MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 29dc4071c3232c5cd82186be9155bd7288bc4eb4013159ceaed06da36ef29607. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 29dc4071c3232c5cd82186be9155bd7288bc4eb4013159ceaed06da36ef29607
SHA3-384 hash: 230200e34668df59b83a6469daa89aefea9da90c405f243320c1b3c7fb2bbf4a48a780666ba79c351a904f4e6812b9a9
SHA1 hash: 19326d11451447f823b637424b8ebb856d2508a8
MD5 hash: c1d4a46772da836ea329a74d42aa9baf
humanhash: glucose-skylark-jersey-rugby
File name:setup_parsed.exe
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:1'484'080 bytes
First seen:2022-10-30 15:58:02 UTC
Last seen:2022-10-30 17:59:54 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 1b62f5ec48faa08ab096dfae72734859 (36 x RedLineStealer, 5 x ArkeiStealer, 1 x PandaStealer)
ssdeep 24576:54+4avH3vkdECpW//MUx/XEyoY6YifYmiXMDZdsAdcLrHK2Kd7vUCCHZgjnV4Kep:K+4CH38dtpy/M0fEMNgqmngtwTg
Threatray 897 similar samples on MalwareBazaar
TLSH T11E657D3AEB4614B4D76356B1C25EFE7B9B0476348061AE3FBB4AEE0C64334127CC9256
TrID 44.6% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
23.6% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
9.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.4% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter 0xToxin
Tags:1375 ArkeiStealer exe vidar

Intelligence

File Origin
# of uploads :
2
# of downloads :
539
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
vidar
Create hunting rule
ID:
1
File name:
setup_parsed.exe
Verdict:
Malicious activity
Analysis date:
2022-10-30 16:00:00 UTC
Tags:
trojan stealer vidar
Link:
https://app.any.run/tasks/a7997b90-04c6-429b-9622-d926f65a4387

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/326139/
Detection(s):
SecuriteInfo.com.Trojan.GenericKDZ.93123.16481.28505.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Launching a process
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/46827/overview
Behaviour
MalwareBazaar
MeasuringTime
SystemUptime
EvasionQueryPerformanceCounter
EvasionGetTickCount
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-debug overlay packed
Link:
https://www.filescan.io/uploads/635e9f0c58409ff7bc0c4fca/reports/20504acd-eed3-4801-9ece-1f336f2bb438/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/43743efc-0705-4d10-b25f-890506b2fa83
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1101284
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
DLL side loading technique detected
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
PE file contains section with special chars
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/29dc4071c3232c5cd82186be9155bd7288bc4eb4013159ceaed06da36ef29607/
Threat name:
Win32.Trojan.RedLine
Create hunting rule
Status:
Malicious
First seen:
2022-10-30 15:59:08 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
24 of 26 (92.31%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fhoea4odemwfzwbbq27jcvn5okelytvuaeyvttvo2bw2g3xssydq._file
Verdict:
malicious
Similar samples:
1d9dd4ae9d1ba20dbf36549110c16150525122f3aa7fdd390c66b7a6bfb752e4
ArkeiStealer
33b834d43e55548d511dd46076c7ba48db7ffe4a50accc66bd43fa98d6793e41
ArkeiStealer
6e8b8a1d654dfedfa6d56e2f43a049eb491370ff46e0668fe5cfd7489b4b125c
ArkeiStealer
9463f28e07f665446e8702ec76aa02646f8efc1a9040a2201d6d256c77c8cd87
ArkeiStealer
a334fa92fab1199f16a272b0f2f63465750f98bed946d23f8f7ae498206ca553
ArkeiStealer
aecee48e77885753fef3b48411fd1093f2f3da937ef0dab744530bbf452586ef
ArkeiStealer
b3455729f0228a10eebd389eda5d2dbc38e34ac4614c16d48631dcc4308cf89a
ArkeiStealer
da271da1daacb415125be5ab9eacc9fdf9738776c83fc512c146e467d5930ded
ArkeiStealer
+ 887 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar botnet:1375 spyware stealer
Link:
https://tria.ge/reports/221030-teg1gaaabm/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Loads dropped DLL
Uses the VBS compiler for execution
Vidar
Malware Config
C2 Extraction:
https://t.me/slivetalks
https://c.im/@xinibin420
Unpacked files
SH256 hash:
ba1068b50df52835bb0c7aef9edca292fd1518004accd341231885ef076b8fca
MD5 hash:
300a3bc4d2570c41cd5a93f7701ceda5
SHA1 hash:
3c621e33686fec8862026519b6e13708017dd30a
Link:
https://www.unpac.me/results/551f42e5-b755-41fb-8c70-cf14b6869eb0/
SH256 hash:
29dc4071c3232c5cd82186be9155bd7288bc4eb4013159ceaed06da36ef29607
MD5 hash:
c1d4a46772da836ea329a74d42aa9baf
SHA1 hash:
19326d11451447f823b637424b8ebb856d2508a8
Link:
https://www.unpac.me/results/551f42e5-b755-41fb-8c70-cf14b6869eb0/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/29dc4071c323/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/29dc4071c3232c5cd82186be9155bd7288bc4eb4013159ceaed06da36ef29607

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Vidar
Create hunting rule
Author:kevoreilly,rony
Description:Vidar Payload
Rule name:Windows_Trojan_Vidar_114258d5
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/326139/

Comments