MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0544e0fcb370f6d4e5691f820cbd673ef7d0e1a973dbe76e4956a514b0862566. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0544e0fcb370f6d4e5691f820cbd673ef7d0e1a973dbe76e4956a514b0862566
SHA3-384 hash: c85bbbd8c4d96560494fde2695a3591964d1d46e12da852a65ef729f5ed211df627321791a4e6bfebfbb50ffa7f39d2a
SHA1 hash: ee89638c5cf49c5affdcb6c8cd1c7b4a2df31738
MD5 hash: f2e9f1087256b13c1f3cf796bbbc6912
humanhash: romeo-wolfram-foxtrot-tennessee
File name:Setup.exe
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:374'784 bytes
First seen:2022-11-28 07:24:18 UTC
Last seen:2022-11-28 08:37:19 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 3f7efe3b4d94e5183ceea7403176c7cf (3 x RedLineStealer, 1 x ArkeiStealer)
ssdeep 6144:wyA7v3DX4zLii7e5PKH6hx9mMKRymqau0JcaNkXVWWIPbFN4+SRR49:Kz377BdzT9mMKRyrau0JcaNkXEbDgRR4
Threatray 1'164 similar samples on MalwareBazaar
TLSH T16B84BE037B1221D8D972E879A5B681F1E5FE492773E97089371F30BA771227913AA13C
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:ArkeiStealer exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
215
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
vidar
Create hunting rule
ID:
1
File name:
Setup.exe
Verdict:
Malicious activity
Analysis date:
2022-11-28 07:27:22 UTC
Tags:
trojan stealer vidar
Link:
https://app.any.run/tasks/4d3cee76-7c31-47ab-a571-ebbca1483857

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/339270/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.4450.14227.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Reading critical registry keys
Creating a window
Running batch commands
Creating a process with a hidden window
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/6384624f559d07a06f47e740/reports/d39d3314-9953-4786-8f7e-aa7746d75645/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/7b0be473-30fd-40eb-9548-193401e50432
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1122268
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0544e0fcb370f6d4e5691f820cbd673ef7d0e1a973dbe76e4956a514b0862566/
Threat name:
Win32.Trojan.RedLine
Create hunting rule
Status:
Malicious
First seen:
2022-11-28 07:25:08 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
23 of 26 (88.46%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=avcob7ftod3njzljd6bazplhh335bynjopn6o3sjk2srjmegevta._file
Verdict:
malicious
Similar samples:
08455b4a70ecb4f6ead66f078fd16257334d4afc6b72aaad13eb6617d7c1e1f6
ArkeiStealer
08c7eb81c268bbae91dedf391c1901461e786ee5cd401872100efad10812efc9
ArkeiStealer
2c993eb220436695d78783d2a6520951e4ce2b65311a96b904a063abdc088235
ArkeiStealer
6eaa17442216edf6c184c03e3b7468922c1b6d59fbf419f811552e2e86e0bcfe
ArkeiStealer
9cd59f476fd53c288245f63281a754b99d65d4198ffc5038e65a5285648d9dcd
ArkeiStealer
d7c42d1df0e957935b672b0633cf3dad39b5d8c85eec4631c62191915af02379
ArkeiStealer
f0527a6ecbe7892f48f746fe60c054681852295c5a897402f09a47e74c617956
ArkeiStealer
+ 1'154 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar botnet:1375 spyware stealer
Link:
https://tria.ge/reports/221128-h8ypjaba5x/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Loads dropped DLL
Uses the VBS compiler for execution
Vidar
Malware Config
C2 Extraction:
https://t.me/headshotsonly
https://steamcommunity.com/profiles/76561199436777531
Unpacked files
SH256 hash:
26b22b791b3aaccff8e18b949b5d79b4294547bb18cb5ce8081db02428226dda
MD5 hash:
3476508993232ce072093edebe71de74
SHA1 hash:
d70b397f96d24586a1af359b9c226bfd237863ac
Link:
https://www.unpac.me/results/5c3f70b1-a24e-4251-816d-fc052242eefa/
SH256 hash:
0544e0fcb370f6d4e5691f820cbd673ef7d0e1a973dbe76e4956a514b0862566
MD5 hash:
f2e9f1087256b13c1f3cf796bbbc6912
SHA1 hash:
ee89638c5cf49c5affdcb6c8cd1c7b4a2df31738
Link:
https://www.unpac.me/results/5c3f70b1-a24e-4251-816d-fc052242eefa/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/0544e0fcb370/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0544e0fcb370f6d4e5691f820cbd673ef7d0e1a973dbe76e4956a514b0862566

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/339270/

Comments