MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0d6f77529ee406ef7d5e980a35d58553026e35548bd45e7dfb2d0d10b02c8f79. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0d6f77529ee406ef7d5e980a35d58553026e35548bd45e7dfb2d0d10b02c8f79
SHA3-384 hash: fcc1991d2a3cff8d2d33c23e2ca93d0f94b373e278366b6add666b33edc3714e126147ef0d315610a44ad7bba87a19f0
SHA1 hash: 3d4b17b486890f6a553ecd678a316c7344376584
MD5 hash: 64f8364d155ea39366f7a636118e3bc0
humanhash: steak-may-kilo-october
File name:file
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:1'362'432 bytes
First seen:2022-11-27 14:49:40 UTC
Last seen:2022-11-27 18:53:55 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 24576:LtlVDnXqR+2aT64pZ/Y8fItCDAdCuAW0umxZC9uqoE07g:LtlVD7tZ/Y8ZZAuq+
Threatray 1'149 similar samples on MalwareBazaar
TLSH T173550123BBA14E21C2C94776D1DB590167E69952B227FB0E358903DA4D033FE6C1DACB
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter andretavare5
Tags:ArkeiStealer exe


Avatar
andretavare5
Sample downloaded from https://vk.com/doc760750097_656960958?hash=Z1pdoVPT5Lg7oVOzVfAQl4Ezt7hi4yHehzUCOHjraUk&dl=G43DANZVGAYDSNY:1669560350:XO2Zz9NpRWOor5gX2seaTbxZqdGYLZZGIES1UOOkMQT&api=1&no_preview=1#123_1

Intelligence

File Origin
# of uploads :
123
# of downloads :
263
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2022-11-27 14:50:41 UTC
Tags:
stealer
Link:
https://app.any.run/tasks/e94bd4b5-546d-4fd7-b82d-914886292a2c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/339063/
Detection(s):
SecuriteInfo.com.Variant.Tedy.229715.28968.5746.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
Launching a process
Creating a process with a hidden window
Sending a custom TCP request
Running batch commands
Creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6383791c5be128ac718f204a/reports/95a2a52f-2880-476b-a27f-7304558edeb4/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
MassLogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/cac6f735-3377-40e2-90b4-c48970d90069
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1121947
Signature
.NET source code contains method to dynamically call methods (often used by packers)
C2 URLs / IPs found in malware configuration
Encrypted powershell cmdline option found
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Self deletion via cmd or bat file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 754664 Sample: file.exe Startdate: 27/11/2022 Architecture: WINDOWS Score: 96 46 Malicious sample detected (through community Yara rule) 2->46 48 Yara detected Vidar stealer 2->48 50 .NET source code contains method to dynamically call methods (often used by packers) 2->50 52 3 other signatures 2->52 8 file.exe 4 2->8         started        process3 file4 38 C:\Users\user\AppData\Local\...\file.exe.log, ASCII 8->38 dropped 54 Encrypted powershell cmdline option found 8->54 56 Self deletion via cmd or bat file 8->56 58 Injects a PE file into a foreign processes 8->58 12 file.exe 19 8->12         started        16 cmd.exe 1 8->16         started        18 powershell.exe 7 8->18         started        20 2 other processes 8->20 signatures5 process6 dnsIp7 40 t.me 149.154.167.99, 443, 49704 TELEGRAMRU United Kingdom 12->40 42 194.4.49.90, 49705, 80 FIRSTDC-ASRU Russian Federation 12->42 44 192.168.2.1 unknown unknown 12->44 60 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 12->60 62 Self deletion via cmd or bat file 12->62 64 Tries to harvest and steal browser information (history, passwords, etc) 12->64 66 Tries to steal Crypto Currency Wallets 12->66 22 cmd.exe 1 12->22         started        68 Encrypted powershell cmdline option found 16->68 24 powershell.exe 19 16->24         started        26 conhost.exe 16->26         started        28 conhost.exe 18->28         started        30 conhost.exe 20->30         started        signatures8 process9 process10 32 conhost.exe 22->32         started        34 timeout.exe 1 22->34         started        36 conhost.exe 28->36         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0d6f77529ee406ef7d5e980a35d58553026e35548bd45e7dfb2d0d10b02c8f79/
Threat name:
ByteCode-MSIL.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2022-11-27 14:50:11 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
16 of 26 (61.54%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bvxxouu64qdo67k6tafdlvmfkmbg4nkurpkf47p3fugrbmbmr54q._file
Verdict:
malicious
Label(s):
masslogger
Create hunting rule
Similar samples:
1e4e62fe9bbe9a19978b3dc4f7b7ef41bbd555e6e78db4407545b9a845061e24
ArkeiStealer
60724da01de35adee6cb34317cd2947fbcb791a8381386d79072857a19a58708
ArkeiStealer
6eaa17442216edf6c184c03e3b7468922c1b6d59fbf419f811552e2e86e0bcfe
ArkeiStealer
ca325db87d417d1b142fc76c5f8e6c093dab172458e89c456b7f4bb374c02d82
ArkeiStealer
d7c42d1df0e957935b672b0633cf3dad39b5d8c85eec4631c62191915af02379
ArkeiStealer
db701c4c2b8a1a5f336b3039ac0e643a8e5105941d413f7fbbe85f3764ee8278
ArkeiStealer
+ 1'139 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar botnet:1696 discovery spyware stealer
Link:
https://tria.ge/reports/221127-r7kwqaeg68/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
.NET Reactor proctector
Vidar
Malware Config
C2 Extraction:
https://t.me/hkjkkiiioo
https://t.me/asndmadas19
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/9cee8b09-b8d9-46d2-97b6-c70b674a1401
Unpacked files
SH256 hash:
ad1fa3133e2886cb562a4c86e616590c052929294e86aa23644d012a839a87d9
MD5 hash:
eba8e50da4798e4565009357a7bf3efc
SHA1 hash:
239050a42dd8bbed55ed66cc57b9d905fc6fc2e9
Link:
https://www.unpac.me/results/f8b51053-c612-47dd-a4ec-4de6af8db44f/
SH256 hash:
0d6f77529ee406ef7d5e980a35d58553026e35548bd45e7dfb2d0d10b02c8f79
MD5 hash:
64f8364d155ea39366f7a636118e3bc0
SHA1 hash:
3d4b17b486890f6a553ecd678a316c7344376584
Link:
https://www.unpac.me/results/f8b51053-c612-47dd-a4ec-4de6af8db44f/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/0d6f77529ee4/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0d6f77529ee406ef7d5e980a35d58553026e35548bd45e7dfb2d0d10b02c8f79

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/339063/

Comments