MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 292234b4e44187b5549566ead6297f05dc6b40310e4f1b1384ce190a79891117. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 10


Intelligence 10 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 292234b4e44187b5549566ead6297f05dc6b40310e4f1b1384ce190a79891117
SHA3-384 hash: f5d6a63ef4aea13749fffaa25adc5eebb8d7c12d1c9185ae5966c2ebc1cf8c06ee726d20496b6258d6c0f776369c8e2b
SHA1 hash: 37670412f4b98641407944b86df43f40bc23a67f
MD5 hash: b222f2f0919a0ac896e3f83f3b9b6003
humanhash: burger-six-mobile-pip
File name:file
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:638'624 bytes
First seen:2022-12-03 13:38:55 UTC
Last seen:2022-12-03 18:52:10 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 12288:FsJ5/WfL8JGhhC7OiTa8g5MdNXLSR6ESvzY:Fw+8JGOac909CY
Threatray 735 similar samples on MalwareBazaar
TLSH T1CBD4F1D07E0D5A0BC16DD1B796D722FA2FD4DED259FEC9C0D295126280A36F13032B6A
TrID 44.4% (.EXE) Win64 Executable (generic) (10523/12/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):PE icon
dhash icon 7cc2ccfcecf8faec (1 x ArkeiStealer, 1 x PrivateLoader)
Reporter andretavare5
Tags:ArkeiStealer exe signed

Code Signing Certificate

Organisation:Toshiba MQ01ABMxx 2.5 MQ01ABD060
Issuer:Toshiba MQ01ABMxx 2.5 MQ01ABD060
Algorithm:sha1WithRSAEncryption
Valid from:2022-10-07T20:43:17Z
Valid to:2032-10-08T20:43:17Z
Serial number: 3053fbc3229a9ead47c1258a04a009c8
Intelligence: 12 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: a6b737647756976617d1beedd3ac4713b5dec9e4d34d9f599a044aac073f1133
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
andretavare5
Sample downloaded from https://vk.com/doc760750097_657348467?hash=q2uiLZn5w2h14j4azzTzYnSNJ8KvzHmMlS39e0d2WMH&dl=G43DANZVGAYDSNY:1670064549:JTWLhGelwWJ7mztBNs6llEkzAV9dH2zNAPwbLzVcN9X&api=1&no_preview=1#vidww2

Intelligence

File Origin
# of uploads :
10
# of downloads :
207
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
No threats detected
Analysis date:
2022-12-03 13:41:57 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/7f773b82-59d4-4bfc-bd1b-3ae26e4a3073

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/342264/
Detection(s):
SecuriteInfo.com.Win64.TrojanX-gen.6587.26478.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file
Launching a process
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Reading critical registry keys
Running batch commands
Creating a process with a hidden window
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/638b517704e0e79bdf408cd8/reports/1ec4afb6-5efa-40e8-8013-54c3851a6c16/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/8a8997da-456d-47df-ab89-8267357d1740
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1127085
Signature
.NET source code contains very large array initializations
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/292234b4e44187b5549566ead6297f05dc6b40310e4f1b1384ce190a79891117/
Threat name:
ByteCode-MSIL.Trojan.Injuke
Create hunting rule
Status:
Malicious
First seen:
2022-12-03 13:39:09 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
7
AV detection:
10 of 40 (25.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ferdjnheigd3kvevm3vnmkl7axogwqbrbzhrwe4ezymqu6mjcelq._file
Verdict:
malicious
Similar samples:
03c8ae088d9b5ed64de0ac1782f3b2a9ee31ebd3597d03f285a0c31b9e6ef25f
ArkeiStealer
0c8296da5ca468087ecaeac3bb9b4475f075ae0ba654c9cc05a017f96d974d98
ArkeiStealer
26e9c2f05c547a575d40b66a4feb317af53b65062611eea7ed6005e0ed88d1e9
ArkeiStealer
58fd04fe003160c5aca2e839d8588bd86b9a2b3ddcd8e3ddd5616182e9d9c45f
ArkeiStealer
7a3d9a2e7fbcdd35fa3c5c195892b4c7940c669cde48def4832aa7e91736d532
ArkeiStealer
80a71a90b99f4518e5f98a419975d93caeefb87b8c76c3e42f59565174b5ca53
ArkeiStealer
8530384fa6b45ff0c2b2ea199c016f81b60fe8b7c846a7103f90b06691a4e01d
ArkeiStealer
866056e13d99c7a721a0e66aef8c2526dd2b8b6cecc90b0583699a175eeb66b7
ArkeiStealer
a6f687d95308fd4d110ee7f8b07d3992e35802042f2d68c6216a5606b9ef8ab8
ArkeiStealer
f161040af3fb9580715153cf18fab2993f4d16a71ddc99cf14c641772dfbf0ac
ArkeiStealer
+ 725 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar botnet:1679 spyware stealer
Link:
https://tria.ge/reports/221203-qxyjdsed44/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Loads dropped DLL
Vidar
Malware Config
C2 Extraction:
https://t.me/asifrazatg
https://steamcommunity.com/profiles/76561199439929669
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/fdf8a673-347d-476f-be88-a378dd94999f
Unpacked files
SH256 hash:
292234b4e44187b5549566ead6297f05dc6b40310e4f1b1384ce190a79891117
MD5 hash:
b222f2f0919a0ac896e3f83f3b9b6003
SHA1 hash:
37670412f4b98641407944b86df43f40bc23a67f
Link:
https://www.unpac.me/results/8436582d-b3c9-4217-a1f0-95bbc696acdd/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/292234b4e44187b5549566ead6297f05dc6b40310e4f1b1384ce190a79891117

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:INDICATOR_EXE_Packed_Babel
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Babel
Rule name:INDICATOR_EXE_Packed_Dotfuscator
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Dotfuscator
Rule name:INDICATOR_EXE_Packed_Goliath
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Goliath
Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/342264/

Comments