MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 117f4d1a22c7e9776a86ce878d5eaf21665e78de6c7eb6997af103b72b9784d7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 10


Intelligence 10 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 117f4d1a22c7e9776a86ce878d5eaf21665e78de6c7eb6997af103b72b9784d7
SHA3-384 hash: ced1f224fd9ece967d5e616fa5541dbe3b1f6ffd9636cd50f5f4e7263238dd2916773205dae482ad89df732aadd14b3d
SHA1 hash: f473dca9e601a27ff3df0891679bc77223ba9d13
MD5 hash: 3865c9cf8a8e3b65b676562496e48164
humanhash: fanta-wisconsin-oklahoma-spaghetti
File name:3865c9cf8a8e3b65b676562496e48164.exe
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:518'144 bytes
First seen:2021-08-29 15:09:44 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 065a584d0d50807005a7c41fcb9adea6 (6 x RaccoonStealer, 2 x RedLineStealer, 1 x DanaBot)
ssdeep 6144:tR9xGuN8Oa8cOjxFqILz1/AYMhjJDKycWMkJXVYYvs3s0u6eOQRhQ0d2dCDTbsIh:nj8PSFqItIXnJBvs3s6/8hQZ8sc
Threatray 626 similar samples on MalwareBazaar
TLSH T153B412453430D673D5CBA4B18499B1A4526BB9326E22C68F2B48477E3E712E0193F7FB
dhash icon 4839b2b0e8c38890 (105 x RaccoonStealer, 38 x Smoke Loader, 33 x RedLineStealer)
Reporter abuse_ch
Tags:ArkeiStealer exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
135
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
https://www.google.com
Verdict:
Malicious activity
Analysis date:
2021-08-29 10:53:47 UTC
Tags:
trojan loader rat redline stealer vidar evasion opendir
Link:
https://app.any.run/tasks/10004576-5bda-4a32-85f8-9becfdde9a94

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Vidar
Create hunting rule
Link:
https://www.capesandbox.com/analysis/183269/
Detection(s):
Win.Packed.Generic-9889004-0
Create hunting rule

Win.Dropper.Fragtor-9889135-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching the default Windows debugger (dwwin.exe)
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Deleting a recently created file
Replacing files
Reading critical registry keys
Sending a UDP request
Creating a window
Delayed writing of the file
Running batch commands
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Searching for the window
Launching a process
Stealing user critical data
Launching a tool to kill processes
Forced shutdown of a browser
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a0deba26-5404-41c4-a8ee-fd87611ae4ca
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/841072
Signature
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/117f4d1a22c7e9776a86ce878d5eaf21665e78de6c7eb6997af103b72b9784d7/
Threat name:
Win32.Trojan.Fragtor
Create hunting rule
Status:
Malicious
First seen:
2021-08-28 21:15:22 UTC
AV detection:
17 of 26 (65.38%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=cf7u2grcy7uxo2ugz2dy2xvpeftf46g6nr7lngl26eb3ok4xqtlq._file
Verdict:
malicious
Similar samples:
077ac4018bc25a85796c54e06872071d561df272188dde34daca7e5d01e950fd
ArkeiStealer
39326cdd0c863e1766ecc3d119ec18fdaa93ef886cfbc887f76784f745df73e4
ArkeiStealer
54619b816d64d1a770ef510c94d06d4cee747ca885188c80f71fd69434d057c4
ArkeiStealer
607b9c1a8aee003955b0715d05e9a044ec8937e6f169b5d166bef5ce8d269d39
ArkeiStealer
8acc169eac0f47377ad2a34a4fe277b73431f26cf3b262728bc1a8f17020c3e8
ArkeiStealer
bda2b27d917dc919d2df7f2768a5d20f4f554e6f0eeb687f5ac45b53aecbb2f3
ArkeiStealer
c14ef442698e3a613e47deb6a6fb477235a88f857ce3f5a8f5cfcbe43c4f7742
ArkeiStealer
+ 616 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar botnet:1002 discovery spyware stealer suricata
Link:
https://tria.ge/reports/210829-nttfewt2yx/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Vidar Stealer
Suspicious use of NtCreateProcessExOtherParentProcess
Vidar
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
Malware Config
C2 Extraction:
https://eduarroma.tumblr.com/
Unpacked files
SH256 hash:
0de7c515caacb723699d3cba76d7f80ac30e5895895245057ed3ef14f6de63b2
MD5 hash:
c5241aaf68793b396a06a908dfad38d2
SHA1 hash:
6d13ac192a942dda309553d0317370cfd1e42c23
Link:
https://www.unpac.me/results/0820e2ae-b0c2-4454-b2c3-4bf9d7da0f10/
SH256 hash:
117f4d1a22c7e9776a86ce878d5eaf21665e78de6c7eb6997af103b72b9784d7
MD5 hash:
3865c9cf8a8e3b65b676562496e48164
SHA1 hash:
f473dca9e601a27ff3df0891679bc77223ba9d13
Link:
https://www.unpac.me/results/0820e2ae-b0c2-4454-b2c3-4bf9d7da0f10/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/117f4d1a22c7/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/117f4d1a22c7e9776a86ce878d5eaf21665e78de6c7eb6997af103b72b9784d7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation
Create hunting rule
Author:ditekSHen
Description:Detects executables containing potential Windows Defender anti-emulation checks
Rule name:MALWARE_Win_Vidar
Create hunting rule
Author:ditekSHen
Description:Detects Vidar / ArkeiStealer
Rule name:RedOctoberPluginCollectInfo
Create hunting rule
Rule name:Vidar
Create hunting rule
Author:kevoreilly
Description:Vidar Payload

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ArkeiStealer

Executable exe 117f4d1a22c7e9776a86ce878d5eaf21665e78de6c7eb6997af103b72b9784d7

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/183269/
  
URLhaus
https://urlhaus.abuse.ch/url/1549208/
  
Delivery method
Distributed via web download

Comments