MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2beb165a3f2ed3b8506fe8c0d2624b2f47c2a82579ccdea7d7f308c49a00ca9d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2beb165a3f2ed3b8506fe8c0d2624b2f47c2a82579ccdea7d7f308c49a00ca9d
SHA3-384 hash: 6604b9970a0a6251594557be06cace47348f53ee8d3e2219363af3b0092d8c7b38428f3baed8b4abe64847d6c9b61462
SHA1 hash: 71fd171809b55d73a75ef63b2776a2ab82a58a6a
MD5 hash: cc63a28ffd1c520a780046c720f955f4
humanhash: winner-seventeen-shade-charlie
File name:file
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:357'888 bytes
First seen:2022-11-02 10:01:23 UTC
Last seen:2022-11-02 12:55:09 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b72cbc79fc1fead86b580f2d8c254198 (3 x ArkeiStealer)
ssdeep 6144:xRT6eUPmb5Dsxp6BDh8k65be81o0L3nVUW3LHKnhB0cBYUPyBtI1RD:xR2ob5DQ4BDh8k65be81o0L3VUCqhB0e
Threatray 881 similar samples on MalwareBazaar
TLSH T1E7745B217280F433D527667A5EEEA7B6567C3D701921980BFB840B29BFB51C35B6038B
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter andretavare5
Tags:ArkeiStealer exe


Avatar
andretavare5
Sample downloaded from https://vk.com/doc759438714_648736490?hash=yeJxmOcY9rIcOEoQImUd8RQ527dNZuFqzSVIjAw2lZL&dl=G42TSNBTHA3TCNA:1667318362:ZYmGPGdMt8uIYkSTOFgd973UvrNBsh7VIRP9eonCnYz&api=1&no_preview=1#CRYPTO_ALL

Intelligence

File Origin
# of uploads :
78
# of downloads :
233
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
vidar
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2022-11-02 10:03:55 UTC
Tags:
trojan stealer vidar
Link:
https://app.any.run/tasks/07d5d71b-43da-4500-a1fd-10076bf00c83

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/327059/
Detection(s):
SecuriteInfo.com.Trojan.Siggen19.1632.12391.23973.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Sending an HTTP GET request
Creating a file
Reading critical registry keys
Creating a window
Running batch commands
Creating a process with a hidden window
Launching a process
Stealing user critical data
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/47349/overview
Behaviour
MalwareBazaar
MeasuringTime
SystemUptime
EvasionQueryPerformanceCounter
CheckCmdLine
EvasionGetTickCount
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware
Link:
https://www.filescan.io/uploads/6362401c736e9d884f0dd982/reports/dfbf35c5-dc5a-45b0-99c4-99d29c809179/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8dffc43c-ca19-483b-ad0c-3ab7d276f5f8
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1103116
Signature
Antivirus detection for URL or domain
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Self deletion via cmd or bat file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2beb165a3f2ed3b8506fe8c0d2624b2f47c2a82579ccdea7d7f308c49a00ca9d/
Threat name:
Win32.Trojan.ZusyRedLine
Create hunting rule
Status:
Malicious
First seen:
2022-11-02 10:02:06 UTC
File Type:
PE (Exe)
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fpvrmwr7f3j3qudp5daneyslf5d4fkbfphgn5j6x6memjgqazkoq._file
Verdict:
malicious
Similar samples:
1a12d9c9ac19873abafa62c6d37eb8c31495a0818e8aa99987b41126cd31cd02
ArkeiStealer
1aacaadce5954ff321f06df9cf1785902ef0b1806599b8b0aa477ae211ff2976
ArkeiStealer
1beb50ab8de7ec33aec7deb5365fbebce3a91bfe9cf31387a5bf326ace08d48b
ArkeiStealer
3af3279ede125805a47682382304f6b76af4e7c34c2bfeaa198e0dc38f3ad1b6
ArkeiStealer
4d17f634c190695b934f137ee2bded7b040666b3ac69c46dd6b98fee72ddf23a
ArkeiStealer
8a2a052fe103dc0368d0186daee5372812fa396daaa384a8599507a9709ee8e6
ArkeiStealer
dade5b7aa50e2e1df254ae9c8b70f59cfa6c47889bc1cb3ff722620b367fde60
ArkeiStealer
f414b58167438e77909afa13c1e137874fb7aad4983d30cd9b769f205ace0078
ArkeiStealer
+ 871 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery spyware stealer
Link:
https://tria.ge/reports/221102-l2r5ysbfen/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/fd13ea24-6288-4eab-88b6-07dffe11f607
Unpacked files
SH256 hash:
2beb165a3f2ed3b8506fe8c0d2624b2f47c2a82579ccdea7d7f308c49a00ca9d
MD5 hash:
cc63a28ffd1c520a780046c720f955f4
SHA1 hash:
71fd171809b55d73a75ef63b2776a2ab82a58a6a
Link:
https://www.unpac.me/results/b8173da5-138b-4258-8e2c-4d8fab0134f3/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/2beb165a3f2e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2beb165a3f2ed3b8506fe8c0d2624b2f47c2a82579ccdea7d7f308c49a00ca9d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/327059/

Comments