd84c83f7a4c4d8170356e578a (this sample)