MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 149d9555994e5930d863674a2c55d295d5a19446bed86ef1079ccbbbdae9975f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ArkeiStealer

Vendor detections: 12

Intelligence 12 IOCs YARA 4 File information Comments

SHA256 hash:	149d9555994e5930d863674a2c55d295d5a19446bed86ef1079ccbbbdae9975f
SHA3-384 hash:	32f3e88181300c7475a2318b66112171ef5fee62012f495d7da09a7a5f00ca67b27d65ebb21c33cafe723e55111e3dc8
SHA1 hash:	dafd4a5f1924eca548e6b8ff7f88fd8826eb2584
MD5 hash:	ba0022a82e893e3478af3d3e4ea8d33e
humanhash:	winter-oscar-hotel-bacon
File name:	mixshop_20211014-230224
Download:	download sample
Signature	ArkeiStealer Create hunting rule
File size:	681'984 bytes
First seen:	2021-10-14 21:26:14 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	b5be897698085ea8cfb89dc856c9bdbe (3 x RaccoonStealer, 2 x ArkeiStealer, 1 x DanaBot)
ssdeep	12288:hdG/geQ+pUaQdn1QneYi7b1PuhJc5KbnlHvDxFJbHIjJQlEexW5S:hgghwgn18ez1WJc5KblHbVcV88
Threatray	3'352 similar samples on MalwareBazaar
TLSH	T1DCE412313262C4B6D4674A708830BAA99E3A7DF0DF71934B77ECDA1E1EB52908761317
File icon (PE):
dhash icon	fcfc94d4d4dcd8c0 (2 x ArkeiStealer, 2 x Tofsee, 2 x RaccoonStealer)
Reporter	benkow_
Tags:	ArkeiStealer exe vidar

Intelligence

File Origin

# of uploads :

# of downloads :

361

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

mixshop_20211014-230224

Verdict:

Suspicious activity

Analysis date:

2021-10-14 21:30:45 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/74b57fb1-989d-4508-9b95-5c42937b3529

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/197646/

Detection(s):

Win.Trojan.Generic-9902487-0

Result

Verdict:

Suspicious

Maliciousness:

Behaviour

Connection attempt to an infection source

Sending a TCP request to an infection source

Launching the default Windows debugger (dwwin.exe)

Query of malicious DNS domain

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/f0a35015-29b3-4748-9b2a-90a8f2654a61

Result

Threat name:

Vidar

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/870799

Signature

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Self deletion via cmd delete

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected Vidar

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

vidar

Link:

https://mwdb.cert.pl/sample/149d9555994e5930d863674a2c55d295d5a19446bed86ef1079ccbbbdae9975f/

Threat name:

Win32.Trojan.Fragtor

Status:

Malicious

First seen:

2021-10-14 21:27:04 UTC

AV detection:

20 of 45 (44.44%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=csozkvmzjzmtbwddm5fcyvossxk2dfcgx3mg54ihttf3xwxjs5pq._file

Verdict:

malicious

ArkeiStealer

1fbbaa6cfa20d6e11a3e5e4ba0702f608d474cbf5a86eef891fb57a671c684be

ArkeiStealer

3893dc157f444a1b98d11a33630f78a45579b826f3ce83c08bb7b176cbfa2418

ArkeiStealer

7a5444f5316764d3960132052abe097784a29b7390e0ece10c86b804c125100f

ArkeiStealer

90618d3aa5146d27b46476a4c7bfcc2e5323b74dcbcf2c0af6b4f00c4c2d9297

ArkeiStealer

9fefd930a1cc7b257fe5a65bc3eda3167bc0f82895f288fc34eaca3411b2688b

ArkeiStealer

d202d7bf72a9cbe6d6358875bce8cd9d32b9519a547c9339e725e21bf86ece12

ArkeiStealer

+ 3'342 additional samples on MalwareBazaar

Result

Malware family:

vidar

Score:

10/10

Tags:

family:vidar botnet:1015 discovery spyware stealer

Link:

https://tria.ge/reports/211014-1aqv5sacf7/

Behaviour

Checks processor information in registry

Delays execution with timeout.exe

Kills process with taskkill

NTFS ADS

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Accesses 2FA software files, possible credential harvesting

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Loads dropped DLL

Reads user/profile data of web browsers

Downloads MZ/PE file

Executes dropped EXE

Vidar Stealer

Vidar

Malware Config

C2 Extraction:

https://mas.to/@sslam

Unpacked files

SH256 hash:

f74f4998f02e42420e41bf0fdab9ff5de54c8807668e49c98c362854e5836f8e

MD5 hash:

563b28f1191b3cfa2cb490c5b252f801

SHA1 hash:

bd6fec0fb42bf2bd43a3cd81c28eca51e30dc1bf

Link:

https://www.unpac.me/results/f00b3841-6786-4f1b-9050-9ac9a7f79649/

SH256 hash:

149d9555994e5930d863674a2c55d295d5a19446bed86ef1079ccbbbdae9975f

MD5 hash:

ba0022a82e893e3478af3d3e4ea8d33e

SHA1 hash:

dafd4a5f1924eca548e6b8ff7f88fd8826eb2584

Link:

https://www.unpac.me/results/f00b3841-6786-4f1b-9050-9ac9a7f79649/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/149d9555994e/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/149d9555994e5930d863674a2c55d295d5a19446bed86ef1079ccbbbdae9975f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing SQL queries to confidential data stores. Observed in infostealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing potential Windows Defender anti-emulation checks

Rule name:	MALWARE_Win_Vidar Create hunting rule
Author:	ditekSHen
Description:	Detects Vidar / ArkeiStealer

Rule name:	Vidar Create hunting rule
Author:	kevoreilly
Description:	Vidar Payload

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

GCleaner

Cape

https://www.capesandbox.com/analysis/197646/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample