MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0d5bfe99b0e343aa66584a28af6000c39f8b9aacc7f304d13b7e2a8cc31d16eb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0d5bfe99b0e343aa66584a28af6000c39f8b9aacc7f304d13b7e2a8cc31d16eb
SHA3-384 hash: 792fe25498948b6936625bb4b916b3f164e5870d77b838b0c8a28b951cbd5720df6b70c10fcc8476bafb7a0ce540a1b0
SHA1 hash: 2a4622d6e4974d71862b3976309d38d51603052b
MD5 hash: ba041a9fc41225152308162ac9073707
humanhash: minnesota-friend-seventeen-saturn
File name:0d5bfe99b0e343aa66584a28af6000c39f8b9aacc7f304d13b7e2a8cc31d16eb
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:2'805'688 bytes
First seen:2022-05-16 08:18:04 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 37a87ba4c777dcd1db50684f6b029f1b (13 x RedLineStealer, 2 x ArkeiStealer, 1 x CoinMiner)
ssdeep 49152:3WyTwJ2fG+yThQNqBG5GcjvlIDvXZW1Q0WjVX3+RINaHdNnOV1abkRFtPu+mdMmd:3WyTwwfry1LG5GcjvlIDvXZkQ0WhX3+9
Threatray 5'092 similar samples on MalwareBazaar
TLSH T139D5D0BF9705D81ECB433475859F92A25002B671690FB5935F847AA9D32B0CEFF22B42
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter JAMESWT_WT
Tags:ArkeiStealer climatejustice-social exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
207
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
0d5bfe99b0e343aa66584a28af6000c39f8b9aacc7f304d13b7e2a8cc31d16eb
Verdict:
Malicious activity
Analysis date:
2022-05-16 09:05:00 UTC
Tags:
trojan stealer
Link:
https://app.any.run/tasks/7aa338f4-5537-4da6-a375-3e5d3414826e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Vidar
Create hunting rule
Link:
https://www.capesandbox.com/analysis/270939/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Reading critical registry keys
Creating a window
Delayed writing of the file
Stealing user critical data
Unauthorized injection to a system process
Forced shutdown of a browser
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/17923/overview
Behaviour
MalwareBazaar
MeasuringTime
CheckCmdLine
EvasionQueryPerformanceCounter
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control.exe greyware overlay packed
Link:
https://www.filescan.io/uploads/628208d022b733139c1fde42/reports/7ec68286-385a-4527-aa83-f4041dedb804/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Vidar
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/bcca8d71-3a77-4609-9da5-c98a45d703d2
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/994689
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Add file from suspicious location to autostart registry
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses cmd line tools excessively to alter registry or file data
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 627182 Sample: MzRn1YNrbz Startdate: 16/05/2022 Architecture: WINDOWS Score: 100 68 Snort IDS alert for network traffic 2->68 70 Malicious sample detected (through community Yara rule) 2->70 72 Antivirus detection for dropped file 2->72 74 8 other signatures 2->74 10 MzRn1YNrbz.exe 1 2->10         started        process3 signatures4 84 Writes to foreign memory regions 10->84 86 Allocates memory in foreign processes 10->86 88 Injects a PE file into a foreign processes 10->88 13 AppLaunch.exe 150 10->13         started        18 conhost.exe 10->18         started        process5 dnsIp6 62 116.202.0.187, 49756, 80 HETZNER-ASDE Germany 13->62 64 objects.githubusercontent.com 185.199.108.133, 443, 49773 FASTLYUS Netherlands 13->64 66 2 other IPs or domains 13->66 50 C:\Users\user\AppData\...\Software[2].exe, PE32 13->50 dropped 52 C:\ProgramData\SRT2H1V9CYLP5LNSR3MB.exe, PE32 13->52 dropped 54 C:\ProgramData\vcruntime140.dll, PE32 13->54 dropped 56 5 other files (none is malicious) 13->56 dropped 92 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 13->92 94 May check the online IP address of the machine 13->94 96 Uses cmd line tools excessively to alter registry or file data 13->96 98 2 other signatures 13->98 20 SRT2H1V9CYLP5LNSR3MB.exe 1 13->20         started        23 cmd.exe 1 13->23         started        file7 signatures8 process9 signatures10 76 Multi AV Scanner detection for dropped file 20->76 78 Machine Learning detection for dropped file 20->78 80 Writes to foreign memory regions 20->80 82 2 other signatures 20->82 25 AppLaunch.exe 19 20->25         started        30 conhost.exe 20->30         started        32 taskkill.exe 1 23->32         started        34 conhost.exe 23->34         started        36 timeout.exe 1 23->36         started        process11 dnsIp12 58 api.telegram.org 149.154.167.220, 443, 49785, 49786 TELEGRAMRU United Kingdom 25->58 60 ipinfo.io 34.117.59.81, 49784, 80 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 25->60 46 C:\Users\user\AppData\Local\...\OneDrive.exe, PE32+ 25->46 dropped 48 C:\Users\user\AppData\Local\...\Secur32.dll, PE32+ 25->48 dropped 90 Uses cmd line tools excessively to alter registry or file data 25->90 38 reg.exe 1 1 25->38         started        40 reg.exe 1 1 25->40         started        file13 signatures14 process15 process16 42 conhost.exe 38->42         started        44 conhost.exe 40->44         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0d5bfe99b0e343aa66584a28af6000c39f8b9aacc7f304d13b7e2a8cc31d16eb/
Threat name:
Win32.Trojan.PSWStealer
Create hunting rule
Status:
Malicious
First seen:
2022-05-12 20:56:05 UTC
File Type:
PE (Exe)
AV detection:
23 of 26 (88.46%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
15581c22b60eae59d0e5e7c8a50f3d96d5d561dc417ef670098bb07226aca9b4
ArkeiStealer
24c19a1636d3587279d55be4fe5ff2921f8caf3698d6214fe4110bc3ca76fc16
ArkeiStealer
2d4e8ec435902700a1bc97cf6f5aad79891cbb6b0f3d6582dd9937755f8432d2
ArkeiStealer
4acab2cb128ba9c8a9f91d1f677ec1b6770b265b9d04e9efe3bf979a2327ce1a
ArkeiStealer
4f1a14769b149677a39c1d1074ca1c17fa38324a578c5125c2470a6603273f2c
ArkeiStealer
612840679bebc417813eb40902e8b29c3784c1698c79dc0e77b0141870f0e983
ArkeiStealer
edfbc84d096e286fb93b5a310b7b855a6e78da75e940ea6039d853142f7c2204
ArkeiStealer
+ 5'082 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar botnet:1199 spyware stealer suricata
Link:
https://tria.ge/reports/220516-j7t6dsfgh2/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Loads dropped DLL
Vidar Stealer
Vidar
suricata: ET MALWARE Vidar/Arkei/Megumin Stealer Keywords Retrieved
suricata: ET MALWARE W32/Agent.OGR!tr.pws Stealer
Malware Config
C2 Extraction:
https://t.me/verstappenf1r
https://climatejustice.social/@ronxik312
Unpacked files
SH256 hash:
982d63718fa9d9d5dd49032629ce229a54d5cda08d14924813bcfad7c98f78f2
MD5 hash:
e8c6919eeefb5c2f904a119c158fd43f
SHA1 hash:
632f7bc32ed91aab732115fb680ce67e39061d90
Link:
https://www.unpac.me/results/03e6c933-65ba-4070-8126-76e874e338b8/
SH256 hash:
0d5bfe99b0e343aa66584a28af6000c39f8b9aacc7f304d13b7e2a8cc31d16eb
MD5 hash:
ba041a9fc41225152308162ac9073707
SHA1 hash:
2a4622d6e4974d71862b3976309d38d51603052b
Link:
https://www.unpac.me/results/03e6c933-65ba-4070-8126-76e874e338b8/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0d5bfe99b0e343aa66584a28af6000c39f8b9aacc7f304d13b7e2a8cc31d16eb

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/270939/

Comments