MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1e3b72475d498216cafe499c5bafc0619ff596d45eef772007dbcfb242661bde. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ArkeiStealer

Vendor detections: 11

Intelligence 11 IOCs YARA 5 File information Comments

SHA256 hash:	1e3b72475d498216cafe499c5bafc0619ff596d45eef772007dbcfb242661bde
SHA3-384 hash:	4ebae7841ead055a3c1a5d40aaae8fc123c8df110654706481930d7259bb69fbc95e8a5dcaad2ce555884fa5ce8e9733
SHA1 hash:	2286d96e9f37529733ae2d25207187fd1f4851d9
MD5 hash:	2d8863b9906bca5c08a1ae406d51d602
humanhash:	mockingbird-purple-solar-equal
File name:	file
Download:	download sample
Signature	ArkeiStealer Create hunting rule
File size:	433'664 bytes
First seen:	2023-01-11 11:24:14 UTC
Last seen:	2023-01-11 16:19:06 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	62f628538e3c61be2e3186663f4b6cfe (7 x Smoke Loader, 4 x RedLineStealer, 3 x ArkeiStealer)
ssdeep	6144:FxLofif0WwxZC86qL0rtK8QXyMhLSfUiqBwyyDqCFoNBupY6:FB50WwZP0rtK8WygEUU7OCQQpY
Threatray	1'866 similar samples on MalwareBazaar
TLSH	T18294D0017A919871C412FD318B19CBE42A7FB8319F64A767B3246B6F1FB12D1F672206
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	8ea1a1a1a18181ac (1 x RedLineStealer, 1 x ArkeiStealer)
Reporter	andretavare5
Tags:	ArkeiStealer exe

andretavare5

Sample downloaded from https://vk.com/doc712319849_659582580?hash=zk3NLSf2GQ2bIlQwiYcFzZ8gTz26qCYuTrKm6vRXC6z&dl=G4YTEMZRHE4DIOI:1673434694:Uqemlz2jGqKkhxH28gfDXqkaHjcKnPKocnMgZ6ofe4c&api=1&no_preview=1#build_g

Intelligence

File Origin

# of uploads :

# of downloads :

206

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

vidar

ID:

File name:

file

Verdict:

Malicious activity

Analysis date:

2023-01-11 11:26:34 UTC

Tags:

trojan stealer vidar

Link:

https://app.any.run/tasks/5f4e0c2d-da35-4e0c-b056-6d4813ca5926

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/351909/

Detection(s):

Can't access file ERROR

Result

Verdict:

Clean

Maliciousness:

Verdict:

No Threat

Threat level:

2/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/63be9c90a70bef46551e9038/reports/ad7531ee-d2b3-4107-84dd-c2ff9b935300/overview

Malware family:

Arkei Stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/fdc57ef8-5e03-4b92-89a2-f966dfc5c2d1

Result

Threat name:

Vidar

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1149537

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Detected unpacking (creates a PE file in dynamic memory)

Detected unpacking (overwrites its own PE header)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Self deletion via cmd or bat file

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/1e3b72475d498216cafe499c5bafc0619ff596d45eef772007dbcfb242661bde/

Threat name:

Win32.Trojan.Smokeloader

Status:

Malicious

First seen:

2023-01-11 11:25:09 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

23 of 26 (88.46%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=dy5xer25jgbbnsx6jgofxl6amgp7lfwul3xxoiah3ph3eqtgdppa._file

Verdict:

malicious

ArkeiStealer

2f2c73a52b2c9975df2b1f9ccde2a8eb77493bc5d3e91a16d5d0eb3eb3ca9942

ArkeiStealer

67d623696828f77a0c7b9c81960709579c7b95f4c26d569b420ab05bbdf0049d

ArkeiStealer

723f833a06244d7601591949fae724e0176ca30ae9582f86848d20ffe0e33b77

ArkeiStealer

740f7721beb9b54af9948a8b6876547e298891984275c68ad0d2ef421feb0ef2

ArkeiStealer

922260358cff0b48e0098db3eb36065cfae990c0bddb75b21e2fa8ed9c1edb3e

ArkeiStealer

a59ecf6ddd571f60cd71d50c44e6002da374c22de3ff910cafd40bc49659e50f

ArkeiStealer

ab9aa981e24b6dbe183fff66d17e38fbb7ac1fa54fd1dbf3c4878c65ff18efa4

ArkeiStealer

aded3194fe3b8734ee021f6e4ce81fc207b6e258c96ceb9bf2e1f77eccc4a87f

ArkeiStealer

f89ea963fcb584772f149a3c6a576d2a8cb037b3f956ac43dfc9ca0abe310956

ArkeiStealer

+ 1'856 additional samples on MalwareBazaar

Result

Malware family:

vidar

Score:

10/10

Tags:

family:vidar botnet:560 discovery spyware stealer

Link:

https://tria.ge/reports/230111-njat3abh68/

Behaviour

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Program crash

Accesses 2FA software files, possible credential harvesting

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Loads dropped DLL

Reads user/profile data of web browsers

Vidar

Malware Config

C2 Extraction:

https://t.me/travelticketshop
https://steamcommunity.com/profiles/76561199469016299

Verdict:

Informative

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/775ec2e9-eade-46ca-8b02-7c2e81adb04d

Unpacked files

SH256 hash:

cf28a05a370698e11f6ddd115f2f9fd6997afa52ffb88a2217a3e474ff6a0b9f

MD5 hash:

39749728056b1b2fc4629ebd91cb2399

SHA1 hash:

86192778f32158e2de1a4f2d23c5c43f182948e6

Link:

https://www.unpac.me/results/964444f9-2e4d-4a98-932f-bedeb346b4a3/

SH256 hash:

1e3b72475d498216cafe499c5bafc0619ff596d45eef772007dbcfb242661bde

MD5 hash:

2d8863b9906bca5c08a1ae406d51d602

SHA1 hash:

2286d96e9f37529733ae2d25207187fd1f4851d9

Link:

https://www.unpac.me/results/964444f9-2e4d-4a98-932f-bedeb346b4a3/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/1e3b72475d49/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/1e3b72475d498216cafe499c5bafc0619ff596d45eef772007dbcfb242661bde

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BitcoinAddress Create hunting rule
Author:	Didier Stevens (@DidierStevens)
Description:	Contains a valid Bitcoin address

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

Rule name:	Telegram_Links Create hunting rule

Rule name:	Windows_Trojan_Smokeloader_3687686f Create hunting rule
Author:	Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

Cape

https://www.capesandbox.com/analysis/351909/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample