MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0249c64b8858a7ba84f14c058f7a10d41ef807eb4f015ee34c6b388a3a2f1804. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 17


Intelligence 17 IOCs YARA 15 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0249c64b8858a7ba84f14c058f7a10d41ef807eb4f015ee34c6b388a3a2f1804
SHA3-384 hash: 29ea2007dac03f3ee2a2a91107d8dc46bb9ace15958e17e9980a2a92886cfe7860a6af995fd3c367aeb51be11937330e
SHA1 hash: 249c107d10b2590bcae805663343723ad8f794bd
MD5 hash: 432385402013c4f7301767eff3d81929
humanhash: asparagus-august-wolfram-nineteen
File name:indicat.exe
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:1'299'000 bytes
First seen:2023-09-26 06:37:21 UTC
Last seen:2023-09-26 07:36:32 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'737 x AgentTesla, 19'596 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 24576:V20lhvrCxcONV5EjvWkq9kqpK6dRE1Iu/zu0Gs9W5mq9N1YwmXnEPUozh0gd:Ighvuxccgb1qpK6dRozu0r4NZmX7+Zd
Threatray 7 similar samples on MalwareBazaar
TLSH T1E755010263A5CA22DBDA2234D4EB952847A2E6437633EB4B3F1D53582F533735E913C6
TrID 47.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
20.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
8.4% (.SCR) Windows screen saver (13097/50/3)
6.8% (.EXE) Win64 Executable (generic) (10523/12/4)
4.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon e4ac24e4e42ec43c (1 x ArkeiStealer)
Reporter r3dbU7z
Tags:ArkeiStealer exe vidar

Intelligence

File Origin
# of uploads :
2
# of downloads :
300
Origin country :
RU RU
Vendor Threat Intelligence
Malware family:
vidar
Create hunting rule
ID:
1
File name:
indicat.exe
Verdict:
Malicious activity
Analysis date:
2023-09-26 06:38:00 UTC
Tags:
stealer vidar trojan arkei
Link:
https://app.any.run/tasks/84fdd5f3-dd95-4f13-8fa7-0e9c78c445d8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Vidar
Create hunting rule
Link:
https://www.capesandbox.com/analysis/451160/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.16123.26014.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a file
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Reading critical registry keys
Using the Windows Management Instrumentation requests
Creating a window
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware lolbin msbuild net_reactor obfuscated overlay packed packed regasm replace
Link:
https://www.filescan.io/uploads/65127c4b32ffdb7a7a147ea3/reports/91ec1d1b-52ec-4d9d-9f12-ae7c713e7bb6/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/0249c64b8858a7ba84f14c058f7a10d41ef807eb4f015ee34c6b388a3a2f1804
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Arkei Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/74761c3f-90ba-454e-967a-7b1655ab954e
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1314287
Signature
.NET source code contains method to dynamically call methods (often used by packers)
C2 URLs / IPs found in malware configuration
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Yara detected AntiVM3
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0249c64b8858a7ba84f14c058f7a10d41ef807eb4f015ee34c6b388a3a2f1804/
Threat name:
Win32.Spyware.Vidar
Create hunting rule
Status:
Malicious
First seen:
2023-09-25 14:36:57 UTC
File Type:
PE (.Net Exe)
Extracted files:
19
AV detection:
23 of 38 (60.53%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=aje4ms4ilct3vbhrjqcy66qq2qppqb7lj4av5y2mnm4iuorpdaca._file
Verdict:
malicious
Similar samples:
34e9b76c568bed90396850a59f181edb5233a045c1042fec1e29a42d8449cd40
ArkeiStealer
379cdb7d5a170a6e0df0ae27939d662d1a6f1c5aa0cb76f98ea14e17cbda64d9
ArkeiStealer
5b4bced547eb17aa796a64c58e89f9d96e56edab6596e02ec13801bf5d452b97
ArkeiStealer
e0f76fec46d5a367fdec67bfef123cb3ab7c6d7edf2efd14ba4c9b635dc6e34b
ArkeiStealer
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar botnet:569c252f73517f386dcc9086d37bc4ab stealer
Link:
https://tria.ge/reports/230926-hd24gagd86/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Vidar
Malware Config
C2 Extraction:
https://steamcommunity.com/profiles/76561199555780195
https://t.me/solonichat
Unpacked files
SH256 hash:
fd56a07f2da75c84337cbf94e0acafc09fb909cfb187a0ae214827ce2c4708bb
MD5 hash:
d93c5f59ddc41313bf36f106a2f1fe17
SHA1 hash:
97c5cd9d0689c1cd74685bc979122a13eba3fcc9
Link:
https://www.unpac.me/results/700343b6-a6ad-41eb-b413-41aa0195fa75/
SH256 hash:
3135689ecbed02e07980f35959246c270f6dc84a707cefcf8a78885be53eccea
MD5 hash:
c761c93656ff80fe1bc4ce00b957b721
SHA1 hash:
5bff3bac1afba3beaa881b133298d7e1bd1f210e
Detections:
VidarStealer
Create hunting rule
Link:
https://www.unpac.me/results/700343b6-a6ad-41eb-b413-41aa0195fa75/
SH256 hash:
0249c64b8858a7ba84f14c058f7a10d41ef807eb4f015ee34c6b388a3a2f1804
MD5 hash:
432385402013c4f7301767eff3d81929
SHA1 hash:
249c107d10b2590bcae805663343723ad8f794bd
Link:
https://www.unpac.me/results/700343b6-a6ad-41eb-b413-41aa0195fa75/
Malware family:
Vidar.A
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/0249c64b8858/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0249c64b8858a7ba84f14c058f7a10d41ef807eb4f015ee34c6b388a3a2f1804

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BAZT_B5_NOCEXInvalidStream
Create hunting rule
Rule name:Check_OutputDebugStringA_iat
Create hunting rule
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:has_telegram_urls
Create hunting rule
Author:Aaron DeVera<aaron@backchannel.re>
Description:Detects Telegram URLs
Rule name:INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
Create hunting rule
Author:ditekSHen
Description:Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Telegram_Links
Create hunting rule
Rule name:Vidar
Create hunting rule
Author:kevoreilly,rony
Description:Vidar Payload
Rule name:win_vidar_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.vidar.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ArkeiStealer

Executable exe 0249c64b8858a7ba84f14c058f7a10d41ef807eb4f015ee34c6b388a3a2f1804

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/451160/

Comments