MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 19362eda54d5c1f090d95cddc7207d1263e376f2f58db1fa17d587136f41b1ac. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ArkeiStealer

Vendor detections: 14

Intelligence 14 IOCs YARA 11 File information Comments

SHA256 hash:	19362eda54d5c1f090d95cddc7207d1263e376f2f58db1fa17d587136f41b1ac
SHA3-384 hash:	26dd4ceb47f50f9c4df74d6f9ddb95e4321d005c995255e8e7cc1483ad804e06e4596385ede0bb50186f604512415fe9
SHA1 hash:	d0bb46718be0aad1d7027f94cc4662b0af5e4f97
MD5 hash:	3cf2a64c798b9ff91473b1644933f99c
humanhash:	johnny-equal-earth-ink
File name:	19362eda54d5c1f090d95cddc7207d1263e376f2f58db1fa17d587136f41b1ac
Download:	download sample
Signature	ArkeiStealer Create hunting rule
File size:	23'592'128 bytes
First seen:	2023-07-03 12:00:37 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	e569e6f445d32ba23766ad67d1e3787f (262 x Adware.Generic, 41 x RecordBreaker, 24 x RedLineStealer)
ssdeep	393216:rcDwhcRP3aspro1RM78rsZXGC4zZakt/qLYoDUXWhdazMQFKvayUmZy7MVqfKm5G:iwSRPas+JMGC4zx/IhqMQFGUmPUK5
Threatray	181 similar samples on MalwareBazaar
TLSH	T14737333FF1A4B03FD49A1B3145B396509877BB51651A8C0B07FC389ECF6A2B05E3A616
TrID	50.4% (.EXE) Inno Setup installer (109740/4/30) 19.7% (.EXE) InstallShield setup (43053/19/16) 19.1% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9) 4.8% (.EXE) Win64 Executable (generic) (10523/12/4) 2.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	5050d270cccc82ae (109 x Adware.Generic, 43 x LummaStealer, 42 x OffLoader)
Reporter	adrian__luca
Tags:	ArkeiStealer exe

Intelligence

File Origin

# of uploads :

# of downloads :

304

Origin country :

Vendor Threat Intelligence

Malware family:

vidar

ID:

File name:

https://crackedpc.org/adobe-photoshop-cc-april-2023-crack/

Verdict:

Malicious activity

Analysis date:

2023-06-18 21:36:15 UTC

Tags:

stealer vidar trojan arkei

Link:

https://app.any.run/tasks/2318c0eb-29c3-4a1a-a827-08db156d96ea

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.FileRepPup.27110.30478.UNOFFICIAL

Result

Verdict:

Suspicious

Maliciousness:

Behaviour

Creating a file in the %temp% subdirectories

Creating a window

Creating a process from a recently created file

Сreating synchronization primitives

Searching for synchronization primitives

Searching for the window

Moving a file to the %temp% subdirectory

DNS request

Sending a custom TCP request

Sending an HTTP GET request

Behavior that indicates a threat

Result

Malware family:

n/a

Score:

6/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/95304/overview

Behaviour

MalwareBazaar

CheckNumberOfProcessor

CheckCmdLine

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

control installer lolbin overlay packed setupapi shell32

Link:

https://www.filescan.io/uploads/64a2b882305ba46e8acf2ae0/reports/43ce9109-14d3-4bcd-bb9a-a1b920768ac2/overview

Verdict:

Malicious

Link:

https://www.hybrid-analysis.com/sample/19362eda54d5c1f090d95cddc7207d1263e376f2f58db1fa17d587136f41b1ac

Result

Verdict:

MALICIOUS

Result

Threat name:

Vidar

Detection:

malicious

Classification:

troj.spyw

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/1265849

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

Gathering data

Threat name:

Win32.Spyware.Vidar

Status:

Suspicious

First seen:

2023-06-18 22:44:59 UTC

File Type:

PE (Exe)

Extracted files:

718

AV detection:

13 of 37 (35.14%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=de3c5wsu2xa7begzlto4oid5cjr6g5xs6wg3d6qx2wdrg32bwgwa._file

Verdict:

malicious

ArkeiStealer

539a3681579af9e5c6cfb68628557212083173acd09719c7077c00ea37f91b2f

ArkeiStealer

87f58956937f84708706f515675d0b48125ace13ede701886e433cc8b336720d

ArkeiStealer

906774638a383308ce21011b3dbce87721ee4f0e5764b6470a273671bbddaa18

ArkeiStealer

9e9e150d6ff9170caa0ffaab65332ddf4a849b0a5cee015f8a2f7b94d7e4fbf3

ArkeiStealer

a1840b15c1cb1a7da67a23c2f83ec9a6378a91813fe9a95ec5c2304142f236d4

ArkeiStealer

c4db7d1e957d2225520705672e86d4ee9d14cb8df62248c26d5442fd414d48a2

ArkeiStealer

f92695f29c11eed7607949e15ed40c2d6de909adbf3e04dc75b6b34f44ad07f9

ArkeiStealer

+ 171 additional samples on MalwareBazaar

Result

Malware family:

vidar

Score:

10/10

Tags:

family:vidar botnet:3f87d3d03da1768042eb415a0caf9cc1 stealer

Link:

https://tria.ge/reports/230703-n6w1tahf2y/

Behaviour

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Vidar

Malware Config

C2 Extraction:

https://steamcommunity.com/profiles/76561199514261168
https://t.me/kamaprimo

Malware family:

Vidar.A

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/19362eda54d5/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BitcoinAddress Create hunting rule
Author:	Didier Stevens (@DidierStevens)
Description:	Contains a valid Bitcoin address

Rule name:	has_telegram_urls Create hunting rule
Author:	Aaron DeVera<aaron@backchannel.re>
Description:	Detects Telegram URLs

Rule name:	INDICATOR_KB_CERT_62e745e92165213c971f5c490aea12a5 Create hunting rule
Author:	ditekSHen
Description:	Detects executables signed with stolen, revoked or invalid certificates

Rule name:	malware_shellcode_hash Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect shellcode api hash value

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	PE_Potentially_Signed_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	Telegram_Links Create hunting rule

Rule name:	Vidar Create hunting rule
Author:	kevoreilly,rony
Description:	Vidar Payload

Rule name:	win_vidar Create hunting rule
Author:	Matthew @ Embee_Research
Description:	Detection of Vidar Stealer and Variants via strings present in final unpacked payloads

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample