MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 138186892d63fe3b0d5f8c62bd3b11737392e22fd5fd68f32dd5612e78a6407c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 4


Intelligence 4 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 138186892d63fe3b0d5f8c62bd3b11737392e22fd5fd68f32dd5612e78a6407c
SHA3-384 hash: 05125518dd22664abe54a310b50fef39a7af2c7725f67dfaee9c13065594918c9e0e68b1fb6be2b7053f10b59e503409
SHA1 hash: 198f001072707b90af18bf3cf37d4558ae026118
MD5 hash: 183ed8bd9edd06f4e9243e6d48061461
humanhash: black-hamper-november-golf
File name:SecuriteInfo.com.Variant.Razy.666259.18961.14144
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:3'177'472 bytes
First seen:2020-05-10 03:08:11 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 9d6b988ee2ff900bb46f7b1ad8162182 (3 x ArkeiStealer)
ssdeep 49152:jvE/Y54xzq1Z20ySEBKaLb4tY41bOTuwbRwnLfPJ+H5o987RQ:DsLm1ZaXBKaLb+9dw+IHuytQ
Threatray 188 similar samples on MalwareBazaar
TLSH 9DE53304F86A5791D8CF78F1E3A0D5E6E27D4E0F312983251AB17291547ED23CC2BAAD
Reporter SecuriteInfoCom
Tags:ArkeiStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
90
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Variant.Razy.666259.18961.14144.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Chapak
Create hunting rule
Status:
Malicious
First seen:
2020-05-09 21:20:28 UTC
File Type:
PE (Exe)
Extracted files:
12
AV detection:
27 of 31 (87.10%)
Threat level:
  2/5
Verdict:
malicious
Similar samples:
08c31318d635778eaaf19c55440ed58570e764db28339f3061d927d9f3643ce3
ArkeiStealer
32c17a6caeed78f79e06de58d5229927f77bc8c6b4865b41289d4da886a07df4
ArkeiStealer
341847d9c11face1487ab04072d6ddc5065a379011c6684e56e1f4fa8d8ab3f3
ArkeiStealer
470f7e4b374c37aeb60ce012b83d1da04899dbeda81f6a1799aadefc7789f5e6
ArkeiStealer
6fae048e4ff41fdf6b3183d0a6f3fbe5b07d42544694c4b6ff5b76be292a1615
ArkeiStealer
a437c93953253872a09714152f0230bb9e62eeb306cd8c772295cfd84ac14cec
ArkeiStealer
c158b8ed8c9a0221bfeb3dea8d026d5bb9bade9ecfd19191ada59c51c8eb4089
ArkeiStealer
daac1aafd4f0f7b1e1e0112e913285543d73179216bc42cdf67036dae67955f0
ArkeiStealer
db8d3e1f805b2f6219f99004258e23b3dd379a2dcc76338e3fb368ad23112a3b
ArkeiStealer
f1a10725589836a8b8959f7ceb298f84b1e5a9736fe97f32a816028aaff55001
ArkeiStealer
+ 178 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar discovery evasion spyware stealer trojan
Link:
https://tria.ge/reports/201109-6t8n37sjqj/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses 2FA software files, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
Looks up external IP address via web service
Checks BIOS information in registry
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Vidar
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_vidar_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_vidar_g0
Create hunting rule
Author:Slavo Greminger, SWITCH-CERT
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ArkeiStealer

Executable exe 138186892d63fe3b0d5f8c62bd3b11737392e22fd5fd68f32dd5612e78a6407c

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/360230/
  
Delivery method
Distributed via web download

Comments