MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 2e6900e575c222bee9131ddef431f1f7803c4f712cb8c79cff1ae671b15b3078. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
ArkeiStealer
Vendor detections: 12
| SHA256 hash: | 2e6900e575c222bee9131ddef431f1f7803c4f712cb8c79cff1ae671b15b3078 |
|---|---|
| SHA3-384 hash: | fdd0c5da91765e092a336f7b35fdc35409b787004361c04809b9d8e6df00da10cf35cb0d6242926229372ea5ee86913e |
| SHA1 hash: | be68c9859be06b97db61716c2a8453ff7a675972 |
| MD5 hash: | 6257bb9a4ba86b01a0e8f667e5a57a2c |
| humanhash: | michigan-wyoming-fourteen-spaghetti |
| File name: | 6257bb9a4ba86b01a0e8f667e5a57a2c.exe |
| Download: | download sample |
| Signature | ArkeiStealer |
| File size: | 694'272 bytes |
| First seen: | 2021-09-06 06:32:33 UTC |
| Last seen: | Never |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | 9c3501e221e7e06d3e51bfb52c2b6518 (4 x ArkeiStealer, 4 x Stop, 2 x RaccoonStealer) |
| ssdeep | 12288:yQeizzauS24ABvbacoC/6uMotYznag56cJYmGw6oDDsL:YIzjS2/nlCzn/HGSw |
| Threatray | 2'763 similar samples on MalwareBazaar |
| TLSH | T1C5E40212B9C0E427E5A646304060D6F59EFEBC721A60C24BBB98E77F6F703815E25397 |
| dhash icon | 4839b2b0e8c38890 (105 x RaccoonStealer, 38 x Smoke Loader, 33 x RedLineStealer) |
| Reporter |  abuse_ch |
| Tags: | ArkeiStealer exe |
Intelligence
File Origin
# of uploads :
1
# of downloads :
101
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
6257bb9a4ba86b01a0e8f667e5a57a2c.exe
Verdict:
Malicious activity
Analysis date:
2021-09-06 06:36:12 UTC
Tags:
n/a
Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Vidar
Result
Verdict:
Malware
Maliciousness:
Behaviour
Launching the default Windows debugger (dwwin.exe)
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Deleting a recently created file
Replacing files
Reading critical registry keys
Creating a window
Delayed writing of the file
Sending a UDP request
Running batch commands
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Searching for the window
Launching a process
Stealing user critical data
Launching a tool to kill processes
Forced shutdown of a browser
Malware family:
Malicious Packer
Verdict:
Malicious
Result
Threat name:
Vidar
Detection:
malicious
Classification:
troj.spyw
Score:
64 / 100
Signature
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Threat name:
Win32.Trojan.Sabsik
Status:
Malicious
First seen:
2021-09-06 00:26:07 UTC
AV detection:
12 of 28 (42.86%)
Threat level:
5/5
Detection(s):
Malicious file
Verdict:
malicious
Similar samples:
+ 2'753 additional samples on MalwareBazaar
Result
Malware family:
vidar
Score:
10/10
Tags:
family:vidar botnet:1008 discovery spyware stealer suricata
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Vidar Stealer
Suspicious use of NtCreateProcessExOtherParentProcess
Vidar
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
Malware Config
C2 Extraction:
https://romkaxarit.tumblr.com/
Unpacked files
SH256 hash:
bba539e974547ee16aeb35898f93cb7f38c5fbfb15a7d2e6584b8910561cca36
MD5 hash:
e139d3e032bd01fa412f879f826c45a4
SHA1 hash:
0920edb0ce36283c90131d98d66aeacd26cb8633
Detections:
win_oski_g0
Parent samples :
bfe420ea0760974bdb7f76c5c95f8694e70255b9cfbf5ff19c1be2cec5c76a50
ca3291276c2ca7e712a191660b9c19eee9395d4d5f5851a5c7fadae04cabc4d4
e292a0c2b116fc037f1203ada6d8bc9c1a8b4ea9caa6fda072c36a28f6ce6332
0dd88d1680c01b1c9ab3fea4ab104518f2f0bb2b844da7937fd6af5e9e507b28
9250a42039894ce2365f01d5f5ea892911d31139c931ae50078f4d85eb70622b
038671e9ee686616defaf76fbceb7ff6efa1d7cd0e60325a61a4fad482724be3
a835db23fa3362856672e0c22bc91f43d91148f14ea8795026f789fac9101bc5
b98ce97a468d7e69e2d9344268d2c68085cf95f6386b4d5c89a772671b95468d
f3aca29ebe030327614bd9490d21337a76c99fc690da96143c778e949b4f3014
907c112beb537b9bdc86aa35fa1bb7eabd2adb88193f4eb505f1665086c7d1d9
2e6900e575c222bee9131ddef431f1f7803c4f712cb8c79cff1ae671b15b3078
d368823c55cf26cf627c93b36c1240292289cdb5df4fa72bff4726247d724334
c391048f55dd2b433a4154f643a615482841b66f5e77d97a16e2f571ba45e2fa
3ec3b89ce82722d857a655d31fe198df4cae1e506605cbdc0bab93458022fb94
54f1e7859007bb501f1ec186ff16d41d646e67c372f41378ad5277bb56fcac79
ce35f9b1b39877768401efd79bb939f079ce5d323d2332dc3306c2dff4e47598
3b36460b8174b31b1a63e77e5e97293d1ac9d87170df66fe0b388a5005e96824
211d5cfb31621051281b289aa8ce6111d894088a2059becc54ee888ce4967239
c658bfe194e75bd08503d48891fb59ec72b5d08bd1162f4f57be36327de0284f
7ed9d180673f584cb838c88400d0c9bfa8cac5b42f6f85e843f37ce91d292f18
e779a81ea1baa2b62c5bb58716469c5585a38308fe71bf220ffc73583cbb0a00
5bb23f104b0bbe34ef6c9fbc006e9423cf61ca54ea3557d423a212968a9761b2
53bf1311760dbf64ec106e6fe8cc3fd94d0c2bb401d73fb97be4817fcddb5720
52626f71a116fe737ea806d9416157fed129060e654423d84c3e9b01f4c3ddae
993599a929bcbab8c27829257fdb51f8fa02fe73555ecd9260f8cfe919eb3796
7c6321b65a08aeab4f94e25158ad2f5198c79b604c1cbcc57ddc4259c022e506
838d45fb11410a9b2cfcc817a7204c8c129c349e8e1dce38279153e6d3d47025
23fd9ad1ccf48f7063ed54e5a2970936299a6951547a689ac320858531217510
ca3291276c2ca7e712a191660b9c19eee9395d4d5f5851a5c7fadae04cabc4d4
e292a0c2b116fc037f1203ada6d8bc9c1a8b4ea9caa6fda072c36a28f6ce6332
0dd88d1680c01b1c9ab3fea4ab104518f2f0bb2b844da7937fd6af5e9e507b28
9250a42039894ce2365f01d5f5ea892911d31139c931ae50078f4d85eb70622b
038671e9ee686616defaf76fbceb7ff6efa1d7cd0e60325a61a4fad482724be3
a835db23fa3362856672e0c22bc91f43d91148f14ea8795026f789fac9101bc5
b98ce97a468d7e69e2d9344268d2c68085cf95f6386b4d5c89a772671b95468d
f3aca29ebe030327614bd9490d21337a76c99fc690da96143c778e949b4f3014
907c112beb537b9bdc86aa35fa1bb7eabd2adb88193f4eb505f1665086c7d1d9
2e6900e575c222bee9131ddef431f1f7803c4f712cb8c79cff1ae671b15b3078
d368823c55cf26cf627c93b36c1240292289cdb5df4fa72bff4726247d724334
c391048f55dd2b433a4154f643a615482841b66f5e77d97a16e2f571ba45e2fa
3ec3b89ce82722d857a655d31fe198df4cae1e506605cbdc0bab93458022fb94
54f1e7859007bb501f1ec186ff16d41d646e67c372f41378ad5277bb56fcac79
ce35f9b1b39877768401efd79bb939f079ce5d323d2332dc3306c2dff4e47598
3b36460b8174b31b1a63e77e5e97293d1ac9d87170df66fe0b388a5005e96824
211d5cfb31621051281b289aa8ce6111d894088a2059becc54ee888ce4967239
c658bfe194e75bd08503d48891fb59ec72b5d08bd1162f4f57be36327de0284f
7ed9d180673f584cb838c88400d0c9bfa8cac5b42f6f85e843f37ce91d292f18
e779a81ea1baa2b62c5bb58716469c5585a38308fe71bf220ffc73583cbb0a00
5bb23f104b0bbe34ef6c9fbc006e9423cf61ca54ea3557d423a212968a9761b2
53bf1311760dbf64ec106e6fe8cc3fd94d0c2bb401d73fb97be4817fcddb5720
52626f71a116fe737ea806d9416157fed129060e654423d84c3e9b01f4c3ddae
993599a929bcbab8c27829257fdb51f8fa02fe73555ecd9260f8cfe919eb3796
7c6321b65a08aeab4f94e25158ad2f5198c79b604c1cbcc57ddc4259c022e506
838d45fb11410a9b2cfcc817a7204c8c129c349e8e1dce38279153e6d3d47025
23fd9ad1ccf48f7063ed54e5a2970936299a6951547a689ac320858531217510
SH256 hash:
2e6900e575c222bee9131ddef431f1f7803c4f712cb8c79cff1ae671b15b3078
MD5 hash:
6257bb9a4ba86b01a0e8f667e5a57a2c
SHA1 hash:
be68c9859be06b97db61716c2a8453ff7a675972
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.
| Rule name: | INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore |
|---|---|
| Author: | ditekSHen |
| Description: | Detects executables containing SQL queries to confidential data stores. Observed in infostealers |
| Rule name: | INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation |
|---|---|
| Author: | ditekSHen |
| Description: | Detects executables containing potential Windows Defender anti-emulation checks |
| Rule name: | MALWARE_Win_Vidar |
|---|---|
| Author: | ditekSHen |
| Description: | Detects Vidar / ArkeiStealer |
| Rule name: | Vidar |
|---|---|
| Author: | kevoreilly |
| Description: | Vidar Payload |
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Web download
Delivery method
Distributed via web download
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.