MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0b3ab7f49de6a6f299f4ba0acfa832f3ba7a65258afcfa6ee92b0ad584a6e403. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0b3ab7f49de6a6f299f4ba0acfa832f3ba7a65258afcfa6ee92b0ad584a6e403
SHA3-384 hash: be5ef3d1279d8cfab9564c8f9d0d8dce53b24b67a6559cd71602a6f6cf370157312e8002356a3ac05d68601e7d32b68b
SHA1 hash: a4c38910d60c9229189198121c53de8f6c3a4478
MD5 hash: 85f5bb8d7a44bb9ca334726c1b372790
humanhash: high-lithium-illinois-table
File name:85f5bb8d7a44bb9ca334726c1b372790
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:660'992 bytes
First seen:2021-12-11 22:53:12 UTC
Last seen:2021-12-12 01:36:07 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f95947646bf522c556d1447d99f5d644 (1 x DanaBot, 1 x ArkeiStealer, 1 x RedLineStealer)
ssdeep 12288:L/fw1SDAq3jZ5DOMRBhSdpNy5Xz3aiRkfTBl1sS6e7:L/4M/j/iM0N0Xz6eS
Threatray 3'532 similar samples on MalwareBazaar
TLSH T123E412D0F5B2C076C4A2397C88208BD18D3B7851E6B4954BB2781BAB6F726D01F3675B
File icon (PE):PE icon
dhash icon fcfcf4d4d4d4d8c0 (41 x RedLineStealer, 30 x RaccoonStealer, 9 x Smoke Loader)
Reporter zbetcheckin
Tags:32 ArkeiStealer exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
227
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
85f5bb8d7a44bb9ca334726c1b372790
Verdict:
Malicious activity
Analysis date:
2021-12-11 22:56:28 UTC
Tags:
trojan stealer vidar
Link:
https://app.any.run/tasks/aa5a4689-93a4-4bcb-a726-fdf88437e2a8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Vidar
Create hunting rule
Link:
https://www.capesandbox.com/analysis/213372/
Detection(s):
SecuriteInfo.com.Variant.Fragtor.49068.15448.22931.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending an HTTP GET request
DNS request
Creating a file
Reading critical registry keys
Delayed writing of the file
Sending a UDP request
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Launching a process
Query of malicious DNS domain
Sending a TCP request to an infection source
Stealing user critical data
Launching a tool to kill processes
Sending an HTTP GET request to an infection source
Forced shutdown of a browser
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/1681/overview
Behaviour
MalwareBazaar
SystemUptime
CPUID_Instruction
MeasuringTime
CheckCmdLine
EvasionGetTickCount
EvasionQueryPerformanceCounter
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/61b52c0d2a069372660c9766/reports/dc378f29-698c-4cf0-8e40-0229ba68b371/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Vidar
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3a87432f-d273-47c0-ba76-73568017e369
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/905868
Signature
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Self deletion via cmd delete
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Vidar
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0b3ab7f49de6a6f299f4ba0acfa832f3ba7a65258afcfa6ee92b0ad584a6e403/
Threat name:
Win32.Trojan.Azorult
Create hunting rule
Status:
Malicious
First seen:
2021-12-11 20:22:07 UTC
File Type:
PE (Exe)
Extracted files:
39
AV detection:
24 of 28 (85.71%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bm5lp5e542tpfgpuxifm7kbs6o5huzjfrl6pu3xjfmfnlbfg4qbq._file
Verdict:
malicious
Similar samples:
0a039e8c98e4ef49236437881eed171e3f84b4826e78f484202df5de5f88b51b
ArkeiStealer
16a5e36b40b0906b94cdf9a96731842d7b9a2a50828d5b1a9a33eb0601518f99
ArkeiStealer
33817c0fd591e7d5d52586f3ad936f366cb1b9473a8a12c80890bd20048b9400
ArkeiStealer
63b24987e11f1b4180f9385e61deb3be8644a12f9bd586a5f71931f4d738e427
ArkeiStealer
6abcfcf5d46cf092d6c11e874ab9211c37511c825af9990b79fa38e8c2a3c1b0
ArkeiStealer
a3e668096ab424f233fc8090774f39537ca9638099fd72ed1ee9099d06e4a5c9
ArkeiStealer
c008e2eee0063a71fe6436aafbf79a91161d436d6300fe3f6bb2cbbd932a2f4f
ArkeiStealer
d1061d18dc4ceceeba9947137e84e68d689e7befb6f038b467a64c474d0c51d0
ArkeiStealer
+ 3'522 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar botnet:1002 discovery spyware stealer
Link:
https://tria.ge/reports/211211-2vjs1abfh7/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Vidar Stealer
Vidar
Malware Config
C2 Extraction:
https://mstdn.social/@sergeev43
https://koyu.space/@sergeev45
Unpacked files
SH256 hash:
5d4e7e6f99d3a2b7f0be24aef53bed638219f52ab1b9c219ef1c547e58f605d9
MD5 hash:
1926f705f3456a608fbc1443229a2d32
SHA1 hash:
30d04c567ce1d51cb5d8113b86ce3b7bae20f59f
Link:
https://www.unpac.me/results/204e5571-5976-42a8-9968-2dd3506848e0/
SH256 hash:
0b3ab7f49de6a6f299f4ba0acfa832f3ba7a65258afcfa6ee92b0ad584a6e403
MD5 hash:
85f5bb8d7a44bb9ca334726c1b372790
SHA1 hash:
a4c38910d60c9229189198121c53de8f6c3a4478
Link:
https://www.unpac.me/results/204e5571-5976-42a8-9968-2dd3506848e0/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/0b3ab7f49de6/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0b3ab7f49de6a6f299f4ba0acfa832f3ba7a65258afcfa6ee92b0ad584a6e403

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:MALWARE_Win_Vidar
Create hunting rule
Author:ditekSHen
Description:Detects Vidar / ArkeiStealer
Rule name:Vidar
Create hunting rule
Author:kevoreilly
Description:Vidar Payload

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ArkeiStealer

Executable exe 0b3ab7f49de6a6f299f4ba0acfa832f3ba7a65258afcfa6ee92b0ad584a6e403

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/213372/
  
URLhaus
https://urlhaus.abuse.ch/url/1876455/

Comments


Avatar
zbet commented on 2021-12-11 22:53:13 UTC

url : hxxp://coin-coin-data-6.com/files/5600_1639245791_509.exe