MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2f546ff4327d9dc62caf7d0b5e661daa4928717d3fadf4bdac32284e7e075e03. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2f546ff4327d9dc62caf7d0b5e661daa4928717d3fadf4bdac32284e7e075e03
SHA3-384 hash: c0d3380b04a9d0219cd8cfaa9d8c49c626bc915e59170e7aec7bd89d0e71c40f913f816f2031384fa96d3ae80955f823
SHA1 hash: 6e2a89fa771d00606b7242eff8eb476a4e6662b1
MD5 hash: 3f4c8af3bd20cd38462283d8bad04a54
humanhash: white-lion-queen-tennis
File name:3f4c8af3bd20cd38462283d8bad04a54.exe
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:657'920 bytes
First seen:2021-06-02 13:51:33 UTC
Last seen:2021-06-02 14:42:59 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash ce0285631d070898f097544ed4dc3769 (3 x RaccoonStealer, 2 x RedLineStealer, 1 x Smoke Loader)
ssdeep 12288:y1vGD4Ne1vNKpHfvStleOQ2eYmRKBuOYf0XdD4AmOWSg:yA4c1vIzbQYfZAy/
Threatray 1'020 similar samples on MalwareBazaar
TLSH 28E4E010A7B0D039F5F356B499B99179A53ABDA1BB3450CB13D62BEA0734EE0AD31307
Reporter abuse_ch
Tags:ArkeiStealer exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
142
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
93c2d749cdf8bec63a116334a049ecce.exe
Verdict:
Malicious activity
Analysis date:
2021-06-02 13:23:52 UTC
Tags:
trojan ransomware stop loader stealer vidar
Link:
https://app.any.run/tasks/36c4338f-ec89-4c2c-bb60-1686e7c43a4e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Vidar
Create hunting rule
Link:
https://www.capesandbox.com/analysis/164076/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Replacing files
Reading critical registry keys
Delayed writing of the file
Running batch commands
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Searching for the window
Launching a process
Sending a UDP request
Creating a window
Unauthorized injection to a recently created process
DNS request
Sending a custom TCP request
Connection attempt
Sending an HTTP GET request
Creating a file
Deleting a recently created file
Stealing user critical data
Launching a tool to kill processes
Forced shutdown of a browser
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/795980
Signature
Antivirus detection for URL or domain
Contains functionality to inject code into remote processes
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2f546ff4327d9dc62caf7d0b5e661daa4928717d3fadf4bdac32284e7e075e03/
Threat name:
Win32.Trojan.Glupteba
Create hunting rule
Status:
Malicious
First seen:
2021-06-02 13:52:12 UTC
File Type:
PE (Exe)
Extracted files:
21
AV detection:
16 of 29 (55.17%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=f5kg75bspwo4mlfppufv4zq5vjesq4l5h6w7jpnmgiue47qhlybq._file
Verdict:
malicious
Similar samples:
3411ffa29608d19dc77f53571010425fc94abd5dac92d6c2abffab6eb468c0ea
ArkeiStealer
3b36f51b91f67c01015777197970e7ea37e291ff8b6401a853e9582b0a1d90cb
ArkeiStealer
4f8fe2f14c19ae475f397f4ea62e59ef42adc7c5af1ced0fca00d8963c9fb6d6
ArkeiStealer
83f50d86c658c945ad095f32812422656d56612c31dc4f5ff72f850b604f2aac
ArkeiStealer
864ef1321215c0dad7c8677e3c18942b111468c63358475baa71fb1679c25096
ArkeiStealer
a28956c03af41c83a80a84889bd4b2528c3842f14ca44d7c2d3362cbaa036b8d
ArkeiStealer
c06a0e78bbdb7eb777ee46932da052fc2bc4efc2987e63bad29d2177cdcb7cb4
ArkeiStealer
c5abf55b0591c96c64316cef1b7c5124f3b7ab3d05bc75ab80ae17c53d01dc72
ArkeiStealer
cb3c387163302fbf8ddb4c13e9d786c1070a4185a74bdd3faebd1649d02b2b30
ArkeiStealer
f91c7c2e15b7343d97bc5c3961f43ebd659440102a4a9c3359d7a9e6e0aef9d3
ArkeiStealer
+ 1'010 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar discovery spyware stealer
Link:
https://tria.ge/reports/210602-ttjr4p3jc6/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Vidar
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2f546ff4327d9dc62caf7d0b5e661daa4928717d3fadf4bdac32284e7e075e03

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICOIUS_WindDefender_AntiEmaulation
Create hunting rule
Author:ditekSHen
Description:Detects executables containing potential Windows Defender anti-emulation checks
Rule name:MALWARE_Win_Vidar
Create hunting rule
Author:ditekSHen
Description:Detects Vidar / ArkeiStealer
Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del
Rule name:Vidar
Create hunting rule
Author:kevoreilly
Description:Vidar Payload
Rule name:win_vidar_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ArkeiStealer

Executable exe 2f546ff4327d9dc62caf7d0b5e661daa4928717d3fadf4bdac32284e7e075e03

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1256040/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/164076/

Comments