MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 28872a0bc2beb8b68f8d2c8a144f741d56bfcb0c82b6862c3020ccc2ae17a1ea. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ArkeiStealer

Vendor detections: 11

Intelligence 11 IOCs YARA 1 File information Comments

SHA256 hash:	28872a0bc2beb8b68f8d2c8a144f741d56bfcb0c82b6862c3020ccc2ae17a1ea
SHA3-384 hash:	a034213cd1ff70142f7be9e6a272544606c168cdbe942b31223df5139752dae09987711b54a5da227e61c61d9ebf2501
SHA1 hash:	b02ccf9f1dc92edb2f2e41be2782ad8369416080
MD5 hash:	7ffdcac11f24119c6a33b9d512fa2feb
humanhash:	yankee-music-pizza-vermont
File name:	Unlimited_Ver.exe
Download:	download sample
Signature	ArkeiStealer Create hunting rule
File size:	504'832 bytes
First seen:	2022-12-10 15:29:05 UTC
Last seen:	2022-12-10 17:28:56 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	ad10745b89ba2c9da13045deb2a050dd (1 x ArkeiStealer)
ssdeep	12288:krHsj+d/kCthRw8rs6ziJ4xLw8WoCWTqXH5SxF:kzflkOrY2WrQq3gD
Threatray	1'819 similar samples on MalwareBazaar
TLSH	T1C0B4DF0AB2A640FBCC7224F465D857F72BED7AF54E9C482B334C972E4E60A9DC704619
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	abuse_ch
Tags:	ArkeiStealer exe

Intelligence

File Origin

# of uploads :

# of downloads :

181

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/345009/

Detection(s):

SecuriteInfo.com.Variant.Lazy.274062.20769.29253.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a custom TCP request

Launching a process

Searching for synchronization primitives

Сreating synchronization primitives

DNS request

Launching the default Windows debugger (dwwin.exe)

Sending an HTTP GET request

Searching for the window

Creating a file

Reading critical registry keys

Creating a window

Running batch commands

Creating a process with a hidden window

Stealing user critical data

Unauthorized injection to a system process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed shell32.dll

Link:

https://www.filescan.io/uploads/6394a5fe04e0e79bdf420d3e/reports/b15d51f2-e641-4050-abd0-43101f17740b/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/ca93f5b2-bb26-4fe5-9b7a-aec0c7efc01c

Result

Threat name:

Vidar

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1131971

Signature

Allocates memory in foreign processes

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Injects a PE file into a foreign processes

Machine Learning detection for sample

Multi AV Scanner detection for domain / URL

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/28872a0bc2beb8b68f8d2c8a144f741d56bfcb0c82b6862c3020ccc2ae17a1ea/

Threat name:

Win32.Trojan.Vidar

Status:

Malicious

First seen:

2022-12-10 15:30:10 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

22 of 26 (84.62%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=fcdsuc6cx24lnd4nfsfbit3udvll7symqk3imlbqedgmflqxuhva._file

Verdict:

malicious

ArkeiStealer

1f411086d94da3c1e9ec9ef281b490ff06302ad0c2df328f0e08f73d00fea025

ArkeiStealer

33e42124fdaefc1ac55558e0a4d2e6f25e2923c3616d88cb9bfdb8dec4d9a5f3

ArkeiStealer

5551ce7c571a221c2851b8a610e659ea4c302c903e98bad28c867ca9aaced81c

ArkeiStealer

5866f921e4e7d2eef8693f9fefb19ccd46224c02bb46dd51639d8680de185a40

ArkeiStealer

5d8e70acefcbcc2eff05078efbea2c82d7a051edaabfa4caaf6d48fc9d6644e3

ArkeiStealer

8933d067b619ca799bababb246a9e88a28ee81caeb235dfbe12f9d891b043de5

ArkeiStealer

99cb9ea998d774a077d760f6a767660a520bc882a73195b3cd0282c2e967fb13

ArkeiStealer

b9a5baff0f229012b8ffc075c392a0e3f787a40d9c33889a049c4502b2687268

ArkeiStealer

bc376ec9587207d00b9af28189d47c0341a430c93167b732be851a0725f4a37f

ArkeiStealer

+ 1'809 additional samples on MalwareBazaar

Result

Malware family:

vidar

Score:

10/10

Tags:

family:vidar botnet:1842 spyware stealer

Link:

https://tria.ge/reports/221210-sxgxraad6x/

Behaviour

Checks processor information in registry

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of SetThreadContext

Accesses 2FA software files, possible credential harvesting

Accesses cryptocurrency files/wallets, possible credential harvesting

Loads dropped DLL

Uses the VBS compiler for execution

Vidar

Malware Config

C2 Extraction:

https://t.me/dishasta
https://steamcommunity.com/profiles/76561199441933804

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/88e5667e-ceb8-4489-ab38-af25dd8b7309

Unpacked files

SH256 hash:

31aaa6001e98cc2fe811c4d6893086ca0d5969b02568a64c7086aaba77f3fad1

MD5 hash:

dedf47991a94aeead72e84f05b99adec

SHA1 hash:

ca45a51a187764affb9098cbc424c02666cdd0fe

Link:

https://www.unpac.me/results/72bdfc0b-87f8-445e-8e25-7603f64ea953/

SH256 hash:

28872a0bc2beb8b68f8d2c8a144f741d56bfcb0c82b6862c3020ccc2ae17a1ea

MD5 hash:

7ffdcac11f24119c6a33b9d512fa2feb

SHA1 hash:

b02ccf9f1dc92edb2f2e41be2782ad8369416080

Link:

https://www.unpac.me/results/72bdfc0b-87f8-445e-8e25-7603f64ea953/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/28872a0bc2be/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/28872a0bc2beb8b68f8d2c8a144f741d56bfcb0c82b6862c3020ccc2ae17a1ea

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/345009/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample