MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 11760869d023db67e292f9efc9b02dc0f3f08624c5ec409290f4357d300f5bfa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 11760869d023db67e292f9efc9b02dc0f3f08624c5ec409290f4357d300f5bfa
SHA3-384 hash: 4e0f661a822916f2c3f9cec21aee46fc55a919f5cda60ab423e1a252c6691bfee20f27ebdd355c29435d035cc2540eb0
SHA1 hash: b1e722d526bc2a71b1496a1b23dc4b0ab9afe021
MD5 hash: 36fe75457be5610c8cb50a61a5f062f7
humanhash: floor-west-harry-potato
File name:file
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:432'640 bytes
First seen:2023-01-11 05:52:10 UTC
Last seen:2023-01-12 04:33:50 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 23dff981b91df1879141d9140cd71ef9 (10 x Smoke Loader, 5 x RedLineStealer, 4 x Tofsee)
ssdeep 12288:VmqeOUMGNPi2gjdSXHfSyM7TBwOCM7p7hVG:VmqeOU5fOdG/SyM7n
Threatray 1'863 similar samples on MalwareBazaar
TLSH T1CC94DF317A919872C116FE714F09CFE06A3F78A09B64A767B32457DF1FB0390B6A2215
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon fcbc949484a484c0 (1 x ArkeiStealer)
Reporter andretavare5
Tags:ArkeiStealer exe


Avatar
andretavare5
Sample downloaded from http://45.84.0.83/2825.exe

Intelligence

File Origin
# of uploads :
285
# of downloads :
213
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
vidar
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-01-11 05:53:43 UTC
Tags:
trojan stealer vidar
Link:
https://app.any.run/tasks/73a9a3e2-03d8-4676-9690-c627603e13ff

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/351803/
Detection(s):
Win.Packer.pkr_ce1a-9980177-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/63be4ec083a5ae8cb4a86d49/reports/88ddc026-40b2-44c5-964b-27a705b2e87d/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Arkei Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a57ceb62-3fdb-472d-ad70-ad20eb622f99
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1149373
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
PE file has nameless sections
Self deletion via cmd or bat file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 782105 Sample: file.exe Startdate: 11/01/2023 Architecture: WINDOWS Score: 100 36 Malicious sample detected (through community Yara rule) 2->36 38 Antivirus detection for URL or domain 2->38 40 Antivirus detection for dropped file 2->40 42 6 other signatures 2->42 7 file.exe 22 2->7         started        process3 dnsIp4 28 142.132.168.13, 49699, 80 UNIVERSITYOFWINNIPEG-ASNCA Canada 7->28 30 t.me 149.154.167.99, 443, 49698 TELEGRAMRU United Kingdom 7->30 32 45.84.0.83, 49700, 80 ALEXHOSTMD Russian Federation 7->32 24 C:\Users\user\AppData\Local\...\mn1[1].exe, PE32 7->24 dropped 26 C:\ProgramData\88232302167976891598.exe, PE32 7->26 dropped 44 Detected unpacking (changes PE section rights) 7->44 46 Detected unpacking (creates a PE file in dynamic memory) 7->46 48 Detected unpacking (overwrites its own PE header) 7->48 50 4 other signatures 7->50 12 88232302167976891598.exe 15 2 7->12         started        16 cmd.exe 1 7->16         started        file5 signatures6 process7 dnsIp8 34 transfer.sh 144.76.136.153, 443, 49701 HETZNER-ASDE Germany 12->34 52 Antivirus detection for dropped file 12->52 54 Multi AV Scanner detection for dropped file 12->54 56 Machine Learning detection for dropped file 12->56 18 WerFault.exe 24 9 12->18         started        20 conhost.exe 16->20         started        22 timeout.exe 1 16->22         started        signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/11760869d023db67e292f9efc9b02dc0f3f08624c5ec409290f4357d300f5bfa/
Threat name:
Win32.Ransomware.Stop
Create hunting rule
Status:
Malicious
First seen:
2023-01-11 05:53:09 UTC
File Type:
PE (Exe)
Extracted files:
72
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=cf3aq2oqepnwpyus7hx4tmbnydz7bbreyxwebeuq6q2x2maplp5a._file
Verdict:
malicious
Similar samples:
09ac5364fbafca4c7c9ad6f04fed82c2bedf9550e7690c8bbdacb8705a6921c9
ArkeiStealer
2f2c73a52b2c9975df2b1f9ccde2a8eb77493bc5d3e91a16d5d0eb3eb3ca9942
ArkeiStealer
67d623696828f77a0c7b9c81960709579c7b95f4c26d569b420ab05bbdf0049d
ArkeiStealer
723f833a06244d7601591949fae724e0176ca30ae9582f86848d20ffe0e33b77
ArkeiStealer
740f7721beb9b54af9948a8b6876547e298891984275c68ad0d2ef421feb0ef2
ArkeiStealer
922260358cff0b48e0098db3eb36065cfae990c0bddb75b21e2fa8ed9c1edb3e
ArkeiStealer
a59ecf6ddd571f60cd71d50c44e6002da374c22de3ff910cafd40bc49659e50f
ArkeiStealer
ab9aa981e24b6dbe183fff66d17e38fbb7ac1fa54fd1dbf3c4878c65ff18efa4
ArkeiStealer
aded3194fe3b8734ee021f6e4ce81fc207b6e258c96ceb9bf2e1f77eccc4a87f
ArkeiStealer
f89ea963fcb584772f149a3c6a576d2a8cb037b3f956ac43dfc9ca0abe310956
ArkeiStealer
+ 1'853 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar botnet:24 discovery spyware stealer
Link:
https://tria.ge/reports/230111-gla5aaed3v/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Vidar
Malware Config
C2 Extraction:
https://t.me/travelticketshop
https://steamcommunity.com/profiles/76561199469016299
Verdict:
Informative
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/e0b61dea-f176-467f-af6a-a98904bdb347
Unpacked files
SH256 hash:
3a538ff926f6fe2aee5d740540ffd698debf137078f07c7988f532067c9e3145
MD5 hash:
233ccfa678f47672ab414861c4391744
SHA1 hash:
1a2a842a27e81c7ef7d49e1f4974f0ef660bce68
Link:
https://www.unpac.me/results/fe4c2413-d7cc-4ce8-8329-b9c4d56f90b1/
SH256 hash:
11760869d023db67e292f9efc9b02dc0f3f08624c5ec409290f4357d300f5bfa
MD5 hash:
36fe75457be5610c8cb50a61a5f062f7
SHA1 hash:
b1e722d526bc2a71b1496a1b23dc4b0ab9afe021
Link:
https://www.unpac.me/results/fe4c2413-d7cc-4ce8-8329-b9c4d56f90b1/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/11760869d023/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/11760869d023db67e292f9efc9b02dc0f3f08624c5ec409290f4357d300f5bfa

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:Telegram_Links
Create hunting rule
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/351803/
  
URLhaus
https://urlhaus.abuse.ch/url/2485201/

Comments