MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 28481cfb09fe12acea1347b45a6f5e71f9442ef13a5c4e77ab226a4eb135db5b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 10


Intelligence 10 IOCs YARA 19 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 28481cfb09fe12acea1347b45a6f5e71f9442ef13a5c4e77ab226a4eb135db5b
SHA3-384 hash: a324918119e3400a61045384987fb2967b4e149814af2d9ba0a2d8c48d1790ab3f988b8d55940c964cbdd221a4dd4e38
SHA1 hash: 56964c3e1a9145221d871e2a48ac438487f4f5f9
MD5 hash: 9ceb1034d47927a247f594c36271bf37
humanhash: solar-bacon-eleven-oven
File name:file
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:3'137'536 bytes
First seen:2023-01-27 18:09:24 UTC
Last seen:2023-01-27 20:30:59 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 9cbefe68f395e67356e2a5d8d1b285c0 (58 x LummaStealer, 49 x AuroraStealer, 35 x Vidar)
ssdeep 49152:5blU8XCc3k+ouoecE2GnDQB357UuYLVtvtwflHaduDYz1o:5bjkNuoQ+5U/VMflHad
Threatray 1'738 similar samples on MalwareBazaar
TLSH T105E5BE41F8E754B2E9025572096BA2FF2320AD091F31CBC7E644BF6EED366E11E32255
gimphash b5c3cae980621786b117548f005325cb83cc52c1b4d59d6ebcb85dd3d2aafa21
TrID 40.3% (.EXE) Win64 Executable (generic) (10523/12/4)
19.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
17.2% (.EXE) Win32 Executable (generic) (4505/5/1)
7.7% (.EXE) OS/2 Executable (generic) (2029/13)
7.6% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter andretavare5
Tags:ArkeiStealer exe


Avatar
andretavare5
Sample downloaded from https://cyberaya.com/TyrlNickh89535665.exe

Intelligence

File Origin
# of uploads :
39
# of downloads :
232
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
No threats detected
Analysis date:
2023-01-27 18:11:32 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/63af7f5f-aa26-4eef-bdfa-1d59153de374

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/357586/
Detection(s):
SecuriteInfo.com.W32.PossibleThreat.25197.29802.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Launching a process
Creating a window
Сreating synchronization primitives
DNS request
Sending an HTTP GET request
Creating a file
Reading critical registry keys
Using the Windows Management Instrumentation requests
Running batch commands
Creating a process with a hidden window
Forced shutdown of a system process
Stealing user critical data
Unauthorized injection to a system process
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
golang greyware packed
Link:
https://www.filescan.io/uploads/63d4137c2d4f6d560e234d7a/reports/122487b9-24cc-4ff6-9c1e-acc75799856d/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Titan Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/cdb8bcdf-3ae3-4065-ac3f-9d44758d60eb
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1160506
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/28481cfb09fe12acea1347b45a6f5e71f9442ef13a5c4e77ab226a4eb135db5b/
Threat name:
Win32.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2023-01-27 18:10:09 UTC
File Type:
PE (Exe)
AV detection:
13 of 26 (50.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fbebz6yj7yjkz2qti62fu326oh4uilxrhjoe455lejve5mjv3nnq._file
Verdict:
malicious
Similar samples:
08f22af3870c81cf0f903d784abecd650003adfff360ff0529540091f277d057
ArkeiStealer
6511d09ada2bc11a95c06bd20abb66f450b9b2a6ed1f00c723401884ce7a2e61
ArkeiStealer
9912686813808d82b520fda65ccc9646413803ac12e3ef5a53f7c9c952b8c240
ArkeiStealer
a7b698f479cb724c56e1125d93bbbaf21ca360aff063e822f7e6fae08dd9c33e
ArkeiStealer
c37e19ba7ca31d3984004ec6534551197c1e4ab710bf26f822924168f17cbe7e
ArkeiStealer
ceb3007d4015dd96043315cd91f6c4ff82da1b206921311c8833d76947e92702
ArkeiStealer
e8ce6cee6554f2699605da7a59abe4ff81d96c5f2e4066e2314ddac92363fdd3
ArkeiStealer
+ 1'728 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar stealer
Link:
https://tria.ge/reports/230127-wr1z8adh4s/
Behaviour
Suspicious use of WriteProcessMemory
Vidar
Unpacked files
SH256 hash:
28481cfb09fe12acea1347b45a6f5e71f9442ef13a5c4e77ab226a4eb135db5b
MD5 hash:
9ceb1034d47927a247f594c36271bf37
SHA1 hash:
56964c3e1a9145221d871e2a48ac438487f4f5f9
Link:
https://www.unpac.me/results/fbac78fe-17ac-4831-9b9c-d0e062dab6e5/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/28481cfb09fe/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.16
Link:
https://yomi.yoroi.company/submissions/28481cfb09fe12acea1347b45a6f5e71f9442ef13a5c4e77ab226a4eb135db5b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:Golangmalware
Create hunting rule
Author:Dhanunjaya
Description:Malware in Golang
Rule name:golang_binary_string
Create hunting rule
Description:Golang strings present
Rule name:grakate_stealer_nov_2021
Create hunting rule
Rule name:HiveRansomware
Create hunting rule
Author:Dhanunjaya
Description:Yara Rule To Detect Hive V4 Ransomware
Rule name:identity_golang
Create hunting rule
Author:Eric Yocam
Description:find Golang malware
Rule name:INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Telegram_Links
Create hunting rule
Rule name:Windows_Trojan_Donutloader_f40e3759
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/357586/
  
URLhaus
https://urlhaus.abuse.ch/url/2520160/

Comments