MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2bc35780b427873d03d777f75b112473d6593fdf7eab195dd75a6ba1ec1daec9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ArkeiStealer

Vendor detections: 14

Intelligence 14 IOCs YARA File information Comments

SHA256 hash:	2bc35780b427873d03d777f75b112473d6593fdf7eab195dd75a6ba1ec1daec9
SHA3-384 hash:	7179f152b632cd0c06f332598410eda9572ac2a572e2198c59c8752e5558247a64f3cc886d483d8e93318943fa1fcd8e
SHA1 hash:	dd5f98d82e1fc035cb19c4964e73a8fd2fccd27b
MD5 hash:	2ceb58e1cdc172ea3390b52d80e39851
humanhash:	black-floor-zebra-speaker
File name:	Cracked.exe
Download:	download sample
Signature	ArkeiStealer Create hunting rule
File size:	1'331'712 bytes
First seen:	2022-11-16 14:05:29 UTC
Last seen:	2022-11-16 15:56:48 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	50712ab27b49fdb22a0256a270d2c961 (2 x RemcosRAT, 2 x ArkeiStealer, 1 x RecordBreaker)
ssdeep	24576:VNgqRBpUYLThaFNy3eOLRSRAnzVmxbVx7NlPlh5EF15up9u8sY/leUkNU:V/NLQMyAhWflSr8fuhIle
TLSH	T11955D0367BE540F3D97FB0721C34622A1A632C7587A0DAB730718E8B8F276555E91BC8
TrID	80.5% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39) 9.4% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 3.1% (.EXE) Win64 Executable (generic) (10523/12/4) 1.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 1.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter	abuse_ch
Tags:	ArkeiStealer exe

abuse_ch

ArkeiStealer C2:
http://185.231.205.200/

Intelligence

File Origin

# of uploads :

# of downloads :

210

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

vidar

ID:

File name:

Cracked.exe

Verdict:

Malicious activity

Analysis date:

2022-11-16 14:08:56 UTC

Tags:

trojan stealer vidar

Link:

https://app.any.run/tasks/291b009b-0f8d-4649-a48d-e683c2bbbb87

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/334864/

Detection(s):

SecuriteInfo.com.Variant.Jaik.104017.32358.128.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

DNS request

Сreating synchronization primitives

Sending a custom TCP request

Sending an HTTP GET request

Creating a file

Reading critical registry keys

Stealing user critical data

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/6374ee4d2445ecec3cc4bcaf/reports/68f741af-4039-4135-a8a6-601d290d42d1/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Mustang Panda

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/8ff346a1-51b1-4a80-9d2e-cb409f1a581d

Result

Threat name:

Vidar

Detection:

malicious

Classification:

troj.spyw

Score:

76 / 100

Link:

https://www.joesandbox.com/analysis/1114887

Signature

C2 URLs / IPs found in malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/2bc35780b427873d03d777f75b112473d6593fdf7eab195dd75a6ba1ec1daec9/

Threat name:

ByteCode-MSIL.Infostealer.Reline

Status:

Malicious

First seen:

2022-11-16 14:06:11 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

14 of 40 (35.00%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=fpbvpafue6dt2a6xo73vwejeoplfsp67p2vrsxoxljv2d3a5v3eq._file

Verdict:

malicious

Result

Malware family:

vidar

Score:

10/10

Tags:

family:vidar botnet:1696 discovery spyware stealer

Link:

https://tria.ge/reports/221116-reeh8sff41/

Behaviour

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Program crash

Accesses 2FA software files, possible credential harvesting

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Loads dropped DLL

Reads user/profile data of web browsers

Vidar

Malware Config

C2 Extraction:

https://t.me/hkjkkiiioo
https://t.me/asndmadas19

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/e2e832e2-0da5-4ed4-9203-396778ae951b

Unpacked files

SH256 hash:

951d246696a1ded8f81f500336414aae5179b9beeb8099e51da05af6449f0090

MD5 hash:

10623aaf1909cf52b8b51d6570ef0cfa

SHA1 hash:

9e063767c4a7b3b0af87c651716134b981a5ff10

Link:

https://www.unpac.me/results/55598f72-0608-4d0f-a9f5-b0a9290c7793/

SH256 hash:

2bc35780b427873d03d777f75b112473d6593fdf7eab195dd75a6ba1ec1daec9

MD5 hash:

2ceb58e1cdc172ea3390b52d80e39851

SHA1 hash:

dd5f98d82e1fc035cb19c4964e73a8fd2fccd27b

Link:

https://www.unpac.me/results/55598f72-0608-4d0f-a9f5-b0a9290c7793/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/2bc35780b427873d03d777f75b112473d6593fdf7eab195dd75a6ba1ec1daec9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/334864/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample