MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0e940d0dd87d66b1d1f01364278d5f38c65ca1f9a9d2fb776f4e393c2951ab50. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0e940d0dd87d66b1d1f01364278d5f38c65ca1f9a9d2fb776f4e393c2951ab50
SHA3-384 hash: e380f0ccf539762f384fd58bd01d4e2dc718e7fe62d58bd09dd00f11419a7e910486ea20da3efcdce36bace97ab83628
SHA1 hash: 2e6aedae84a2d11cee4ef9175c67f14f02037294
MD5 hash: 2d58659598b31e3ea519f1bddff5638c
humanhash: uranus-nine-double-oregon
File name:doc 0034893475678000238_9843.xll
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:633'344 bytes
First seen:2022-05-04 16:36:47 UTC
Last seen:Never
File type:Excel file xll
MIME type:application/x-dosexec
imphash a31761b5a590c4c499d5f4a347d75c12 (23 x Formbook, 17 x AgentTesla, 6 x RedLineStealer)
ssdeep 12288:Wn/zDvGHAykH8vLW/4+8bzbBSreMdaBY4ZyrE7K3yl8PeVooA/AB2LEJZ+QQThkn:EzbGHAzHKjX1dBY4ZyrE7K3yl8PeVooP
Threatray 102 similar samples on MalwareBazaar
TLSH T147D49F57F7C7F6B0E6BE827A82F2991C52B774660250A78F664072886D23392453DF0F
TrID 58.0% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
34.3% (.OCX) Windows ActiveX control (116521/4/18)
3.0% (.EXE) Win64 Executable (generic) (10523/12/4)
1.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.3% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter Anonymous
Tags:ArkeiStealer vidar xll


Avatar
Anonymous
xll sample via malspam

Intelligence

File Origin
# of uploads :
1
# of downloads :
208
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
doc 0034893475678000238_9843.xll
Verdict:
No threats detected
Analysis date:
2022-05-04 13:45:55 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/b10286cc-9873-4f6f-99e0-8cedb721eef9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Artemis4EBC548DF517.17970.15145.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malicious
File Type:
Office Add-Ins - Suspicious
Link:
https://app.docguard.net/0e940d0dd87d66b1d1f01364278d5f38c65ca1f9a9d2fb776f4e393c2951ab50/results/dashboard
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/6272abb02b32b1c37c937da9/reports/9597cc7c-b577-4aef-90a9-d126b4b01d73/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/987937
Signature
Creates and opens a fake document (probably a fake document to hide exploiting)
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Document exploit detected (creates forbidden files)
Document exploit detected (drops PE files)
Document exploit detected (process start blacklist hit)
Drops PE files to the user root directory
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Office process drops PE file
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 620433 Sample: doc 0034893475678000238_9843.xll Startdate: 04/05/2022 Architecture: WINDOWS Score: 100 44 uylab.org 2->44 46 t.me 2->46 54 Snort IDS alert for network traffic 2->54 56 Malicious sample detected (through community Yara rule) 2->56 58 Multi AV Scanner detection for submitted file 2->58 60 7 other signatures 2->60 10 cmd.exe 4 2 2->10         started        signatures3 process4 process5 12 EXCEL.EXE 225 65 10->12         started        17 conhost.exe 10->17         started        dnsIp6 52 uylab.org 172.67.223.74, 443, 49757 CLOUDFLARENETUS United States 12->52 42 C:\Users\Public\fcfm2ww2.exe, PE32 12->42 dropped 70 Document exploit detected (creates forbidden files) 12->70 72 Creates and opens a fake document (probably a fake document to hide exploiting) 12->72 19 fcfm2ww2.exe 162 12->19         started        24 EXCEL.EXE 36 22 12->24         started        file7 signatures8 process9 dnsIp10 48 95.217.246.15, 49764, 80 HETZNER-ASDE Germany 19->48 50 t.me 149.154.167.99, 443, 49763 TELEGRAMRU United Kingdom 19->50 34 C:\ProgramData\vcruntime140.dll, PE32 19->34 dropped 36 C:\ProgramData\softokn3.dll, PE32 19->36 dropped 38 C:\ProgramData\nss3.dll, PE32 19->38 dropped 40 3 other files (none is malicious) 19->40 dropped 62 Detected unpacking (changes PE section rights) 19->62 64 Detected unpacking (creates a PE file in dynamic memory) 19->64 66 Detected unpacking (overwrites its own PE header) 19->66 68 4 other signatures 19->68 26 cmd.exe 1 19->26         started        file11 signatures12 process13 process14 28 taskkill.exe 1 26->28         started        30 conhost.exe 26->30         started        32 timeout.exe 1 26->32         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0e940d0dd87d66b1d1f01364278d5f38c65ca1f9a9d2fb776f4e393c2951ab50/
Threat name:
Win64.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2022-05-04 11:28:29 UTC
File Type:
PE+ (Dll)
Extracted files:
2
AV detection:
10 of 26 (38.46%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
044233e16f3e3ff7dcdeab11bfa49a9e99c943f2f97ee293705e45b9558c2bbb
ArkeiStealer
983ffa1a7513ab6d015e1c4785bda2a2f20a47bf6091773db9341ebcdaf84e93
ArkeiStealer
aaa77ce4b5341185c016e9cc4f28c16b5e3f8e544f3dff6a66e33718c2775088
ArkeiStealer
b3f6afb079d5d25bea3a043d033091d5a0a8fde399c900a6337bc5e1dd65d279
ArkeiStealer
c7ecbd646727c85760706a61c2283909c13cb5cd80f51f3ce5af83ed438d293d
ArkeiStealer
cdac614b0ddd13a7de4b73ae76b8d351b63114677c1d40c70bf0d921ff1f6861
ArkeiStealer
d340898f14aaa9f884b022b4be1b849eae4be5e275432348dc6bcb1fa09e28cb
ArkeiStealer
dba5353ab99e0d16f30cf5ee5f1f160493b9a9b6364c71197e573f81e4145e75
ArkeiStealer
e5013497a297e36f89cc5dc3e369faf27bb9b88684cad53accad8b006433a6c5
ArkeiStealer
e8ec7dcf12edf07c6099157c32557f41ebd74ddee6b125d1e34dcc4259dc10a7
ArkeiStealer
+ 92 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar botnet:1324 discovery spyware stealer suricata
Link:
https://tria.ge/reports/220504-t4shhaecc4/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Enumerates system info in registry
Kills process with taskkill
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Vidar Stealer
Vidar
suricata: ET MALWARE Possible MalDoc Payload Download Nov 11 2014
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Vidar/Arkei/Megumin Stealer Keywords Retrieved
suricata: ET MALWARE W32/Agent.OGR!tr.pws Stealer
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0e940d0dd87d66b1d1f01364278d5f38c65ca1f9a9d2fb776f4e393c2951ab50

File information

The table below shows additional information about this malware sample such as delivery method and external references.

ArkeiStealer

Excel file xll 0e940d0dd87d66b1d1f01364278d5f38c65ca1f9a9d2fb776f4e393c2951ab50

(this sample)

df46afaddffedab5fb0c37d07f9d22fc1d0ffcc2e68c1fea73356534ff300ca1

  
Link
https://uylab.org/blog/doc%200034893475678000238_9843.xll
  
Dropping
SHA256 df46afaddffedab5fb0c37d07f9d22fc1d0ffcc2e68c1fea73356534ff300ca1
  
Delivery method
Distributed via e-mail link
  
URLhaus
https://urlhaus.abuse.ch/url/2179237/

Comments