MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0334c599a15d0b9991a2a7ae2c8d30e6c4736b60d6b756133bb2bda95c745245. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0334c599a15d0b9991a2a7ae2c8d30e6c4736b60d6b756133bb2bda95c745245
SHA3-384 hash: 8125bd1c816453a3dab39e3f49abfa347607eb8a2a4465a5a1335ab8a1d76f833c139d7901708450cde6c58e662ad9cf
SHA1 hash: c47f35b32820660995664e6b05cf3049a2ab751c
MD5 hash: b9360d46c5f87721a1eaf44bdf3765ff
humanhash: angel-fourteen-neptune-ohio
File name:file
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:7'109'120 bytes
First seen:2022-11-20 11:54:09 UTC
Last seen:2022-11-20 20:38:22 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 17c6fc9e2b30d9ab00a9b4ca79badd29 (1 x ArkeiStealer)
ssdeep 98304:LSedjzB7kWb53dcYhzzTJwNtgwXwSnO1P5r1bdxXQpE8l3Ih2p/2HY3CKpUq:hdjNVNmYhzzVZwgSnWPRVQmyM28uCeR
Threatray 1'140 similar samples on MalwareBazaar
TLSH T14A6601123D1CC881D8814935CDAADEF872A18ED6E94166F712BB7FEFE035740A11E762
TrID 30.2% (.EXE) Win64 Executable (generic) (10523/12/4)
18.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
14.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
12.9% (.EXE) Win32 Executable (generic) (4505/5/1)
5.9% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 686c76f4c2e8e4e0 (1 x ArkeiStealer)
Reporter andretavare5
Tags:ArkeiStealer exe


Avatar
andretavare5
Sample downloaded from https://vk.com/doc760750097_656463056?hash=zjPmBUlRWOjzmcEjZfDKS5xOMqqbCBIGepsddS9R73g&dl=G43DANZVGAYDSNY:1668944611:TXjsg0H0ghV6nMX37M1SZ2zDj75gmM0cHqntvXBAkST&api=1&no_preview=1#dif1

Intelligence

File Origin
# of uploads :
199
# of downloads :
268
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
vidar
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2022-11-20 11:55:35 UTC
Tags:
trojan stealer vidar
Link:
https://app.any.run/tasks/539353ce-5f09-49f1-9a0c-82b9c362ff93

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/336379/
Detection(s):
SecuriteInfo.com.Generic.ML.PUA.18141.28866.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Reading critical registry keys
Creating a window
Stealing user critical data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
evasive packed
Link:
https://www.filescan.io/uploads/637a15985f223762e6edf4e7/reports/9d5c71a3-a682-4b24-a819-73d10a0a3b4c/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/a5ce634e-3d34-46e3-a32f-84601986f734
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1117558
Signature
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for sample
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Query firmware table information (likely to detect VMs)
Self deletion via cmd or bat file
Tries to detect virtualization through RDTSC time measurements
Tries to evade analysis by execution special instruction (VM detection)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0334c599a15d0b9991a2a7ae2c8d30e6c4736b60d6b756133bb2bda95c745245/
Threat name:
Win32.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2022-11-20 11:55:19 UTC
File Type:
PE (Exe)
Extracted files:
10
AV detection:
18 of 26 (69.23%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=am2mlgnblufztencu6xczdjq43chg23a223vmez3wk62sxdukjcq._file
Verdict:
malicious
Label(s):
raccoon
Create hunting rule
Similar samples:
30eb1174412010512f13dd33bbad41e759c75f3f9cc96146ab2661bd723b246f
ArkeiStealer
3a289614d73c4260ae0cb5be146a0642f8a269dc0320b141d823aeed35209a56
ArkeiStealer
58ae170573fd183ada1906291ca170724608a6a6217d84a6e5f0e400c3b1f481
ArkeiStealer
ae0f564dcf94cd6492d29ebfc3d797d45dacd146c40218ed8c87076d5775bbbe
ArkeiStealer
cec50bf34d70097c1ca3bff6dc6cc52c45ed98b6e3f4a098a4eaaf5abde3540e
ArkeiStealer
e438b0686e14786fa975d2d724c0fb8615e868a1210c57e0323d537cbb08c665
ArkeiStealer
+ 1'130 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar botnet:1696 stealer
Link:
https://tria.ge/reports/221120-n3fjnabh52/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of NtSetInformationThreadHideFromDebugger
Vidar
Malware Config
C2 Extraction:
https://t.me/hkjkkiiioo
https://t.me/asndmadas19
Verdict:
Informative
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/b1ec18f5-8fb6-49f0-bd84-975ee39bd44e
Unpacked files
SH256 hash:
abcf04337cbc9aadd4fc9858af75ccbc6ac8974ac5f81a166fc9ec8fe0a7ef09
MD5 hash:
1fafd8d3944a19816ccbde73b7c05599
SHA1 hash:
8233ce23777ae07fc66d2fa163be16361916f788
Link:
https://www.unpac.me/results/e83f6c6a-f272-47af-9dbe-3b36dda56893/
SH256 hash:
0334c599a15d0b9991a2a7ae2c8d30e6c4736b60d6b756133bb2bda95c745245
MD5 hash:
b9360d46c5f87721a1eaf44bdf3765ff
SHA1 hash:
c47f35b32820660995664e6b05cf3049a2ab751c
Link:
https://www.unpac.me/results/e83f6c6a-f272-47af-9dbe-3b36dda56893/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/0334c599a15d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/336379/

Comments