MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1732053a4bd2bd25d10b29a0e67fccce76df847635fe14a123eb1fae05ee7540. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ArkeiStealer

Vendor detections: 12

Intelligence 12 IOCs YARA 10 File information Comments

SHA256 hash:	1732053a4bd2bd25d10b29a0e67fccce76df847635fe14a123eb1fae05ee7540
SHA3-384 hash:	96cc1f5eea1a6965e9d350c468d7a4ba8918a2db6824470f47a43d7fc739724327cfad156f572906327d8100a058fc6d
SHA1 hash:	04ef65c642d78ca80043a3e26e800c3565ca3159
MD5 hash:	cb8899f49bbe9d2ede35c85fae52c8c1
humanhash:	bulldog-six-charlie-oregon
File name:	cb8899f49bbe9d2ede35c85fae52c8c1.exe
Download:	download sample
Signature	ArkeiStealer Create hunting rule
File size:	534'016 bytes
First seen:	2023-07-13 07:44:26 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	86c47702e68c17088ae94614621346cc (1 x ArkeiStealer)
ssdeep	12288:JKFbgfxiiDY95+IUH7wHcpgzPmiNT1TCy:Tfoy6jAUHcvA1TC
Threatray	10 similar samples on MalwareBazaar
TLSH	T1D5B45C13D2E33D45EA66CB769E1EC7ECB64DF2508F4A7B6922189E1F04B11B2C163721
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	000031c180742415 (1 x ArkeiStealer)
Reporter	abuse_ch
Tags:	ArkeiStealer exe

Intelligence

File Origin

# of uploads :

# of downloads :

269

Origin country :

Vendor Threat Intelligence

Malware family:

arkei

ID:

File name:

cb8899f49bbe9d2ede35c85fae52c8c1.exe

Verdict:

Malicious activity

Analysis date:

2023-07-13 07:53:39 UTC

Tags:

arkei stealer vidar trojan

Link:

https://app.any.run/tasks/eb1a883c-6127-449e-ac7c-21178f18fe0b

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Vidar

Link:

https://www.capesandbox.com/analysis/417297/

Detection(s):

Win.Packer.pkr_ce1a-9980177-0

Result

Verdict:

Clean

Maliciousness:

Behaviour

Sending a custom TCP request

Verdict:

Malicious

Threat level:

10/10

Confidence:

86%

Tags:

greyware packed xpack

Link:

https://www.filescan.io/uploads/64afab7f58d62e49a2fd5313/reports/788823a3-f53a-498b-b156-1a7be8adac2a/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/1732053a4bd2bd25d10b29a0e67fccce76df847635fe14a123eb1fae05ee7540

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/4a5c765a-4011-4adf-b493-ff3886a7b081

Result

Threat name:

Vidar

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1272290

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Searches for specific processes (likely to inject)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Crypto Currency Wallets

Uses known network protocols on non-standard ports

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/1732053a4bd2bd25d10b29a0e67fccce76df847635fe14a123eb1fae05ee7540/

Threat name:

Win32.Trojan.Generic

Status:

Suspicious

First seen:

2023-07-12 19:44:26 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

23 of 37 (62.16%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=c4zakosl2k6sluilfgqom76mzz3n7bdwgx7bjijd5mp24bpoovaa._file

Verdict:

malicious

Result

Malware family:

vidar

Score:

10/10

Tags:

family:vidar botnet:https://t.me/eagl3z discovery spyware stealer

Link:

https://tria.ge/reports/230713-jldxaagg2y/

Behaviour

Checks processor information in registry

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Accesses 2FA software files, possible credential harvesting

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Loads dropped DLL

Reads user/profile data of web browsers

Vidar

Malware Config

C2 Extraction:

https://t.me/eagl3z
https://steamcommunity.com/profiles/76561199159550234

Unpacked files

SH256 hash:

bff1ea7a400618bc907be40125a20e58e2a2a34cc0a195c383289b2458e30c8b

MD5 hash:

18d456773e822dae964ba76602ef44d2

SHA1 hash:

e514afdd477bc8c17fed0c7bd06593024893b4bd

Link:

https://www.unpac.me/results/ad651bca-336e-4008-a735-fef832cbaab7/

SH256 hash:

34298fa71196f73f673685db366a4528782fc1c5dd625aeb2d1c3505e651dfa4

MD5 hash:

7a0da91a4c11c9e8eb6b66138f727abc

SHA1 hash:

a05a934825677eb267a06753b2dee7e57ed0dd8f

Link:

https://www.unpac.me/results/ad651bca-336e-4008-a735-fef832cbaab7/

SH256 hash:

1732053a4bd2bd25d10b29a0e67fccce76df847635fe14a123eb1fae05ee7540

MD5 hash:

cb8899f49bbe9d2ede35c85fae52c8c1

SHA1 hash:

04ef65c642d78ca80043a3e26e800c3565ca3159

Link:

https://www.unpac.me/results/ad651bca-336e-4008-a735-fef832cbaab7/

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	grakate_stealer_nov_2021 Create hunting rule

Rule name:	has_telegram_urls Create hunting rule
Author:	Aaron DeVera<aaron@backchannel.re>
Description:	Detects Telegram URLs

Rule name:	INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs Create hunting rule
Author:	ditekSHen
Description:	Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.

Rule name:	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA Create hunting rule
Author:	ditekSHen
Description:	Detects Windows executables referencing non-Windows User-Agents

Rule name:	PE_Potentially_Signed_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	Telegram_Links Create hunting rule

Rule name:	Vidar Create hunting rule
Author:	kevoreilly,rony
Description:	Vidar Payload

Rule name:	win_vidar Create hunting rule
Author:	Matthew @ Embee_Research
Description:	Detection of Vidar Stealer and Variants via strings present in final unpacked payloads

Rule name:	win_vidar_strings_jun_2023 Create hunting rule
Author:	Matthew @ Embee_Research
Description:	Detection of Vidar Stealer and Variants via strings present in final unpacked payloads