MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 334fb1c3def58d304673a7be8b63399d481bc45a8c33567003c09784efd16ebd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 11


Intelligence 11 IOCs 1 YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 334fb1c3def58d304673a7be8b63399d481bc45a8c33567003c09784efd16ebd
SHA3-384 hash: c2b07de00039aacc4ce5e1f1854de3f81863f598aa7677c62add63c2659b19b6a5bdc73a5b1a65250a1604987a901414
SHA1 hash: 7d4acfd37ce4a498c85a2b7b8ff6d70a4aec557a
MD5 hash: 34bdb9a0cc7686903eec49ef2cc1e7cf
humanhash: neptune-hydrogen-glucose-eleven
File name:file
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:1'341'440 bytes
First seen:2022-10-24 10:37:17 UTC
Last seen:2022-10-25 08:43:20 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f9dd8a0feaf4fa9fd20d4d8ea4827100 (17 x RedLineStealer, 2 x ArkeiStealer)
ssdeep 24576:pUHVoXYRYznhf1Mx0/YB1yR1SndVJEh/up3W22IJUCZw2bjy:OHVycnZt3WaJfy
Threatray 745 similar samples on MalwareBazaar
TLSH T12B557C29FB0729B4DA235371855FEA7B9B08BA148032EEBFFF4BDA0874324127C49555
TrID 44.6% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
23.6% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
9.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.4% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter andretavare5
Tags:ArkeiStealer exe


Avatar
andretavare5
Sample downloaded from https://vk.com/doc733883836_657434971?hash=KMggGbqh9yMujXYpAJ4AGnActiK5lDJbpP4QBgVRGkT&dl=G4ZTGOBYGM4DGNQ:1666606823:lAHvQvux2OesO0joIxjaCbpyLoY9FbS4LvhAfcA0B3s&api=1&no_preview=1#den10

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://78.47.204.168/ https://threatfox.abuse.ch/ioc/891320/

Intelligence

File Origin
# of uploads :
550
# of downloads :
210
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
vidar
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2022-10-24 10:37:58 UTC
Tags:
trojan stealer vidar loader
Link:
https://app.any.run/tasks/8342d0c8-56c6-4ae6-85f1-38ffb633ef13

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/323339/
Detection(s):
SecuriteInfo.com.Variant.Fragtor.155241.11142.26219.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the system32 subdirectories
Creating a file
Launching a process
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Creating a process with a hidden window
Creating a window
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/287632e8-1639-454e-aacd-e3c4bd92f6b0
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
spre.troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1096412
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
DLL side loading technique detected
Found many strings related to Crypto-Wallets (likely being stolen)
Infects executable files (exe, dll, sys, html)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Modifies the hosts file
Multi AV Scanner detection for domain / URL
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 729053 Sample: file.exe Startdate: 24/10/2022 Architecture: WINDOWS Score: 100 67 Multi AV Scanner detection for domain / URL 2->67 69 Malicious sample detected (through community Yara rule) 2->69 71 Antivirus detection for URL or domain 2->71 73 8 other signatures 2->73 9 file.exe 1 2->9         started        process3 signatures4 75 Contains functionality to inject code into remote processes 9->75 77 Writes to foreign memory regions 9->77 79 Allocates memory in foreign processes 9->79 81 Injects a PE file into a foreign processes 9->81 12 vbc.exe 23 9->12         started        17 WerFault.exe 23 9 9->17         started        19 conhost.exe 9->19         started        process5 dnsIp6 59 t.me 149.154.167.99, 443, 49691 TELEGRAMRU United Kingdom 12->59 61 serotyw.site 91.242.229.54, 49693, 80 LANTRACE-LLCUA Ukraine 12->61 63 78.47.204.168, 49692, 80 HETZNER-ASDE Germany 12->63 47 C:\Users\user\AppData\...\Filename[1].exe, PE32 12->47 dropped 49 C:\ProgramData\sqlite3.dll, PE32 12->49 dropped 51 C:\ProgramData\70105842860793129555.exe, PE32 12->51 dropped 89 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 12->89 91 Tries to harvest and steal browser information (history, passwords, etc) 12->91 93 DLL side loading technique detected 12->93 95 Tries to steal Crypto Currency Wallets 12->95 21 70105842860793129555.exe 12->21         started        24 cmd.exe 12->24         started        65 192.168.2.1 unknown unknown 17->65 53 C:\ProgramData\Microsoft\...\Report.wer, Unicode 17->53 dropped file7 signatures8 process9 file10 39 C:\Users\user\AppData\Local\Temp\...\Cert.exe, PE32 21->39 dropped 26 Cert.exe 21->26         started        31 cmd.exe 21->31         started        33 conhost.exe 24->33         started        35 timeout.exe 24->35         started        process11 dnsIp12 55 api.telegram.org 149.154.167.220, 443, 49704 TELEGRAMRU United Kingdom 26->55 57 revouninstaller.click 45.87.154.168, 443, 49705 ASN-POSTLTDRU Russian Federation 26->57 41 C:\Program Files\...\chrome1.exe (copy), PE32 26->41 dropped 43 C:\Program Filesbehaviorgraphoogle\Chrome\...\chrome.exe, PE32 26->43 dropped 83 Machine Learning detection for dropped file 26->83 85 Infects executable files (exe, dll, sys, html) 26->85 45 C:\Windows\System32\drivers\etc\hosts, ASCII 31->45 dropped 87 Modifies the hosts file 31->87 37 conhost.exe 31->37         started        file13 signatures14 process15
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/334fb1c3def58d304673a7be8b63399d481bc45a8c33567003c09784efd16ebd/
Threat name:
Win32.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2022-10-24 11:19:18 UTC
File Type:
PE (Exe)
AV detection:
18 of 25 (72.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gnh3dq666wgtarttu67iwyzztvebxrc2rqzvm4adyclyj36rn26q._file
Verdict:
malicious
Similar samples:
11a3fde6fbce94c261cc8785856d132eccd5239e95a9129c2ba404cad58bbd96
ArkeiStealer
27253651170386863b148afb2a0fdda7780ae65cbc31405acbd99fa06b44b79f
ArkeiStealer
569ea2229b464fe4cbffdb473cff09912f91fb593a16be9003f38dc8c083a62a
ArkeiStealer
8ecc0426ea37a5c9e59d00b4fde1508175a950372ec3870965f1e527634b3419
ArkeiStealer
ae5fa45e7af9a7fe4e5f96a38578fc7c065c2c4f438b3669f71b24f603188549
ArkeiStealer
e1b703cb0718ac38b01753facb2dd66a8c60d5af82f190f00f90d3a2f53a8a4c
ArkeiStealer
+ 735 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar botnet:937 spyware stealer
Link:
https://tria.ge/reports/221024-mpdbpsgbek/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Loads dropped DLL
Uses the VBS compiler for execution
Vidar
Malware Config
C2 Extraction:
https://t.me/slivetalks
https://c.im/@xinibin420
Unpacked files
SH256 hash:
d0b8d2f27ebe504ea1703498c9f6b75fa4b0e348d44d17756b5d47cf60a5e928
MD5 hash:
93afe8544719caf39751de2e6d91945f
SHA1 hash:
3d7561096ac6d771ae28668a00a9dd0bf499d644
Link:
https://www.unpac.me/results/a99c5972-f20c-446b-879e-b2dc58557811/
SH256 hash:
334fb1c3def58d304673a7be8b63399d481bc45a8c33567003c09784efd16ebd
MD5 hash:
34bdb9a0cc7686903eec49ef2cc1e7cf
SHA1 hash:
7d4acfd37ce4a498c85a2b7b8ff6d70a4aec557a
Link:
https://www.unpac.me/results/a99c5972-f20c-446b-879e-b2dc58557811/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/334fb1c3def5/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/334fb1c3def58d304673a7be8b63399d481bc45a8c33567003c09784efd16ebd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:Vidar
Create hunting rule
Author:kevoreilly,rony
Description:Vidar Payload

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/323339/

Comments