MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 08c7eb81c268bbae91dedf391c1901461e786ee5cd401872100efad10812efc9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ArkeiStealer

Vendor detections: 11

Intelligence 11 IOCs YARA File information Comments

SHA256 hash:	08c7eb81c268bbae91dedf391c1901461e786ee5cd401872100efad10812efc9
SHA3-384 hash:	aca0400bd156161c495379b2652acd1136aa8538e6e8ab2cc593518b2a4da86a7d9e629a27967a63c6997bf2b4d6d57a
SHA1 hash:	28af3123624492942bcb8e975d9b5d626068eb5c
MD5 hash:	0eab9c7f56af720d1b98b982b396b1e3
humanhash:	bravo-venus-artist-arkansas
File name:	setup.exe
Download:	download sample
Signature	ArkeiStealer Create hunting rule
File size:	380'928 bytes
First seen:	2022-11-28 07:07:44 UTC
Last seen:	2022-11-28 08:37:15 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	7e5c77a7c15b493a77818bd2e91bede0 (2 x RedLineStealer, 1 x ArkeiStealer)
ssdeep	6144:TXD3sDz93DX4zLyi7e5fS7KZywOoy9ARue0JgaNcQl2WBXbFrCSR3xQpPrw:Dyz937LB1/AwOoy9AIe0JgaNcQPbPRe
Threatray	1'162 similar samples on MalwareBazaar
TLSH	T19384CF02B35132D5E862E4F2D696C2B1E4EE8E3673C97086331F38B6772467953A613D
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	abuse_ch
Tags:	ArkeiStealer exe

Intelligence

File Origin

# of uploads :

# of downloads :

227

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

vidar

ID:

File name:

setup.exe

Verdict:

Malicious activity

Analysis date:

2022-11-28 07:08:50 UTC

Tags:

trojan stealer vidar

Link:

https://app.any.run/tasks/deafe6a1-a9a6-4c81-828b-2081fbd829a4

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/339268/

Detection(s):

SecuriteInfo.com.Win32.PWSX-gen.24941.22582.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a process

Searching for synchronization primitives

Сreating synchronization primitives

Launching the default Windows debugger (dwwin.exe)

DNS request

Sending a custom TCP request

Sending an HTTP GET request

Creating a file

Reading critical registry keys

Searching for the window

Creating a window

Running batch commands

Creating a process with a hidden window

Stealing user critical data

Unauthorized injection to a system process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/63845e549c57db591d88f10b/reports/ff82689d-e36d-4727-9a2c-0459d4b457b5/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/b5f632b1-fb4a-4de9-8f94-969f34b2e385

Result

Threat name:

Vidar

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1122264

Signature

Allocates memory in foreign processes

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Multi AV Scanner detection for domain / URL

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/08c7eb81c268bbae91dedf391c1901461e786ee5cd401872100efad10812efc9/

Threat name:

Win32.Trojan.RedLine

Status:

Malicious

First seen:

2022-11-28 07:08:08 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

21 of 26 (80.77%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=bdd6xaocnc525eo6344rygibiyphq3xfzvabq4qqb35nccas57eq._file

Verdict:

malicious

ArkeiStealer

2c993eb220436695d78783d2a6520951e4ce2b65311a96b904a063abdc088235

ArkeiStealer

6eaa17442216edf6c184c03e3b7468922c1b6d59fbf419f811552e2e86e0bcfe

ArkeiStealer

9cd59f476fd53c288245f63281a754b99d65d4198ffc5038e65a5285648d9dcd

ArkeiStealer

d7c42d1df0e957935b672b0633cf3dad39b5d8c85eec4631c62191915af02379

ArkeiStealer

f0527a6ecbe7892f48f746fe60c054681852295c5a897402f09a47e74c617956

ArkeiStealer

+ 1'152 additional samples on MalwareBazaar

Result

Malware family:

vidar

Score:

10/10

Tags:

family:vidar botnet:1375 spyware stealer

Link:

https://tria.ge/reports/221128-hx815aea28/

Behaviour

Checks processor information in registry

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of SetThreadContext

Accesses 2FA software files, possible credential harvesting

Accesses cryptocurrency files/wallets, possible credential harvesting

Loads dropped DLL

Uses the VBS compiler for execution

Vidar

Malware Config

C2 Extraction:

https://t.me/headshotsonly
https://steamcommunity.com/profiles/76561199436777531

Unpacked files

SH256 hash:

06b3c3e621183e9a66fa8daac597b88bb9c95d20440be8afe47a511493491058

MD5 hash:

650f37f3149b470cd435ab5d8d22742e

SHA1 hash:

866e7e2809a01210937389096285a96e26e4c318

Link:

https://www.unpac.me/results/e87c9558-37b6-48a7-8009-33895dcd56af/

SH256 hash:

08c7eb81c268bbae91dedf391c1901461e786ee5cd401872100efad10812efc9

MD5 hash:

0eab9c7f56af720d1b98b982b396b1e3

SHA1 hash:

28af3123624492942bcb8e975d9b5d626068eb5c

Link:

https://www.unpac.me/results/e87c9558-37b6-48a7-8009-33895dcd56af/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/08c7eb81c268/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/08c7eb81c268bbae91dedf391c1901461e786ee5cd401872100efad10812efc9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/339268/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample