MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0b9e99da4b12b612062039c318ecb8a60a75dae6cdf44504d9fdcc5c46a8e7bf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0b9e99da4b12b612062039c318ecb8a60a75dae6cdf44504d9fdcc5c46a8e7bf
SHA3-384 hash: 8602d97c4fe885a473c7ab62d3808dbeee87666b5b5e1dd04d6fe58074810982d4eca462ddf95f6e5d6aef246f4488b9
SHA1 hash: c546196ec671d9bba68563b5b9bb88f7d557e92c
MD5 hash: d6f3667808d57f177f1861eb86522837
humanhash: comet-early-eight-alanine
File name:d6f3667808d57f177f1861eb86522837.exe
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:1'534'976 bytes
First seen:2021-09-23 11:03:29 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c32368f78c61cf2d9d6654d89861a9fe (36 x ArkeiStealer)
ssdeep 24576:HBuzcdGnDDf1EX9uOJwQ5No04Hoawhb5BJnXvxWmmq0LBPdchd:H2DNvgwQ5C04Ibb5BJXIVqMBPdY
Threatray 2'947 similar samples on MalwareBazaar
TLSH T14F65E0259281F437D1B3FA78DD969B7F9B3C7E103910080B6EE82D691B2A3C0B518767
File icon (PE):PE icon
dhash icon 399998ecd4d46c0e (572 x Quakbot, 137 x ArkeiStealer, 82 x GCleaner)
Reporter abuse_ch
Tags:ArkeiStealer exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
108
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
d6f3667808d57f177f1861eb86522837.exe
Verdict:
Malicious activity
Analysis date:
2021-09-23 11:05:20 UTC
Tags:
trojan stealer vidar loader
Link:
https://app.any.run/tasks/3618251c-bb94-411e-9d7c-40adee8e400f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Vidar
Create hunting rule
Link:
https://www.capesandbox.com/analysis/190726/
Detection(s):
SecuriteInfo.com.Adware.Generic4.AANW.UNOFFICIAL
Create hunting rule

Win.Dropper.Zusy-9895684-0
Create hunting rule

Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/99e23ec3-a34d-4429-8156-f5a7b786e341
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/856803
Signature
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Vidar
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 489245 Sample: lN9V0yyxkc.exe Startdate: 23/09/2021 Architecture: WINDOWS Score: 100 48 Multi AV Scanner detection for domain / URL 2->48 50 Found malware configuration 2->50 52 Icon mismatch, binary includes an icon from a different legit application in order to fool users 2->52 54 5 other signatures 2->54 6 lN9V0yyxkc.exe 75 2->6         started        process3 dnsIp4 42 159.69.203.58, 49788, 49808, 80 HETZNER-ASDE Germany 6->42 44 mas.to 88.99.75.82, 443, 49744 HETZNER-ASDE Germany 6->44 46 192.168.2.1 unknown unknown 6->46 20 C:\Users\user\AppData\...\msvcp140[1].dll, PE32 6->20 dropped 22 C:\Users\user\AppData\...\vcruntime140[1].dll, PE32 6->22 dropped 24 C:\Users\user\AppData\Local\...\nss3[1].dll, PE32 6->24 dropped 26 9 other files (none is malicious) 6->26 dropped 56 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 6->56 58 Tries to harvest and steal browser information (history, passwords, etc) 6->58 60 Tries to steal Crypto Currency Wallets 6->60 11 WerFault.exe 9 6->11         started        14 WerFault.exe 9 6->14         started        16 WerFault.exe 9 6->16         started        18 6 other processes 6->18 file5 signatures6 process7 file8 28 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 11->28 dropped 30 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 14->30 dropped 32 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 16->32 dropped 34 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 18->34 dropped 36 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 18->36 dropped 38 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 18->38 dropped 40 2 other malicious files 18->40 dropped
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0b9e99da4b12b612062039c318ecb8a60a75dae6cdf44504d9fdcc5c46a8e7bf/
Threat name:
Win32.Trojan.Pwsx
Create hunting rule
Status:
Malicious
First seen:
2021-09-23 11:04:12 UTC
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
0f0da1d14f83ff61c448df9161c01d1ee11cf4dccbbc48df79fff89f2fd18454
ArkeiStealer
68057c01ea50c5514b856ded8170ba2285ad782f71c27bcc87cb9aaf91da3166
ArkeiStealer
69fb7b86d91b3770791529e3edab3aa7ed335c7cc66c8027f401fd4cd4088034
ArkeiStealer
9f7b738f2ff2ae60844f22c5b4e6e6b42312c2f5f32b3992dc65e5ac6d7a177b
ArkeiStealer
a30652e56f30468e942474a7fc74fd07ee5f298a3156cde5a54c3ced630f7159
ArkeiStealer
ac6210c624a515206e040bf5d24757993ae6975b884f74bf00685cd33145fbbb
ArkeiStealer
e063c47dce8d2f1121ceb4cf4b20688e975646ac831c0e5843d4536d7e1dfbce
ArkeiStealer
e9c16d954e11dae123f981ec7477975abbca8fcbbdbf0a4104eb79ead96ad8c1
ArkeiStealer
f2962bc483f62e359dca3b911e2b422bf057dec9a14c4863992ea063d5d960da
ArkeiStealer
f35bc946ea6919fa86ef778e39ee36e8b6c2c4e335cd82394ed9a29211779ce8
ArkeiStealer
+ 2'937 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar discovery spyware stealer
Link:
https://tria.ge/reports/210923-m6axxaabb6/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Vidar Stealer
Suspicious use of NtCreateProcessExOtherParentProcess
Vidar
Unpacked files
SH256 hash:
0b9e99da4b12b612062039c318ecb8a60a75dae6cdf44504d9fdcc5c46a8e7bf
MD5 hash:
d6f3667808d57f177f1861eb86522837
SHA1 hash:
c546196ec671d9bba68563b5b9bb88f7d557e92c
Link:
https://www.unpac.me/results/a573cdbb-1bfe-4ed9-81d5-1c9c21136781/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.67
Link:
https://yomi.yoroi.company/submissions/0b9e99da4b12b612062039c318ecb8a60a75dae6cdf44504d9fdcc5c46a8e7bf

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ArkeiStealer

Executable exe 0b9e99da4b12b612062039c318ecb8a60a75dae6cdf44504d9fdcc5c46a8e7bf

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1627241/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/190726/

Comments