MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2e205ecc398903361efb69b5790716a47b76301e7b8ad3be506fbde96ee6ffe7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2e205ecc398903361efb69b5790716a47b76301e7b8ad3be506fbde96ee6ffe7
SHA3-384 hash: 641f0432d44a8186c38191e7d39c274622ab38f6b801432456f83182dba193babb537d7ce979d19fe28a5cea82447efe
SHA1 hash: 50b2707eb2b9f5a023868fc14b31f2e4ed22364b
MD5 hash: 974bcd4a5d035822388dcb1cfb6661aa
humanhash: bluebird-william-salami-xray
File name:Software.exe
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:1'267'712 bytes
First seen:2023-01-21 02:32:06 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:PNmS4PkkFrRxomLrOYjTCzAFZVb6WfaMImlta:VmS4silxomLrXjOUuWfd
Threatray 1'915 similar samples on MalwareBazaar
TLSH T1B045BE42696647E2DCB98C34B2B9E51427A14CD2436D9D3E7D863E3ACCF338F4856B12
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 86c6cece8e8caedc (1 x ArkeiStealer, 1 x RedLineStealer, 1 x Amadey)
Reporter Chainskilabs
Tags:ArkeiStealer exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
284
Origin country :
CA CA
Vendor Threat Intelligence
Malware family:
vidar
Create hunting rule
ID:
1
File name:
Software.exe
Verdict:
Malicious activity
Analysis date:
2023-01-21 02:32:54 UTC
Tags:
trojan stealer vidar
Link:
https://app.any.run/tasks/58e62e01-a4e0-4f6f-9a47-64587db6a7b6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/355225/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Creating a file in the system32 subdirectories
Unauthorized injection to a recently created process
Creating a file
Сreating synchronization primitives
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
83%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/63cb4ede2b351a3d0ea73f1c/reports/5b650f3f-b268-461a-ab50-4e42e924d4b3/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d22bde05-377a-4d63-837e-989124f345da
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1156033
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Contains functionality to compare user and computer (likely to detect sandboxes)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
PE file contains section with special chars
PE file has a writeable .text section
Self deletion via cmd or bat file
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected AntiVM3
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 788765 Sample: Software.exe Startdate: 21/01/2023 Architecture: WINDOWS Score: 100 58 Snort IDS alert for network traffic 2->58 60 Antivirus detection for URL or domain 2->60 62 Antivirus detection for dropped file 2->62 64 10 other signatures 2->64 9 Software.exe 3 2->9         started        process3 file4 38 C:\Users\user\AppData\...\Software.exe.log, ASCII 9->38 dropped 74 Self deletion via cmd or bat file 9->74 76 Injects a PE file into a foreign processes 9->76 78 Contains functionality to compare user and computer (likely to detect sandboxes) 9->78 13 Software.exe 24 9->13         started        18 WerFault.exe 21 9 9->18         started        signatures5 process6 dnsIp7 52 65.109.208.140, 49697, 80 ALABANZA-BALTUS United States 13->52 54 t.me 149.154.167.99, 443, 49696 TELEGRAMRU United Kingdom 13->54 56 2 other IPs or domains 13->56 40 C:\Users\user\AppData\Local\...\bebra[1].exe, PE32+ 13->40 dropped 42 C:\Users\user\AppData\Local\...\Clip1[1].exe, PE32+ 13->42 dropped 44 C:\ProgramData\93370787702947398853.exe, PE32+ 13->44 dropped 46 C:\ProgramData\38232396646153402763.exe, PE32+ 13->46 dropped 80 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 13->80 82 Self deletion via cmd or bat file 13->82 84 Tries to harvest and steal browser information (history, passwords, etc) 13->84 86 Tries to steal Crypto Currency Wallets 13->86 20 38232396646153402763.exe 13->20         started        24 93370787702947398853.exe 13->24         started        26 cmd.exe 1 13->26         started        file8 signatures9 process10 dnsIp11 48 youtube-ui.l.google.com 172.217.168.46 GOOGLEUS United States 20->48 50 www.youtube.com 20->50 66 Antivirus detection for dropped file 20->66 68 Multi AV Scanner detection for dropped file 20->68 70 Tries to harvest and steal browser information (history, passwords, etc) 20->70 28 cmd.exe 1 20->28         started        72 Machine Learning detection for dropped file 24->72 30 conhost.exe 26->30         started        32 timeout.exe 1 26->32         started        signatures12 process13 process14 34 conhost.exe 28->34         started        36 choice.exe 1 28->36         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2e205ecc398903361efb69b5790716a47b76301e7b8ad3be506fbde96ee6ffe7/
Threat name:
Win32.Infostealer.Bandra
Create hunting rule
Status:
Malicious
First seen:
2023-01-21 03:08:53 UTC
AV detection:
12 of 26 (46.15%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fyqf5tbzrebtmhx3ng2xsbywur5xmma6pofnhpsqn666s3xg77tq._file
Verdict:
malicious
Similar samples:
12567de24a8dbc6c0103aa263217ad240098d7545e32546f35fd5b791b1869fa
ArkeiStealer
226ed812358dd933659606de6a4c7effa16b4eb2c2003b9125a76097f36a7637
ArkeiStealer
3e84d664aa9fa55735c98f2e91c58b9bdb6630014b151fb69b23da124912d369
ArkeiStealer
4b1338eceb20e531dca686256b82a8aa56e75aeb4b53f54d08900dd75fc0b19f
ArkeiStealer
4b56f06c41fb17b2e445bee3e4016d3297f758cbb20b3fc280763593813242df
ArkeiStealer
4c98097c2e234a8cb19327c9ddaa9b8c8669dd0f0a95fd71912282e6f0cf50d5
ArkeiStealer
656f5c1e8367a0b6e34dbf8e5740be127b4ffaa74a22a2164fcd68eff45580ff
ArkeiStealer
6ad67b7dd47d2e625f7a143be485695dd20648a2363bd91ac079556624712354
ArkeiStealer
6e3f1055521e01bd967f22fd68b48410342264b62cf7b7998a6686a2141d4d67
ArkeiStealer
88dbf134cd4628fc8b97cc1adf5201cae875df1fa5280b3cbc0306478161e9f4
ArkeiStealer
+ 1'905 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar botnet:15 discovery spyware stealer themida
Link:
https://tria.ge/reports/230121-c1xjlscc41/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
Downloads MZ/PE file
Executes dropped EXE
Vidar
Malware Config
C2 Extraction:
https://t.me/jetbim
https://steamcommunity.com/profiles/76561199471266194
Unpacked files
SH256 hash:
4ccf31440caeeac9a5c6db3e72f0d295bca8a19c3b75e053c7b78fc30f30652f
MD5 hash:
07ca23d62c622cb6f7556b678ebec23d
SHA1 hash:
cdbd0d40869112cf98d56220fcf4412a075d2276
Link:
https://www.unpac.me/results/3976538a-ae63-4b2f-93cb-bb9d32fe9c3d/
SH256 hash:
ea376885ad0194ac43c786b9f64d2b8509bd647911df4d27bf11df511315dabb
MD5 hash:
136c0b180eda626cb997d99898ca3ee2
SHA1 hash:
895e5f0097896524cb7f08f67c878d4aba0c7cc3
Link:
https://www.unpac.me/results/3976538a-ae63-4b2f-93cb-bb9d32fe9c3d/
SH256 hash:
ff1b42ea7d56a37eae801adbddb7116f52a4664c0b41302736f522852edc2747
MD5 hash:
89ac57478044c57c7195943116a521e0
SHA1 hash:
1ff2bafeed795423e3538d810bda8e1e3fcdcfa5
Link:
https://www.unpac.me/results/3976538a-ae63-4b2f-93cb-bb9d32fe9c3d/
SH256 hash:
ae64e55d8ad0c5e34e784ae98be7f5c11c2c2bc997a3b44de821853c47ddeabc
MD5 hash:
0b9718067426e00884af3290e505e5b1
SHA1 hash:
1f6b07eb6131357596049476db49486cfd169c8d
Link:
https://www.unpac.me/results/3976538a-ae63-4b2f-93cb-bb9d32fe9c3d/
SH256 hash:
f4b4beea8b88e89957c2f62b578dfe11d8034840d57c425b73dcc94235ade444
MD5 hash:
e8373192e597389b1de05f3b3a748c68
SHA1 hash:
0e18459f0b1c52ae6963c4f83fbf592cfdda6485
Link:
https://www.unpac.me/results/3976538a-ae63-4b2f-93cb-bb9d32fe9c3d/
SH256 hash:
2e205ecc398903361efb69b5790716a47b76301e7b8ad3be506fbde96ee6ffe7
MD5 hash:
974bcd4a5d035822388dcb1cfb6661aa
SHA1 hash:
50b2707eb2b9f5a023868fc14b31f2e4ed22364b
Link:
https://www.unpac.me/results/3976538a-ae63-4b2f-93cb-bb9d32fe9c3d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/2e205ecc398903361efb69b5790716a47b76301e7b8ad3be506fbde96ee6ffe7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/355225/

Comments