MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 30eb1174412010512f13dd33bbad41e759c75f3f9cc96146ab2661bd723b246f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ArkeiStealer
Vendor detections: 15



SHA256 hash: 30eb1174412010512f13dd33bbad41e759c75f3f9cc96146ab2661bd723b246f
SHA3-384 hash: 3e2c67990172fec4862d70b9806dda0400eb1e58dc5ba8f10b27ad51a8dddf43a74254d94f748015a9af7a32f3e7c987
SHA1 hash: 99149d57750981e01ad2ae96425492c63109f150
MD5 hash: 2c97fecf8c25eb347068ee42a17523ef
humanhash: north-illinois-mirror-georgia
File name: lnstaIIer .x64.exe
Signature: ArkeiStealer
File size: 6'106'112 bytes
First seen: 2022-10-29 20:05:33 UTC
Last seen: 2022-10-29 21:08:51 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: dafdbbc6109353a89cfda1e51dd5d507 (3 x ArkeiStealer)
ssdeep: 98304:ngGuFERs6w1NdI5smvhwCDsQsMsv3LU+cG/CdL6S4rr832ddu+U28J/1f:gtFERytM3JDsQ7sfXczMNru3JNf
Threatray: 883 similar samples on MalwareBazaar
TLSH: T13256235312960006D5EDC837C627BEA132F753769742FCFA659B9EC926178E0F6038A3
TrID: 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
      20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
      13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
      6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter: abuse_ch
Tags: ArkeiStealer exe
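Two checks a practitioner runs on this entry before touching the sample, as an added example that is not code from MalwareBazaar or abuse.ch: recompute the four digests listed above over a fetched file and compare them with the entry (so the file on disk is confirmed to be the sample this page describes, not a different artefact from the same archive), and flag the listed file name, which spells "Installer" with look-alike glyphs (lowercase l for I, capital I for l) and puts a space before the extension. The function names, the LURE_WORDS list and the glyph-folding table are this example's own choices; the stand-in bytes in the `__main__` branch are constructed so the script runs offline.

```python
"""Pre-analysis checks for the sample in this MalwareBazaar entry (added example)."""
import hashlib
import re

# Digests copied from the entry above.
ENTRY_HASHES = {
    "sha256": "30eb1174412010512f13dd33bbad41e759c75f3f9cc96146ab2661bd723b246f",
    "sha3_384": "3e2c67990172fec4862d70b9806dda0400eb1e58dc5ba8f10b27ad51a8dddf43a74254d94f748015a9af7a32f3e7c987",
    "sha1": "99149d57750981e01ad2ae96425492c63109f150",
    "md5": "2c97fecf8c25eb347068ee42a17523ef",
}
ENTRY_FILE_NAME = "lnstaIIer .x64.exe"  # file name as listed in the entry


def digest_bytes(data: bytes) -> dict:
    """Return {algorithm: hex digest} for the four algorithms the entry lists."""
    return {name: hashlib.new(name, data).hexdigest() for name in ENTRY_HASHES}


def digest_file(path: str, chunk_size: int = 1 << 20) -> dict:
    """Same as digest_bytes, but streams the file so a multi-megabyte sample
    (this one is 6'106'112 bytes) is hashed without loading it whole."""
    hashers = {name: hashlib.new(name) for name in ENTRY_HASHES}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def mismatches(computed: dict, expected: dict = ENTRY_HASHES) -> list:
    """Names of algorithms whose digest differs from the entry.
    An empty list means the file is the sample this page describes."""
    return [name for name, want in expected.items()
            if computed.get(name, "").lower() != want.lower()]


# File-name triage. Lower-case first (so 'I' becomes 'i'), then fold glyphs that
# look alike in common UI fonts onto one representative character.
_FOLD = str.maketrans("l1|0", "iiio")
LURE_WORDS = ("installer", "setup", "update", "patch", "crack", "keygen")  # assumed list


def fold_confusables(token: str) -> str:
    """Canonical form used to compare a name against lure words."""
    return token.lower().translate(_FOLD)


def filename_findings(filename: str) -> list:
    """Human-readable reasons the name looks like a lure (empty list = none)."""
    findings = []
    if re.search(r"\s\.", filename):
        findings.append("whitespace before an extension")
    for token in re.split(r"[\s._-]+", filename):
        for word in LURE_WORDS:
            if token and fold_confusables(token) == fold_confusables(word) \
                    and token.lower() != word:
                findings.append(f"{token!r} mimics {word!r} with look-alike glyphs")
    return findings


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # Real use: python check.py /path/to/unzipped/sample
        bad = mismatches(digest_file(sys.argv[1]))
        print("digests match the entry" if not bad else f"MISMATCH on {bad}")
    else:
        # Constructed stand-in bytes, not the sample: every digest differs.
        print(mismatches(digest_bytes(b"constructed stand-in, not the sample")))
    print(filename_findings(ENTRY_FILE_NAME))
```

The digest comparison is case-insensitive because vendors print hex in either case; the fuzzy hashes (ssdeep, TLSH) and the imphash are not recomputed here since they need third-party libraries and a PE parser, and they are for similarity searches, not integrity.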


abuse_ch
ArkeiStealer C2:
http://88.119.169.42/

Intelligence


File Origin
# of uploads: 2
# of downloads: 466
Origin country: n/a
Vendor Threat Intelligence

Malware family:
ID: 1
File name: lnstaIIer .x64.exe
Verdict: Malicious activity
Analysis date: 2022-10-29 20:08:22 UTC
Tags: trojan stealer vidar

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour:
Creating synchronization primitives
Sending an HTTP GET request
Creating a file
Sending a custom TCP request
Reading critical registry keys
Creating a window
Launching cmd.exe command interpreter
Creating a process with a hidden window
Launching a process
Stealing user critical data
Launching a tool to kill processes
Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour:

MalwareBazaar
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: packed shell32.dll
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Vidar stealer
Threat name: Win32.Infostealer.Bandra
Status: Malicious
First seen: 2022-10-29 20:06:21 UTC
File Type: PE (Exe)
Extracted files: 1
AV detection: 16 of 26 (61.54%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:vidar botnet:1729 discovery spyware stealer
Behaviour:
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Program crash
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Vidar
Malware Config
C2 Extraction: http://88.119.169.42:80
Unpacked files
SHA256 hash: 702e5f367091cb541d2fc2d4c05e6d86a3cedfce288f2c42e056d97cf0f76f9a
MD5 hash: 645f26ccf2b5bcfff14366e38e2e5bfc
SHA1 hash: a138deddfdec5b7a8ab6ae13bb97c551c0d19caf
Detections: VidarStealer
SHA256 hash: 30eb1174412010512f13dd33bbad41e759c75f3f9cc96146ab2661bd723b246f
MD5 hash: 2c97fecf8c25eb347068ee42a17523ef
SHA1 hash: 99149d57750981e01ad2ae96425492c63109f150
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments