MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 16a45c12b0517cb425d5c5af63fbb0b65b184ac1e36761755544d47bedb622b8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 12


Intelligence 12 IOCs YARA 6 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 16a45c12b0517cb425d5c5af63fbb0b65b184ac1e36761755544d47bedb622b8
SHA3-384 hash: 0b41d6e6c88ab232cee09ac0f0a52133426e90de06fc07f572b6eef6845f4fb84e459b61f63e39fd2caa8f34e289b593
SHA1 hash: 07dc8d4dc9d8cc619e0ef48c6b8668a2e378f55b
MD5 hash: 01ad3a5de39f36b2eb518d5a6ee4ea8b
humanhash: stream-alpha-hamper-magazine
File name:01ad3a5de39f36b2eb518d5a6ee4ea8b
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:1'207'696 bytes
First seen:2022-03-24 21:40:13 UTC
Last seen:2022-03-24 23:43:43 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash d5ae8cad999f1b389baf4b93b1db4fe5 (1 x ArkeiStealer)
ssdeep 24576:47aSTGQ/7QU9ASHAbguu6lDphD59l6m6hViSZK/cRgOnmq9g66B36rKX6r:47aLQMhSHAsuushD59l6mQsvcOU7m6i2
Threatray 5'484 similar samples on MalwareBazaar
TLSH T1174533CB03C96E16F8A4EDF51962CF87CB1EF20209C3E707A5C8249DBC55A15BA38569
File icon (PE):PE icon
dhash icon b270e2e0c0e070b2 (1 x ArkeiStealer, 1 x RedLineStealer)
Reporter zbetcheckin
Tags:32 ArkeiStealer exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
246
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Vidar
Create hunting rule
Link:
https://www.capesandbox.com/analysis/257404/
Detection(s):
PUA.Win.Packer.Asprotect-3
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Creating a window
Launching a process
DNS request
Sending an HTTP GET request
Creating a file
Reading critical registry keys
Delayed writing of the file
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Stealing user critical data
Launching a tool to kill processes
Unauthorized injection to a system process
Forced shutdown of a browser
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/623ce547a19c64941289d5cb/reports/9f3f2b0b-1757-4054-bb48-ce3799635e64/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Vidar
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/fc3fceaa-d90c-4cef-a425-e8ad65290126
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/964135
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
Contains functionality to detect sleep reduction / modifications
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
PE file has nameless sections
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected Vidar
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 596614 Sample: bqh4uFh85r Startdate: 24/03/2022 Architecture: WINDOWS Score: 100 38 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->38 40 Found malware configuration 2->40 42 Malicious sample detected (through community Yara rule) 2->42 44 7 other signatures 2->44 8 bqh4uFh85r.exe 2->8         started        process3 signatures4 46 Writes to foreign memory regions 8->46 48 Allocates memory in foreign processes 8->48 50 Injects a PE file into a foreign processes 8->50 52 Contains functionality to detect sleep reduction / modifications 8->52 11 InstallUtil.exe 155 8->11         started        process5 dnsIp6 32 78.47.227.68, 49785, 80 HETZNER-ASDE Germany 11->32 34 stereodon.social 185.105.3.28, 443, 49784 GCOREAT Luxembourg 11->34 36 45.87.154.44, 49791, 80 ASN-POSTLTDRU Russian Federation 11->36 24 C:\Users\user\AppData\...\softokn3[1].dll, PE32 11->24 dropped 26 C:\Users\user\AppData\...\mozglue[1].dll, PE32 11->26 dropped 28 C:\Users\user\AppData\...\freebl3[1].dll, PE32 11->28 dropped 30 9 other files (none is malicious) 11->30 dropped 54 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 11->54 56 Tries to steal Mail credentials (via file / registry access) 11->56 58 Tries to harvest and steal browser information (history, passwords, etc) 11->58 60 Tries to steal Crypto Currency Wallets 11->60 16 cmd.exe 1 11->16         started        file7 signatures8 process9 process10 18 taskkill.exe 1 16->18         started        20 conhost.exe 16->20         started        22 timeout.exe 1 16->22         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/16a45c12b0517cb425d5c5af63fbb0b65b184ac1e36761755544d47bedb622b8/
Threat name:
Win32.Infostealer.Vidar
Create hunting rule
Status:
Malicious
First seen:
2022-03-24 21:41:23 UTC
File Type:
PE (Exe)
Extracted files:
19
AV detection:
17 of 26 (65.38%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=c2sfyevqkf6lijovywxwh65qwznrqswb4ntwc5kvitkhx3nwek4a._file
Verdict:
malicious
Similar samples:
013d7d2e73fdd28f0af0b3e5a057461d6041b0a13f487802a181d8378cbbae3b
ArkeiStealer
2e71e3bcb39c87ae43d0019b5d62084b8eb2bb0ebe09c05d7cf2ad026082e527
ArkeiStealer
80cdfc120b7824e7cb5b34fc9ab1b6b43b84dfb435fd8f3e681ad4ae0ebd41de
ArkeiStealer
85d72f1ce124aec3b3c1491217801ad99b3727b48583dbcce3894205aea7f46d
ArkeiStealer
8cd01ec40879ae6aa2c34aeaf52c2074030351a7fc712e41b1519c84b0725ced
ArkeiStealer
abc7f395229f5f05074280e01c2e3726aa409d14c0a43ddf52a0368d53462747
ArkeiStealer
b0de3b3eb79e5291dcd933e0e8231c90208e2e11e894500fb7df6487ba259ba9
ArkeiStealer
eeb0c6a760a7c9d17c02dbacf4f4715917caf3d111209ce29b67b366dc8b9dd9
ArkeiStealer
+ 5'474 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar botnet:914 stealer
Link:
https://tria.ge/reports/220324-1jrh2aegd9/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Vidar Stealer
Vidar
Malware Config
C2 Extraction:
https://stereodon.social/@samssal
https://climatejustice.social/@s4m7al
Unpacked files
SH256 hash:
226faecbe0257910df10c6379524fe75845ec71b7949e72b5e0693985751ec90
MD5 hash:
e66ec6d6ee2757d2b9927fad1c5f20f5
SHA1 hash:
6a85806b40fe0e480958e4708408eebb06a6dd38
Link:
https://www.unpac.me/results/f061b659-03aa-4a9e-9d9a-a68fc77f4dc6/
SH256 hash:
2f104a672d0dc078f38040160216c216661a28c0aea16837e77ce6a04a181e4a
MD5 hash:
c44f50a0765a751a98076801722b3217
SHA1 hash:
f8b33f539184f5edef39e3111993791355ed06ad
Link:
https://www.unpac.me/results/f061b659-03aa-4a9e-9d9a-a68fc77f4dc6/
SH256 hash:
16a45c12b0517cb425d5c5af63fbb0b65b184ac1e36761755544d47bedb622b8
MD5 hash:
01ad3a5de39f36b2eb518d5a6ee4ea8b
SHA1 hash:
07dc8d4dc9d8cc619e0ef48c6b8668a2e378f55b
Link:
https://www.unpac.me/results/f061b659-03aa-4a9e-9d9a-a68fc77f4dc6/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/16a45c12b051/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/16a45c12b0517cb425d5c5af63fbb0b65b184ac1e36761755544d47bedb622b8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
Create hunting rule
Author:ditekSHen
Description:Detects binaries and memory artifcats referencing sandbox DLLs typically observed in sandbox evasion
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation
Create hunting rule
Author:ditekSHen
Description:Detects executables containing potential Windows Defender anti-emulation checks
Rule name:MALWARE_Win_Vidar
Create hunting rule
Author:ditekSHen
Description:Detects Vidar / ArkeiStealer
Rule name:quakbot_halo_generated
Create hunting rule
Author:Halogen Generated Rule, Corsin Camichel
Rule name:Vidar
Create hunting rule
Author:kevoreilly
Description:Vidar Payload

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ArkeiStealer

Executable exe 16a45c12b0517cb425d5c5af63fbb0b65b184ac1e36761755544d47bedb622b8

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2114457/
Cape
Cape
https://www.capesandbox.com/analysis/257404/

Comments


Avatar
zbet commented on 2022-03-24 21:40:14 UTC

url : hxxp://37.120.222.60/mysite/catimages/224.exe