MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 97a0cdc140d31645bd20d5048e40c299c6c6a0497ca1de080b9a7e4e1eb5a139. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 97a0cdc140d31645bd20d5048e40c299c6c6a0497ca1de080b9a7e4e1eb5a139
SHA3-384 hash: d6cf590a04ac47d8b352f5fd333305d4dbb4652a55146a8bf69a3ed1a32f77a0c1ce63117091ecbda7670d14ffda91c6
SHA1 hash: 812734b417ca7df375c7fea0eae5ee76b62cea1b
MD5 hash: 5c3222c463dc3c4f83c37d340df92f98
humanhash: xray-tango-twelve-montana
File name:97a0cdc140d31645bd20d5048e40c299c6c6a0497ca1de080b9a7e4e1eb5a139
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:29'059'808 bytes
First seen:2022-06-10 07:28:06 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e81c04337118138a69c6d64241de5089 (1 x Amadey, 1 x ArkeiStealer)
ssdeep 786432:UfccPonEGicqyyx3O/3aqF5yoR8be+uwEfKN:UfrwnXicI3O/nke+uwEfKN
Threatray 2'595 similar samples on MalwareBazaar
TLSH T1935733735280BD93D1B643B62C268844DC29F5B24F06266BF19F5BE4C15268CDFF4B2A
TrID 75.0% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
15.8% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
4.0% (.EXE) Win64 Executable (generic) (10523/12/4)
1.7% (.EXE) Win32 Executable (generic) (4505/5/1)
1.1% (.MZP) WinArchiver Mountable compressed Archive (3000/1)
File icon (PE):PE icon
dhash icon 691a585859d898d4 (1 x ArkeiStealer)
Reporter crep1x
Tags:ArkeiStealer exe vidar

Intelligence

File Origin
# of uploads :
1
# of downloads :
432
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
97a0cdc140d31645bd20d5048e40c299c6c6a0497ca1de080b9a7e4e1eb5a139
Verdict:
Malicious activity
Analysis date:
2022-06-10 08:01:12 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/9486cbb6-55ab-4394-bf55-2ed55f69aa9c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Enabling the 'hidden' option for recently created files
Сreating synchronization primitives
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% subdirectories
Running batch commands
Launching a process
Sending a custom TCP request
DNS request
Sending an HTTP GET request
Reading critical registry keys
Changing a file
Creating a window
Unauthorized injection to a recently created process
Setting a single autorun event
Blocking the Windows Defender launch
Stealing user critical data
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware greyware overlay packed patcher predator shell32.dll wacatac
Link:
https://www.filescan.io/uploads/62a2f2fdaf217491b52b627a/reports/e568e4c5-0dc3-45a7-a812-e71b13c28177/overview
Result
Verdict:
MALICIOUS
Result
Threat name:
Babadeda, MicroClip, Vidar
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1010635
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Disables Windows Defender (deletes autostart)
Drops PE files to the user root directory
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Babadeda
Yara detected MicroClip
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 643131 Sample: 3ckaRGWhJq Startdate: 10/06/2022 Architecture: WINDOWS Score: 100 77 Multi AV Scanner detection for domain / URL 2->77 79 Malicious sample detected (through community Yara rule) 2->79 81 Antivirus detection for URL or domain 2->81 83 7 other signatures 2->83 8 3ckaRGWhJq.exe 6 2->8         started        12 svchost32.exe 2->12         started        process3 file4 39 C:\Users\user\themida_x64.exe, PE32 8->39 dropped 41 C:\Users\user\system32.exe, PE32 8->41 dropped 43 C:\Users\user\svchost32.exe, PE32 8->43 dropped 45 2 other malicious files 8->45 dropped 85 Drops PE files to the user root directory 8->85 14 system32.exe 8->14         started        19 service32.exe 8 8->19         started        21 svchost32.exe 8->21         started        23 2 other processes 8->23 signatures5 process6 dnsIp7 55 t.me 149.154.167.99, 443, 49755 TELEGRAMRU United Kingdom 14->55 57 116.202.185.47, 49757, 80 HETZNER-ASDE Germany 14->57 47 C:\ProgramData\vcruntime140.dll, PE32 14->47 dropped 49 C:\ProgramData\softokn3.dll, PE32 14->49 dropped 51 C:\ProgramData\nss3.dll, PE32 14->51 dropped 53 3 other files (none is malicious) 14->53 dropped 59 Detected unpacking (changes PE section rights) 14->59 61 Detected unpacking (creates a PE file in dynamic memory) 14->61 63 Detected unpacking (overwrites its own PE header) 14->63 75 4 other signatures 14->75 65 Multi AV Scanner detection for dropped file 19->65 67 Machine Learning detection for dropped file 19->67 25 cmd.exe 1 19->25         started        69 Query firmware table information (likely to detect VMs) 23->69 71 Hides threads from debuggers 23->71 73 Tries to detect sandboxes / dynamic malware analysis system (registry check) 23->73 28 conhost.exe 23->28         started        file8 signatures9 process10 signatures11 87 Uses cmd line tools excessively to alter registry or file data 25->87 89 Uses schtasks.exe or at.exe to add and modify task schedules 25->89 30 reg.exe 25->30         started        33 conhost.exe 25->33         started        35 reg.exe 25->35         started        37 3 other processes 25->37 process12 signatures13 91 Disables Windows Defender (deletes autostart) 30->91
Gathering data
Threat name:
Win32.Ransomware.StopCrypt
Create hunting rule
Status:
Malicious
First seen:
2022-06-07 09:21:42 UTC
File Type:
PE (Exe)
Extracted files:
29
AV detection:
26 of 41 (63.41%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=s6qm3qka2mlelpja2uci4qgcthdmnicjpsq54caltj7e4hvvue4q._file
Verdict:
malicious
Similar samples:
26daeb4b3896f5e87c0b6888fe6417a8e70fefadd85436c382aa53189296b23b
ArkeiStealer
62b357aed86fcfc27e822851e3cae300e9dbbb533ec43c3eaaa076acb1a7fb29
ArkeiStealer
6e1137447376815e733c74ab67f202be0d7c769837a0aaac044a9b2696a8fa89
ArkeiStealer
a8cf239166b5764d61fac2971ce6e013a6ee98b3b4af734f13941f2deb1f8ac3
ArkeiStealer
a8eed171fdcb2a872865620fc2234e0b07201d927abcb65344846f6d4a7b75f5
ArkeiStealer
c247a5f323cd82c55da02753f02bfe2fe3d29140d4e00d75c7b0bddd673bcc5c
ArkeiStealer
d3e69a33913507c80742a2d7a59c889efe7aa8f52beef8d172764e049e03ead5
ArkeiStealer
+ 2'585 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar botnet:1163 bootkit discovery evasion persistence spyware stealer suricata trojan
Link:
https://tria.ge/reports/220610-ja8yaaggam/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies registry class
Modifies system certificate store
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Writes to the Master Boot Record (MBR)
Checks BIOS information in registry
Checks computer location settings
Loads dropped DLL
Reads local data of messenger clients
Reads user/profile data of web browsers
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Vidar Stealer
Modifies Windows Defender Real-time Protection settings
Modifies security service
Vidar
suricata: ET MALWARE W32/Agent.OGR!tr.pws Stealer
Malware Config
C2 Extraction:
https://t.me/tg_randomacc
https://indieweb.social/@ronxik333
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/97a0cdc140d31645bd20d5048e40c299c6c6a0497ca1de080b9a7e4e1eb5a139

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_PS2EXE
Create hunting rule
Author:ditekSHen
Description:Detects executables built or packed with PS2EXE

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments