MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0f3752cdf6653a331205269e6bd6ca4e265247847eed5be677bf758f29235d08. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ArkeiStealer
Vendor detections: 17

SHA256 hash: 0f3752cdf6653a331205269e6bd6ca4e265247847eed5be677bf758f29235d08
SHA3-384 hash: 6f69f3b8c3a0e2f0b3778d4a8716cf9decfbc37bd7fad0263b851009f17ca77a681c7a7b30bbd5d2be9b93d94a6838b7
SHA1 hash: da30b182d738ba13522a47dcacafde6c95fd4c81
MD5 hash: ef35dc59b9fa276abf18124fe027d531
humanhash: eleven-music-network-july
File name: Wed191029a419a6.exe
Signature: ArkeiStealer
File size: 622'592 bytes
First seen: 2022-07-23 02:33:35 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f6ee633166e72a1d10f4f54440093ac0 (4 x RaccoonStealer, 2 x FickerStealer, 2 x ArkeiStealer)
ssdeep: 12288:a1WQx7flEHm6JvlwfEttnh3XbyQqdPrl2mQmJWW/1duNeduiafb4:H6flGyfEbBLq5h2JkWWddugduiaj4
Threatray: 715 similar samples on MalwareBazaar
TLSH: T15BD4E030A6A1C034F4B311F885A693BCB93A7A716B7440CF52D66AED4B386E5EC30757
TrID:
  48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
  16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
  10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
  7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: ead8a89cc6e68ee0 (43 x RaccoonStealer, 31 x RedLineStealer, 20 x Smoke Loader)
Reporter: T9O4TsWMWYLLeXs
Tags: ArkeiStealer exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 261
Origin country: n/a

Vendor Threat Intelligence

Malware family:
ID: 1
File name: setup_x86_x64_install.exe
Verdict: Malicious activity
Analysis date: 2021-08-26 02:25:37 UTC
Tags: trojan stealer vidar evasion loader opendir rat redline raccoon
Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:
Behaviour:
  DNS request
  Sending an HTTP GET request
  Launching the default Windows debugger (dwwin.exe)
  Searching for the window
  Query of malicious DNS domain
  Sending a TCP request to an infection source

Result
Malware family: n/a
Score: 8/10
Tags: n/a
Behaviour:
  MalwareBazaar
  MeasuringTime
  SystemUptime
  EvasionGetTickCount
  EvasionQueryPerformanceCounter
  CheckCmdLine
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: greyware packed

Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Generic Malware
Verdict: Malicious

Result
Threat name:
Detection: malicious
Classification: troj.spyw
Score: 84 / 100
Signature:
  Antivirus / Scanner detection for submitted sample
  C2 URLs / IPs found in malware configuration
  Found many strings related to Crypto-Wallets (likely being stolen)
  Machine Learning detection for sample
  Malicious sample detected (through community Yara rule)
  Multi AV Scanner detection for submitted file
  Yara detected Vidar stealer

Result
Threat name: Win32.Ransomware.StopCrypt
Status: Malicious
First seen: 2021-08-25 22:50:43 UTC
File Type: PE (Exe)
Extracted files: 2
AV detection: 24 of 26 (92.31%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:vidar botnet:706 stealer
Behaviour:
  Modifies system certificate store
  Suspicious use of WriteProcessMemory
  Program crash
  Vidar Stealer
  Vidar
Malware Config
C2 Extraction: https://eduarroma.tumblr.com/

Unpacked files
SHA256 hash: a18e5d223da775448e2e111101fe1f4ab919be801fd435d3a278718aa5e6ccba
MD5 hash: 0c6cae115465a83f05d3ff391fd009ac
SHA1 hash: 066ea93bb540ae4be0d2e522d4bb59eec74053ad
Detections: win_vidar_auto

SHA256 hash: 0f3752cdf6653a331205269e6bd6ca4e265247847eed5be677bf758f29235d08
MD5 hash: ef35dc59b9fa276abf18124fe027d531
SHA1 hash: da30b182d738ba13522a47dcacafde6c95fd4c81

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Author: ditekSHen
Description: Detects executables containing SQL queries to confidential data stores. Observed in infostealers

Rule name: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation
Author: ditekSHen
Description: Detects executables containing potential Windows Defender anti-emulation checks

Rule name: MALWARE_Win_Vidar
Author: ditekSHen
Description: Detects Vidar / ArkeiStealer

Rule name: pdb_YARAify
Author: @wowabiy314
Description: PDB

Rule name: RedOctoberPluginCollectInfo

Rule name: Vidar
Author: kevoreilly
Description: Vidar Payload

Rule name: win_vidar_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.vidar.

File information


The table below shows additional information about this malware sample such as delivery method and external references.
