MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 078a1454758249c9ee1016a0ee2e9c149965a9e3a50345287f3086cceccd4442. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ArkeiStealer

Vendor detections: 14

Intelligence 14 IOCs YARA 5 File information Comments

SHA256 hash:	078a1454758249c9ee1016a0ee2e9c149965a9e3a50345287f3086cceccd4442
SHA3-384 hash:	50a03224fc27d552f95872d9b2c2a98d4bb33e39cc397c18c2e8db89692d1cfece867093080a2568147acbb1ec1005c5
SHA1 hash:	4414492f2c16674b57e98d7529f191fa01c754ee
MD5 hash:	e9135139ddd4ba4c876aad5745f5a1b3
humanhash:	robert-ack-louisiana-carpet
File name:	078a1454758249c9ee1016a0ee2e9c149965a9e3a50345287f3086cceccd4442
Download:	download sample
Signature	ArkeiStealer Create hunting rule
File size:	2'784'736 bytes
First seen:	2022-05-16 08:17:50 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	9de116a58a6964e888a644a836e6e83f (15 x RedLineStealer, 1 x Formbook, 1 x TVRat)
ssdeep	49152:f2ENDjoOpIv2pZyq6ZnvX+1O6zFdNCpufscoAdhd7eC//y7FMKmGhrRxyF:f2ENDjoOq2pZyq6ZnvX+1O6zFdNCpufR
Threatray	5'094 similar samples on MalwareBazaar
TLSH	T1A5D5BF738301C36AD793703A81CF9D25720A5671662FBCC267056BA8DB172EE5624FE3
TrID	48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 16.4% (.EXE) Win64 Executable (generic) (10523/12/4) 10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	JAMESWT_WT
Tags:	ArkeiStealer climatejustice-social exe

Intelligence

File Origin

# of uploads :

# of downloads :

198

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

078a1454758249c9ee1016a0ee2e9c149965a9e3a50345287f3086cceccd4442

Verdict:

Malicious activity

Analysis date:

2022-05-16 09:17:07 UTC

Tags:

trojan stealer

Link:

https://app.any.run/tasks/94b7bb86-acde-4d33-91bd-723eb489ffec

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Vidar

Link:

https://www.capesandbox.com/analysis/270938/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Launching a process

Сreating synchronization primitives

DNS request

Sending a custom TCP request

Sending an HTTP GET request

Creating a file

Reading critical registry keys

Creating a window

Delayed writing of the file

Stealing user critical data

Unauthorized injection to a system process

Forced shutdown of a browser

Result

Malware family:

n/a

Score:

6/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/17922/overview

Behaviour

MalwareBazaar

MeasuringTime

CheckCmdLine

EvasionQueryPerformanceCounter

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

control.exe greyware overlay packed

Link:

https://www.filescan.io/uploads/628208ce6c85fb249699c2b4/reports/339211a5-87e3-48a9-b4ca-950be07397de/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Vidar

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/6b1d0492-bf9f-4880-910c-fd2aa8f48232

Result

Threat name:

Vidar

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/994690

Signature

Allocates memory in foreign processes

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/078a1454758249c9ee1016a0ee2e9c149965a9e3a50345287f3086cceccd4442/

Threat name:

Win32.Trojan.SpyStealer

Status:

Malicious

First seen:

2022-05-10 19:09:35 UTC

File Type:

PE (Exe)

AV detection:

21 of 26 (80.77%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=a6fbivdvqje4t3qqc2qo4lu4csmwlkpduubukkd7gcdmz3gnirba._file

Verdict:

malicious

ArkeiStealer

15581c22b60eae59d0e5e7c8a50f3d96d5d561dc417ef670098bb07226aca9b4

ArkeiStealer

2d4e8ec435902700a1bc97cf6f5aad79891cbb6b0f3d6582dd9937755f8432d2

ArkeiStealer

4acab2cb128ba9c8a9f91d1f677ec1b6770b265b9d04e9efe3bf979a2327ce1a

ArkeiStealer

4f1a14769b149677a39c1d1074ca1c17fa38324a578c5125c2470a6603273f2c

ArkeiStealer

612840679bebc417813eb40902e8b29c3784c1698c79dc0e77b0141870f0e983

ArkeiStealer

edfbc84d096e286fb93b5a310b7b855a6e78da75e940ea6039d853142f7c2204

ArkeiStealer

+ 5'084 additional samples on MalwareBazaar

Result

Malware family:

vidar

Score:

10/10

Tags:

family:vidar botnet:1199 spyware stealer suricata

Link:

https://tria.ge/reports/220516-j69jpaadbn/

Behaviour

Checks processor information in registry

Delays execution with timeout.exe

Kills process with taskkill

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Accesses 2FA software files, possible credential harvesting

Accesses cryptocurrency files/wallets, possible credential harvesting

Loads dropped DLL

Downloads MZ/PE file

Executes dropped EXE

Vidar Stealer

Vidar

suricata: ET MALWARE Vidar/Arkei/Megumin Stealer Keywords Retrieved

suricata: ET MALWARE W32/Agent.OGR!tr.pws Stealer

Malware Config

C2 Extraction:

https://t.me/verstappenf1r
https://climatejustice.social/@ronxik312

Unpacked files

SH256 hash:

982d63718fa9d9d5dd49032629ce229a54d5cda08d14924813bcfad7c98f78f2

MD5 hash:

e8c6919eeefb5c2f904a119c158fd43f

SHA1 hash:

632f7bc32ed91aab732115fb680ce67e39061d90

Link:

https://www.unpac.me/results/a723a8e2-a7bf-4bcf-8f39-60ea18d1a17b/

SH256 hash:

078a1454758249c9ee1016a0ee2e9c149965a9e3a50345287f3086cceccd4442

MD5 hash:

e9135139ddd4ba4c876aad5745f5a1b3

SHA1 hash:

4414492f2c16674b57e98d7529f191fa01c754ee

Link:

https://www.unpac.me/results/a723a8e2-a7bf-4bcf-8f39-60ea18d1a17b/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/078a1454758249c9ee1016a0ee2e9c149965a9e3a50345287f3086cceccd4442

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL Create hunting rule
Author:	ditekSHen
Description:	Detects binaries and memory artifcats referencing sandbox DLLs typically observed in sandbox evasion

Rule name:	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing SQL queries to confidential data stores. Observed in infostealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing potential Windows Defender anti-emulation checks

Rule name:	MALWARE_Win_Vidar Create hunting rule
Author:	ditekSHen
Description:	Detects Vidar / ArkeiStealer

Rule name:	Vidar Create hunting rule
Author:	kevoreilly
Description:	Vidar Payload

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/270938/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample