MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 33a9c4f53a214003ac5a5415db060701bc53b271a670f03167cd01bc67fcf23a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 33a9c4f53a214003ac5a5415db060701bc53b271a670f03167cd01bc67fcf23a
SHA3-384 hash: b6f4171bb76551b7cd5e32cb629f4420efc0e1a78c88625923751e170d80571421d91200cfb36e54b115433c627d2636
SHA1 hash: a9488ee6900c93769c41104af836c25d9e95a73a
MD5 hash: 436ffb972a9692a4dbdbce7a6c570941
humanhash: whiskey-juliet-eight-fillet
File name:Setup_new.exe
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:888'320 bytes
First seen:2022-12-12 16:35:21 UTC
Last seen:2022-12-12 18:30:46 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f38a5a5b7390e67a8e2dc9e829a9e36a (1 x RedLineStealer, 1 x ArkeiStealer)
ssdeep 24576:fmwKz8GCMIrv31oo6KNa4XoHqyOuJuB6aabTD0K:a8GCMIeBKNamnQbb30K
Threatray 1'110 similar samples on MalwareBazaar
TLSH T12415CF52F8C18076C672383D15A5E2B456EE74311D228ABFA7D82A3D5F306A1BF1253F
TrID 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter abuse_ch
Tags:ArkeiStealer exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
182
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
vidar
Create hunting rule
ID:
1
File name:
Setup_new.exe
Verdict:
Malicious activity
Analysis date:
2022-12-12 16:36:33 UTC
Tags:
trojan stealer vidar
Link:
https://app.any.run/tasks/79278624-1a48-4af1-9c29-cbfe4d6756dc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/345522/
Detection(s):
SecuriteInfo.com.Trojan.GenericKDZ.94404.412.11695.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Searching for synchronization primitives
Сreating synchronization primitives
Launching the default Windows debugger (dwwin.exe)
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Reading critical registry keys
Searching for the window
Creating a window
Running batch commands
Creating a process with a hidden window
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed shell32.dll
Link:
https://www.filescan.io/uploads/639758739a505ad9423f3ab0/reports/5821c449-a776-4de7-951f-c02f0869c3b6/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Arkei Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6df586d9-77aa-4c53-9503-159a33f3d997
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1132836
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/33a9c4f53a214003ac5a5415db060701bc53b271a670f03167cd01bc67fcf23a/
Threat name:
Win32.Trojan.Raccoon
Create hunting rule
Status:
Malicious
First seen:
2022-12-12 16:36:07 UTC
File Type:
PE (Exe)
AV detection:
24 of 40 (60.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gou4j5j2efaahlc2kqk5wbqhag6fhmtruzypamlhzua3yz746i5a._file
Verdict:
malicious
Similar samples:
0544e0fcb370f6d4e5691f820cbd673ef7d0e1a973dbe76e4956a514b0862566
ArkeiStealer
08c7eb81c268bbae91dedf391c1901461e786ee5cd401872100efad10812efc9
ArkeiStealer
2c993eb220436695d78783d2a6520951e4ce2b65311a96b904a063abdc088235
ArkeiStealer
6eaa17442216edf6c184c03e3b7468922c1b6d59fbf419f811552e2e86e0bcfe
ArkeiStealer
bacdddfabf0476948f55a43f5bda407afa2f1cd4884e973a1722e3f674cc2a94
ArkeiStealer
d7c42d1df0e957935b672b0633cf3dad39b5d8c85eec4631c62191915af02379
ArkeiStealer
f0527a6ecbe7892f48f746fe60c054681852295c5a897402f09a47e74c617956
ArkeiStealer
+ 1'100 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar botnet:1696 spyware stealer
Link:
https://tria.ge/reports/221212-t38hbsef2v/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Loads dropped DLL
Uses the VBS compiler for execution
Vidar
Malware Config
C2 Extraction:
https://t.me/hkjkkiiioo
https://t.me/asndmadas19
Gathering data
Unpacked files
SH256 hash:
bf280936afc499b9225989f3372f74ad7d50b77ae8904ccb5bb931152fc4f7f7
MD5 hash:
4f1cde123dc5d6a8b22c62edf25f2901
SHA1 hash:
dbf4006053c75816241da82d2d281bc72a27d431
Link:
https://www.unpac.me/results/6de56cbd-566b-46ff-8229-82df5cbaa434/
SH256 hash:
33a9c4f53a214003ac5a5415db060701bc53b271a670f03167cd01bc67fcf23a
MD5 hash:
436ffb972a9692a4dbdbce7a6c570941
SHA1 hash:
a9488ee6900c93769c41104af836c25d9e95a73a
Link:
https://www.unpac.me/results/6de56cbd-566b-46ff-8229-82df5cbaa434/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/33a9c4f53a21/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Arkei Stealer
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/33a9c4f53a214003ac5a5415db060701bc53b271a670f03167cd01bc67fcf23a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/345522/

Comments