MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0616ca38ef4871e10a43a27a1c8a0277f0dcd92326679d03663cd00da3f1d8b1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ArkeiStealer

Vendor detections: 11

SHA256 hash: 0616ca38ef4871e10a43a27a1c8a0277f0dcd92326679d03663cd00da3f1d8b1
SHA3-384 hash: c66724ef933355e352263815741415271edbde76ea441f128363b85407a4604f212e2c4d01c87423caca832ebd4b3c87
SHA1 hash: f5a04bb95cfe59e17ccde0bed656607a79380a89
MD5 hash: b8f22fbcb1d579d4b03639090559aaa7
humanhash: stream-king-arkansas-romeo
File name: b8f22fbcb1d579d4b03639090559aaa7.exe
Signature: ArkeiStealer
File size: 634'880 bytes
First seen: 2022-03-23 20:08:03 UTC
Last seen: 2022-05-16 08:42:58 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 2ac742258504eaabd5a3bfa9d9f95939 (5 x Stop, 1 x Smoke Loader, 1 x RedLineStealer)
ssdeep: 12288:rgHND/aVb0ilrjpk8xoN2/v+wAGfdSisZAKTkh3pT/fabC6s:AiJL1pk8qN2/mUSxkys
Threatray: 3'832 similar samples on MalwareBazaar
TLSH: T12FD4F110B7A0D035E5BB15F44879D7B9B81E7DA1AB2464CB62D51BEE4639BE0EC3030B
dhash icon: b6dacabecee6baa6 (72 x Stop, 68 x RedLineStealer, 55 x Smoke Loader)
Reporter: abuse_ch
Tags: ArkeiStealer climatejustice-social exe stereodon-social
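To confirm that a file on disk really is this entry, without trusting its file name, the following added example (not code from MalwareBazaar or abuse.ch) recomputes the four digests listed above with the Python standard library, compares them and the file size to the published values, and checks the DOS/PE headers behind the application/x-dosexec MIME type. The command-line path and the header bytes used for the check are assumptions and constructed input, not taken from this sample.

```python
"""Verify a local file against the identifiers published for this sample.

Added example; not MalwareBazaar's or abuse.ch's own code. The hash values
and size are copied from the database entry above. The file path is
supplied by the user; nothing here downloads or executes the sample.
"""
import hashlib
import struct

# Identifiers copied from the entry above.
PUBLISHED = {
    "sha256": "0616ca38ef4871e10a43a27a1c8a0277f0dcd92326679d03663cd00da3f1d8b1",
    "sha3_384": "c66724ef933355e352263815741415271edbde76ea441f128363b85407a4604f212e2c4d01c87423caca832ebd4b3c87",
    "sha1": "f5a04bb95cfe59e17ccde0bed656607a79380a89",
    "md5": "b8f22fbcb1d579d4b03639090559aaa7",
}
PUBLISHED_SIZE = 634880  # "634'880 bytes" in the entry


def digests(data: bytes) -> dict:
    """Compute the four digests MalwareBazaar publishes, keyed by hashlib name."""
    return {name: hashlib.new(name, data).hexdigest() for name in PUBLISHED}


def is_pe(data: bytes) -> bool:
    """True if data has an MZ header whose e_lfanew (offset 0x3C) points at 'PE\\0\\0'.

    This is the check behind the 'application/x-dosexec' MIME type above; it
    does not parse the rest of the image.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def check_sample(data: bytes) -> dict:
    """Compare a blob against the published identifiers.

    'matched' lists every published digest the blob reproduces. One match is a
    positive identification; no match means this is not the listed file, even
    if the size and PE headers look right.
    """
    got = digests(data)
    return {
        "matched": sorted(n for n, v in got.items() if v == PUBLISHED[n]),
        "size_ok": len(data) == PUBLISHED_SIZE,
        "is_pe": is_pe(data),
        "digests": got,
    }


if __name__ == "__main__":
    import sys
    path = sys.argv[1]  # assumption: path to the file under test
    with open(path, "rb") as fh:
        result = check_sample(fh.read())
    verdict = "matches" if result["matched"] else "does NOT match"
    print(f"{path} {verdict} the MalwareBazaar entry; digests matched={result['matched']} "
          f"size_ok={result['size_ok']} pe={result['is_pe']}")
```

Run it as `python check_sample.py <file>` on a quarantined copy; a file that reproduces only the MD5 but not the SHA256 should be treated as a different file, since MD5 collisions are cheap to manufacture.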

Intelligence


File Origin
# of uploads: 3
# of downloads: 195
Origin country: n/a
Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:
Behaviour:
Searching for the window
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Reading critical registry keys
Creating a window
Delayed writing of the file
Sending a UDP request
Creating synchronization primitives
Running batch commands
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Launching a process
Stealing user critical data
Launching a tool to kill processes
Forced shutdown of a browser

Result
Malware family: n/a
Score: 9/10
Tags: n/a
Behaviour:
MalwareBazaar
MeasuringTime
SystemUptime
CPUID_Instruction
EvasionGetTickCount
EvasionQueryPerformanceCounter
CheckCmdLine
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: greyware packed

Result
Verdict: UNKNOWN
Details:
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name:
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Behaviour:
Behavior Graph: n/a

Threat name: Win32.Trojan.Chapak
Status: Malicious
First seen: 2022-03-23 18:59:09 UTC
File Type: PE (Exe)
Extracted files: 19
AV detection: 19 of 26 (73.08%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:vidar botnet:770 discovery spyware stealer
Behaviour:
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks computer location settings
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Vidar Stealer
Vidar

Malware Config
C2 Extraction:
https://stereodon.social/@samssal
https://climatejustice.social/@s4m7al
Unpacked files
SHA256 hash: 4c532ad823f6d5d35e11b38c347cb4f5960c60908358ca4c65e91ff66bc7a58b
MD5 hash: 4e2c4c05133f17d5f695b353e4cc8f83
SHA1 hash: dfad351c8a9eeb1ebd4465a57a9ac8f264653742

SHA256 hash: 0616ca38ef4871e10a43a27a1c8a0277f0dcd92326679d03663cd00da3f1d8b1
MD5 hash: b8f22fbcb1d579d4b03639090559aaa7
SHA1 hash: f5a04bb95cfe59e17ccde0bed656607a79380a89
Please note that we are no longer able to provide a coverage score for VirusTotal.
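The sandbox behaviour lists above describe a recognisable process chain: "Running batch commands", "Delays execution with timeout.exe", "Kills process with taskkill", "Forced shutdown of a browser" and "Deletes itself". The following added example (not code from MalwareBazaar or from any of the sandboxes reported above) turns that chain into a detection over process-creation events with Sysmon Event ID 1 style fields (ProcessId, ParentProcessId, Image, CommandLine, UtcTime). It attributes the chain to the process that launched cmd.exe, flags taskkill against browser images and a batch `del` of the parent's own image, and ignores an ordinary `timeout` used for a harmless delay. The event lines, the Temp path, the browser list and the 120-second window are constructed or chosen for the example, not captured from this sample.

```python
"""Correlate cmd.exe / timeout.exe / taskkill.exe chains into one alert.

Added example, not code from MalwareBazaar or any sandbox vendor. Events are
dicts modelled on Sysmon Event ID 1; the SAMPLE_EVENTS below are constructed
for illustration (the command lines and the Temp path are assumptions).
"""
from collections import defaultdict
from datetime import datetime
import json
import re

# Assumptions: which image names count as browsers, and how close in time the
# timeout/taskkill children must be to be treated as one batch.
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe", "opera.exe", "brave.exe"}
INTERESTING = {"timeout.exe", "taskkill.exe"}
WINDOW_SECONDS = 120

# 'del ... <something>.exe' inside a batch command line; captures the deleted path.
_DEL_RE = re.compile(r"\bdel\b[^&|]*?\"?([^\s\"&|]+\.exe)", re.IGNORECASE)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def analyse(events):
    """Return one alert per parent whose batch chain matches the listed behaviours."""
    by_pid = {e["ProcessId"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ParentProcessId"]].append(e)

    alerts = []
    for pid, parent in by_pid.items():
        if _basename(parent["Image"]) == "cmd.exe":
            continue  # attribute the chain to whoever launched the batch, not to cmd.exe
        # Direct children plus grandchildren reached through cmd.exe ("Running batch commands").
        cmd_children = [c for c in children.get(pid, []) if _basename(c["Image"]) == "cmd.exe"]
        descendants = list(children.get(pid, []))
        for c in cmd_children:
            descendants.extend(children.get(c["ProcessId"], []))
        tools = [d for d in descendants if _basename(d["Image"]) in INTERESTING]
        if not any(_basename(t["Image"]) == "timeout.exe" for t in tools):
            continue  # "Delays execution with timeout.exe" is the anchor of the chain
        times = [_ts(t["UtcTime"]) for t in tools]
        if (max(times) - min(times)).total_seconds() > WINDOW_SECONDS:
            continue
        reasons = []
        for t in tools:
            if _basename(t["Image"]) == "taskkill.exe":
                targets = {x.lower() for x in re.findall(r"/im\s+(\S+)", t["CommandLine"], re.IGNORECASE)}
                hit = sorted(targets & BROWSERS)
                if hit:  # "Forced shutdown of a browser"
                    reasons.append("taskkill against browser: " + ", ".join(hit))
        for c in cmd_children:
            m = _DEL_RE.search(c["CommandLine"])
            if m and _basename(m.group(1)) == _basename(parent["Image"]):
                reasons.append("batch deletes the parent's own image after timeout")  # "Deletes itself"
        if reasons:
            alerts.append({"pid": pid, "image": parent["Image"], "reasons": reasons})
    return alerts


# Constructed sample events (not captured from this sample). Only the file name
# is taken from the entry; the Temp path and command lines are assumptions.
SAMPLE_EVENTS = [json.loads(line) for line in r'''
{"UtcTime": "2022-03-23 20:10:00", "ProcessId": 700, "ParentProcessId": 1, "Image": "C:\\Windows\\explorer.exe", "CommandLine": "explorer.exe"}
{"UtcTime": "2022-03-23 20:10:01", "ProcessId": 4100, "ParentProcessId": 700, "Image": "C:\\Users\\u\\AppData\\Local\\Temp\\b8f22fbcb1d579d4b03639090559aaa7.exe", "CommandLine": "b8f22fbcb1d579d4b03639090559aaa7.exe"}
{"UtcTime": "2022-03-23 20:10:02", "ProcessId": 4120, "ParentProcessId": 4100, "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c taskkill /im chrome.exe /f & timeout /t 6 & del /f /q \"C:\\Users\\u\\AppData\\Local\\Temp\\b8f22fbcb1d579d4b03639090559aaa7.exe\""}
{"UtcTime": "2022-03-23 20:10:02", "ProcessId": 4130, "ParentProcessId": 4120, "Image": "C:\\Windows\\System32\\taskkill.exe", "CommandLine": "taskkill /im chrome.exe /f"}
{"UtcTime": "2022-03-23 20:10:03", "ProcessId": 4140, "ParentProcessId": 4120, "Image": "C:\\Windows\\System32\\timeout.exe", "CommandLine": "timeout /t 6"}
{"UtcTime": "2022-03-23 20:15:00", "ProcessId": 5000, "ParentProcessId": 700, "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c timeout /t 30 & echo done"}
{"UtcTime": "2022-03-23 20:15:01", "ProcessId": 5010, "ParentProcessId": 5000, "Image": "C:\\Windows\\System32\\timeout.exe", "CommandLine": "timeout /t 30"}
'''.strip().splitlines()]


if __name__ == "__main__":
    for alert in analyse(SAMPLE_EVENTS):
        print(json.dumps(alert, indent=2))
```

Against the constructed events, only the Temp-directory executable is reported, with both reasons; explorer.exe's harmless `timeout /t 30 & echo done` produces nothing because it neither kills a browser nor deletes its parent. In production the same logic runs over a stream of Sysmon or EDR process events grouped by host.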

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: ArkeiStealer
File: Executable exe 0616ca38ef4871e10a43a27a1c8a0277f0dcd92326679d03663cd00da3f1d8b1 (this sample)

Delivery method: Distributed via web download