MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 311ad9668bfcc6cf1688a6ccd995fffc2f6c7891df6e3b3e0a528488049b8f0c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 311ad9668bfcc6cf1688a6ccd995fffc2f6c7891df6e3b3e0a528488049b8f0c
SHA3-384 hash: 9922502e3c4fdf38a0dae7b197cd8305a5de9288a34c77b8b773080c08702441463c966556ab8adc251d812f31b2a699
SHA1 hash: ae5a967a734063ce3c9b7ccb112b44ccdbf1b5fb
MD5 hash: 27686627d6240005afd3c4516a58b032
humanhash: vegan-robin-california-fix
File name:file
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:4'097'536 bytes
First seen:2023-05-15 21:29:04 UTC
Last seen:2023-05-16 02:38:08 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 98304:yJhq1t7g2bLMfm9tOyjg9Pq8R8tf9wpnvN+JGLO1ownzyjMfurJ:yJhot4+9tmq8R8tlwBVJOJ4MWrJ
Threatray 1'323 similar samples on MalwareBazaar
TLSH T19516E13D09A6CAEAC07FC3E49BCC4957FABCD837B215D96F28C60346624164E61D219F
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter andretavare5
Tags:ArkeiStealer exe


Avatar
andretavare5
Sample downloaded from https://vk.com/doc797927207_660441113?hash=3mJGkx3T8liMDpfKL20aZNjzvFlUO8qkrRN8X4WBews&dl=G44TOOJSG4ZDANY:1684181724:RJfVp3s9q7cjAcgdZGTXut2VuXsZbzhYzjzCaKVvsmP&api=1&no_preview=1#b1

Intelligence

File Origin
# of uploads :
11
# of downloads :
312
Origin country :
US US
Vendor Threat Intelligence
Malware family:
arkei
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-05-15 21:30:38 UTC
Tags:
stealer arkei vidar
Link:
https://app.any.run/tasks/9b029a13-8090-4cdb-8a25-a0b8c0b6433d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Vidar
Create hunting rule
Link:
https://www.capesandbox.com/analysis/390275/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.11960.27838.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Unauthorized injection to a recently created process
Creating a file
Сreating synchronization primitives
DNS request
Sending an HTTP GET request
Reading critical registry keys
Using the Windows Management Instrumentation requests
Creating a process from a recently created file
Stealing user critical data
Query of malicious DNS domain
Sending a TCP request to an infection source
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6462a45be18b58ecd89b91a4/reports/ddad7f40-f33f-44b4-a5b0-c309052d370e/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/311ad9668bfcc6cf1688a6ccd995fffc2f6c7891df6e3b3e0a528488049b8f0c
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/cefef230-570b-4946-8a84-f5e673e2c716
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1234102
Signature
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Yara detected AntiVM3
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 867084 Sample: file.exe Startdate: 15/05/2023 Architecture: WINDOWS Score: 100 46 Found malware configuration 2->46 48 Antivirus detection for dropped file 2->48 50 Multi AV Scanner detection for submitted file 2->50 52 9 other signatures 2->52 8 file.exe 3 2->8         started        12 cmd.exe 2 2->12         started        14 cmd.exe 1 2->14         started        process3 file4 38 C:\Users\user\AppData\Local\...\file.exe.log, ASCII 8->38 dropped 60 Injects a PE file into a foreign processes 8->60 16 file.exe 22 8->16         started        21 conhost.exe 12->21         started        23 more.com 1 12->23         started        25 taskkill.exe 1 14->25         started        27 conhost.exe 14->27         started        signatures5 process6 dnsIp7 40 t.me 149.154.167.99, 443, 49684 TELEGRAMRU United Kingdom 16->40 42 bitbucket.org 104.192.141.1, 443, 49686 AMAZON-02US United States 16->42 44 4 other IPs or domains 16->44 34 C:\Users\user\AppData\Local\...\outapp[1].exe, PE32+ 16->34 dropped 36 C:\ProgramData\88708949921869309273.exe, PE32+ 16->36 dropped 54 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 16->54 56 Tries to harvest and steal browser information (history, passwords, etc) 16->56 58 Tries to steal Crypto Currency Wallets 16->58 29 88708949921869309273.exe 1 16->29         started        file8 signatures9 process10 signatures11 62 Antivirus detection for dropped file 29->62 64 Query firmware table information (likely to detect VMs) 29->64 66 Tries to detect sandboxes and other dynamic analysis tools (window names) 29->66 68 3 other signatures 29->68 32 conhost.exe 29->32         started        process12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/311ad9668bfcc6cf1688a6ccd995fffc2f6c7891df6e3b3e0a528488049b8f0c/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-05-15 21:30:11 UTC
File Type:
PE (.Net Exe)
Extracted files:
20
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gennszul7tdm6fuiu3gntfp77qxwy6er35xdwpqkkkciqbe3r4ga._file
Verdict:
malicious
Similar samples:
1aabaf257833b939257609dea10af40fb814682dd8de52918145f3bc40441625
ArkeiStealer
2050a2f16f735a22589fa28453489733dfa907f5f9b05ce0510b89bcafae0ba4
ArkeiStealer
214e9703ba46ea2ec8a747913145d48a8be812ab4beaf8f055e889c204955174
ArkeiStealer
271b5a55ffe8fa4b7886abbd3c5cf68614267f8bdc2f6f78fac2f5400e95aa35
ArkeiStealer
4598f17c42e3fa2259e57d1e4732ad6847a6b3469114a1d37112a8fca6ba748b
ArkeiStealer
558da56234404dd337be2a22e2493aa6c140b7688e58a17236dc95da0e5162eb
ArkeiStealer
79b23b23f117799f716d74c2d4d59263926ef13cb47078a161fe88c9a3bc1cb6
ArkeiStealer
b8d15d856905852c376d2abfb4999d128e92a364366abd2c3a13886407b9c6e0
ArkeiStealer
c73c5027ec11576250105ea0664c33a51f3a19901c6bcbfd84d88c94f3482435
ArkeiStealer
e814d34a0eb17347413d34653b7fca514c931eb1a5317012fe44d54c09617fd4
ArkeiStealer
+ 1'313 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar botnet:2638aa4b03dea00aba391798147927fd discovery spyware stealer
Link:
https://tria.ge/reports/230515-1cfsysac48/
Behaviour
Checks processor information in registry
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Vidar
Malware Config
C2 Extraction:
https://steamcommunity.com/profiles/76561199263069598
https://t.me/cybehost
Unpacked files
SH256 hash:
a7e471f7bc560488312d57e885bb4cfc423587a0d84abbb3073a820f7cd0e209
MD5 hash:
e7709a907be0cdb6ff7eb99daee97c6c
SHA1 hash:
bb3f6871c40f54070b53947bf6958d410ea8bac1
Link:
https://www.unpac.me/results/481f0aee-9312-4355-8981-4f00da754157/
SH256 hash:
7d7d1d6578fbdd89907e75dd21032ab018c3a88991dc70366478c68815f19fa5
MD5 hash:
1e2591a4957be65a12ba6ac97a975ee1
SHA1 hash:
1ae0cec4772aa7c9e63ad45cc29329adfcf9b8f7
Link:
https://www.unpac.me/results/481f0aee-9312-4355-8981-4f00da754157/
SH256 hash:
dba0239d9ea589c98e484f0a014313118b15e8063e99630583bfcad8b78a8b9c
MD5 hash:
ac2005bc121e2d56bfa67258ffa7edb7
SHA1 hash:
02bd8c075fb07be70bf75155a2693393b8cdab83
Detections:
VidarStealer
Create hunting rule
Link:
https://www.unpac.me/results/481f0aee-9312-4355-8981-4f00da754157/
SH256 hash:
311ad9668bfcc6cf1688a6ccd995fffc2f6c7891df6e3b3e0a528488049b8f0c
MD5 hash:
27686627d6240005afd3c4516a58b032
SHA1 hash:
ae5a967a734063ce3c9b7ccb112b44ccdbf1b5fb
Link:
https://www.unpac.me/results/481f0aee-9312-4355-8981-4f00da754157/
Malware family:
Vidar.A
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/311ad9668bfc/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Dotnet_Hidden_Executables_Detect
Create hunting rule
Author:Mehmet Ali Kerimoglu (@CYB3RMX)
Description:This rule detects hidden PE file presence.
Reference:https://github.com/CYB3RMX/Qu1cksc0pe
Rule name:grakate_stealer_nov_2021
Create hunting rule
Rule name:has_telegram_urls
Create hunting rule
Author:Aaron DeVera<aaron@backchannel.re>
Description:Detects Telegram URLs
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Telegram_Links
Create hunting rule
Rule name:Vidar
Create hunting rule
Author:kevoreilly,rony
Description:Vidar Payload

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/390275/

Comments