MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 25f17d615e6ccbf3de2297fe28ba2c78b8db878d5609cf70baf4202e5fea90eb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 15


Intelligence 15 IOCs YARA 6 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 25f17d615e6ccbf3de2297fe28ba2c78b8db878d5609cf70baf4202e5fea90eb
SHA3-384 hash: f3cf86a57f98f4bb48fb167c27fe2c290f2b258ed2ed6488c25fcd894c0034703355a6485a84f0cbbd9944e640343d8c
SHA1 hash: 436637991950728a5217ba44338976eb65ef13cd
MD5 hash: 2cc4e1e1de9400f12f4e8d85c0a02435
humanhash: seven-georgia-michigan-missouri
File name:2cc4e1e1de9400f12f4e8d85c0a02435
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:397'312 bytes
First seen:2023-05-28 06:10:40 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash d302e4ac3406067f8ed838633897aebb (4 x Smoke Loader, 3 x Glupteba, 2 x ArkeiStealer)
ssdeep 6144:ug8FnVPv2ietghs764HC6cq8/w90sbxslOqlepGQO:uVFVPPet0s7RHbcq8I3mEqlesQ
Threatray 31 similar samples on MalwareBazaar
TLSH T10D848E03D6E2BC54ED668B729F2FEAEC761EF1518E09376A26185A1F04702B2C173717
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 0626020a02261600 (1 x ArkeiStealer)
Reporter zbetcheckin
Tags:32 ArkeiStealer exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
267
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
arkei
Create hunting rule
ID:
1
File name:
2cc4e1e1de9400f12f4e8d85c0a02435
Verdict:
Malicious activity
Analysis date:
2023-05-28 06:13:35 UTC
Tags:
stealer arkei vidar
Link:
https://app.any.run/tasks/79b63201-e844-4396-8c99-6523e7000270

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Vidar
Create hunting rule
Link:
https://www.capesandbox.com/analysis/392706/
Detection(s):
Win.Packer.pkr_ce1a-9980177-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Reading critical registry keys
Using the Windows Management Instrumentation requests
Creating a window
Launching the default Windows debugger (dwwin.exe)
Stealing user critical data
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/88291/overview
Behaviour
MalwareBazaar
SystemUptime
CPUID_Instruction
MeasuringTime
EvasionQueryPerformanceCounter
EvasionGetTickCount
CheckCmdLine
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/6472f167349fb4d497260d7a/reports/ad68dfbc-30a3-4cf1-8e48-9d2e4f6272ed/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/25f17d615e6ccbf3de2297fe28ba2c78b8db878d5609cf70baf4202e5fea90eb
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/f5b39e87-b423-4c6b-844e-6164fe432d35
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1243959
Signature
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/25f17d615e6ccbf3de2297fe28ba2c78b8db878d5609cf70baf4202e5fea90eb/
Threat name:
Win32.Trojan.Casdet
Create hunting rule
Status:
Malicious
First seen:
2023-05-28 06:11:05 UTC
File Type:
PE (Exe)
Extracted files:
48
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=exyx2yk6ntf7hxrcs77crormpc4nxb4nkye464f26qqc4x7ksdvq._file
Verdict:
malicious
Similar samples:
0d3ef6b4cf3172125dc208808d24392b8a3ff9a55b00b86608c3bc692cd15cec
ArkeiStealer
3d107b134ad4b3c700db4e842a5e825350abe65275efd2b5e69519b2c74ea5b2
ArkeiStealer
4e8c752b8a016e8d4fc9723ada1498af8a3b3f46e89f3388782f4082575d3218
ArkeiStealer
537c3e56e01ced9e64abbe83dd28f0a74a8ad634e46de55b62556fd5006be206
ArkeiStealer
73157ee8d240700d07209acb69539e3814313582253246d7550024281b91b07a
ArkeiStealer
b37ec988b2a33b8da250f693d73a8eeda60965bec127db92b4298cbc6dd9efb2
ArkeiStealer
bb178f666699a5eba12b4e6eb3386cba3ccb030839252eb3cf2e6fb10140c6d7
ArkeiStealer
bc995cf9cc10d39e6ec3917325798ef6f5e4f8805210b1b8416c1eef6c4fd31c
ArkeiStealer
c786c65835185eebe21e9f742dc3af4df14af8b79081d8137b703bbce6b1c790
ArkeiStealer
fbbf2c1d05028da86e946dadf417a6992d5eef4eb4c4f030f11d9d32e81670bd
ArkeiStealer
+ 21 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar botnet:cd561e19a995c4a976b3fe0bdd3b0cad discovery spyware stealer
Link:
https://tria.ge/reports/230528-gxledseh4t/
Behaviour
Checks processor information in registry
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Program crash
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Vidar
Malware Config
C2 Extraction:
https://steamcommunity.com/profiles/76561199508624021
https://t.me/looking_glassbot
Gathering data
Malware family:
Vidar.A
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/25f17d615e6c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/25f17d615e6ccbf3de2297fe28ba2c78b8db878d5609cf70baf4202e5fea90eb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:has_telegram_urls
Create hunting rule
Author:Aaron DeVera<aaron@backchannel.re>
Description:Detects Telegram URLs
Rule name:INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
Author:ditekSHen
Description:Detects Windows executables referencing non-Windows User-Agents
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:Telegram_Links
Create hunting rule
Rule name:Vidar
Create hunting rule
Author:kevoreilly,rony
Description:Vidar Payload
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ArkeiStealer

Executable exe 25f17d615e6ccbf3de2297fe28ba2c78b8db878d5609cf70baf4202e5fea90eb

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2643215/
Cape
Cape
https://www.capesandbox.com/analysis/392706/

Comments


Avatar
zbet commented on 2023-05-28 06:10:41 UTC

url : hxxp://212.224.86.199/dWssvZasqwFFAcZ.dll