MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1feb43725e49f700154098a4db30a9a699e8e1b7433aae2eaac52f62b3329b62. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1feb43725e49f700154098a4db30a9a699e8e1b7433aae2eaac52f62b3329b62
SHA3-384 hash: 7c7b5af837e209a363f3274fe881df8cf56ceec2b7d25048948d537e76a7addc6027810a53b081f232eadc7f2d227577
SHA1 hash: f958dde2eb7f4458e8dde313a31882964bb762ea
MD5 hash: 739099e94c93394aa0a030d0731a19ac
humanhash: charlie-mississippi-thirteen-harry
File name:SecuriteInfo.com.Variant.Razy.666259.24381.9628
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:3'023'872 bytes
First seen:2020-05-08 21:55:23 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 9d6b988ee2ff900bb46f7b1ad8162182 (3 x ArkeiStealer)
ssdeep 49152:FZU+C0tsCVloWvYIeK4r70ghXzHTGxV6J+H8hS6XPlKfwY/:FZHwCPDerPFHiZedKIY/
Threatray 170 similar samples on MalwareBazaar
TLSH A1E523337AA89BE8DE4576FA24898CEDB6277E054611521A2D74BFF1463119FCC30C8E
Reporter SecuriteInfoCom
Tags:ArkeiStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
91
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Predatorthethief
Create hunting rule
Link:
https://www.capesandbox.com/analysis/3095/
Detection(s):
SecuriteInfo.com.Variant.Razy.666259.24381.9628.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Occamy
Create hunting rule
Status:
Malicious
First seen:
2020-05-08 20:33:33 UTC
File Type:
PE (Exe)
Extracted files:
12
AV detection:
27 of 31 (87.10%)
Threat level:
  2/5
Verdict:
malicious
Similar samples:
2116630a84b913da34b2f2cb2a5d7f357a9c95c648d2ceeb582c6728e2fca9dc
ArkeiStealer
23b916e5bb30f814e9819cf3499fe56820380b827b20f595022eabbd47267374
ArkeiStealer
664b69b27e77e1458d7fff94e384830b0e6e63b29d3ca5a3babf07c942333b5f
ArkeiStealer
7e72084065a862db54cde005432cbced6d6955d9d67380befbc5aa1a0eaa8247
ArkeiStealer
8db94c701d86fc9561720f228e619635a3c695be78e23024715053a38b263808
ArkeiStealer
97877280bba9500fb1cb5d466a66337ff281c278339b089bcb661bbb342adcf1
ArkeiStealer
99b9b649c59745f1544c91ffe35dad1e1529c9cb6715325c95ee396bbe3db2ab
ArkeiStealer
c30feebc86f3a83c66c8ef49ef5d9b4a48f462f62545f2e7038d36a0005bb983
ArkeiStealer
d3e66e348953a589c9852de7f1b10516f6f7cd1287f33ea12cc6ff44a96e1419
ArkeiStealer
e41ee8ef8e196d80c1db94848c6dd31eb8737b6f77d7bf63537138e110f79120
ArkeiStealer
+ 160 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar discovery evasion spyware stealer trojan
Link:
https://tria.ge/reports/201109-ftnr41aphx/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses 2FA software files, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
Looks up external IP address via web service
Checks BIOS information in registry
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Vidar
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_vidar_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_vidar_g0
Create hunting rule
Author:Slavo Greminger, SWITCH-CERT
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ArkeiStealer

Executable exe 1feb43725e49f700154098a4db30a9a699e8e1b7433aae2eaac52f62b3329b62

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/360230/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/3095/
Cape
Cape
https://www.capesandbox.com/analysis/3093/

Comments