MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2d6dab6999a94d2adc4afdc5b696471e7ee9743647225e06dd3927f88c71b907. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ArkeiStealer

Vendor detections: 15

Intelligence 15 IOCs YARA 4 File information Comments

SHA256 hash:	2d6dab6999a94d2adc4afdc5b696471e7ee9743647225e06dd3927f88c71b907
SHA3-384 hash:	68e1520cb5af9011c06f11e1d99cfc3ced08ac081a5746b32c1e8952f1e37fd03b3563171f4ace8894230137384de27a
SHA1 hash:	cade72d6bccc837945f018e63821cbb6f62aa4a0
MD5 hash:	0b606e788a09adcfd070237083fcf72b
humanhash:	stream-sweet-uranus-leopard
File name:	file.exe
Download:	download sample
Signature	ArkeiStealer Create hunting rule
File size:	360'960 bytes
First seen:	2023-05-17 15:26:33 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	7d09af4f4de799f652c0bd662bf75a46 (1 x ArkeiStealer, 1 x Amadey, 1 x Smoke Loader)
ssdeep	6144:BAbZSBzK118IROM2IL5zSHdJoODajHwwuqe1M2cplYT7sL/nsDJLS:gEBzKX8/45zSHfodjHwmIIbYf0f
Threatray	40 similar samples on MalwareBazaar
TLSH	T15B74E03276D39471EE7215314A25CAF11A2BB8314FB0AACB27A45A3F0E753E1CA75347
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	0160666a6a6a7a60 (1 x ArkeiStealer)
Reporter	abuse_ch
Tags:	ArkeiStealer exe

Intelligence

File Origin

# of uploads :

# of downloads :

276

Origin country :

Vendor Threat Intelligence

Malware family:

arkei

ID:

File name:

file.exe

Verdict:

Malicious activity

Analysis date:

2023-05-17 15:31:40 UTC

Tags:

stealer arkei vidar

Link:

https://app.any.run/tasks/ec70f6c6-1e25-404a-bc09-fa5f9d2ad951

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Vidar

Link:

https://www.capesandbox.com/analysis/390739/

Detection(s):

Sanesecurity.Malware.29323.BadIN.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

DNS request

Sending a custom TCP request

Sending an HTTP GET request

Creating a file

Reading critical registry keys

Using the Windows Management Instrumentation requests

Creating a window

Searching for synchronization primitives

Stealing user critical data

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/6464f2483e79001b02c99b00/reports/274250b7-d3f0-49f2-bda5-e05f27f7cb22/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/2d6dab6999a94d2adc4afdc5b696471e7ee9743647225e06dd3927f88c71b907

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/83bc2167-91b4-483e-aa4a-cdf794875a34

Result

Threat name:

Vidar

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1235470

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Crypto Currency Wallets

Uses known network protocols on non-standard ports

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/2d6dab6999a94d2adc4afdc5b696471e7ee9743647225e06dd3927f88c71b907/

Threat name:

Win32.Spyware.Vidar

Status:

Malicious

First seen:

2023-05-17 15:27:08 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

17 of 24 (70.83%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=fvw2w2mzvfgsvxck7xc3nfshdz7os5bwi4rf4bw5het7rddrxedq._file

Verdict:

malicious

ArkeiStealer

0f99eef3431f8f04eef23ccab335afcd7129e1ca69728ba2bfc929de3010e402

ArkeiStealer

4c89e04ebf04b92bcd16357f0423fb3b5aad86c2f937df0afadc452fddcf8c80

ArkeiStealer

9b7720640ea927b47581425a91027c4f5eb4871c7b00bc86ce39079e789bcbf8

ArkeiStealer

b6ea9a9a7c01640cdf980211e0942559566507195d91fe0d4e4b28b7406e2343

ArkeiStealer

b92797965358585eadbe928c2b8531c5575caa87cbcef1171a48f1941a10b740

ArkeiStealer

c2dfe32086a0b4085c35fe0aee15e5a1d55bc0e61101fa69e7223da8c35d82df

ArkeiStealer

cf1e04b5bdcdea701bcccd48ad40f5cd709e059ba35d935b821d6808e0fecd14

ArkeiStealer

e0c350a16bb3fec4d9306d413e93241c733412f14cbdc9a4e95e9f973aa1bcff

ArkeiStealer

e2fe66dc2a429aadd2ddbdd0d09e78f7a5ae13ff6f874e36e8f4edee443a892e

ArkeiStealer

+ 30 additional samples on MalwareBazaar

Result

Malware family:

vidar

Score:

10/10

Tags:

family:vidar botnet:2ad8358aa58beeea05cca6adf4e8c87e discovery spyware stealer

Link:

https://tria.ge/reports/230517-svq3msee6z/

Behaviour

Checks processor information in registry

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Enumerates physical storage devices

Accesses 2FA software files, possible credential harvesting

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Checks computer location settings

Loads dropped DLL

Reads user/profile data of web browsers

Vidar

Malware Config

C2 Extraction:

https://steamcommunity.com/profiles/76561199263069598
https://t.me/cybehost

Unpacked files

SH256 hash:

f23cd6a1db6a07d406a25dcb5ecfa226671377a47121bde8d17b14d4d2b985a3

MD5 hash:

987f79f7421e9b7d1e88399f72aa41db

SHA1 hash:

4e262115a1d7dc6095aa2cafc114fd6506cffb65

Detections:

VidarStealer

Link:

https://www.unpac.me/results/9b9db2a0-d526-4efe-a32c-d8c84276bd19/

SH256 hash:

2d6dab6999a94d2adc4afdc5b696471e7ee9743647225e06dd3927f88c71b907

MD5 hash:

0b606e788a09adcfd070237083fcf72b

SHA1 hash:

cade72d6bccc837945f018e63821cbb6f62aa4a0

Link:

https://www.unpac.me/results/9b9db2a0-d526-4efe-a32c-d8c84276bd19/

Malware family:

Vidar.A

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/2d6dab6999a9/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/2d6dab6999a94d2adc4afdc5b696471e7ee9743647225e06dd3927f88c71b907

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	has_telegram_urls Create hunting rule
Author:	Aaron DeVera<aaron@backchannel.re>
Description:	Detects Telegram URLs

Rule name:	Telegram_Links Create hunting rule

Rule name:	Vidar Create hunting rule
Author:	kevoreilly,rony
Description:	Vidar Payload

Rule name:	Windows_Trojan_Smokeloader_3687686f Create hunting rule
Author:	Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/390739/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample