MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3519c802164ad7fbb26b86834083ecc83039f05fdd2915a8e54091461629b08a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 14


Intelligence 14 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3519c802164ad7fbb26b86834083ecc83039f05fdd2915a8e54091461629b08a
SHA3-384 hash: f28ea29a39f7a05234a7add4bf11eed7629d9cc85a0f591cced72d0b47c50e1f776fc7cafe05262c259f8a1df0dc32f1
SHA1 hash: 4019f8bbeb202b7fc0a8c4647ada383139c0f02c
MD5 hash: 6fbf058c7a5c8b8889b6d3b043c956e3
humanhash: music-eight-violet-lemon
File name:6FBF058C7A5C8B8889B6D3B043C956E3.exe
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:5'678'891 bytes
First seen:2022-10-20 03:21:39 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 6c9b62aae6117060f9867b92d139b95e (9 x ArkeiStealer, 2 x Smoke Loader, 1 x RedLineStealer)
ssdeep 98304:ZaURnsjfaRQghRWff5j/R0UMz/R0UMr/R0UMw/R0UM0:ZznsjfsvQBD2UMT2UMb2UMA2UM0
Threatray 712 similar samples on MalwareBazaar
TLSH T1A746CF23B349243EC06A193A4827D6F4993B7E61791ACC4E7BFC7D4CDF391416A2A50B
TrID 61.8% (.EXE) Inno Setup installer (109740/4/30)
23.4% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
5.9% (.EXE) Win64 Executable (generic) (10523/12/4)
2.5% (.EXE) Win32 Executable (generic) (4505/5/1)
1.6% (.MZP) WinArchiver Mountable compressed Archive (3000/1)
File icon (PE):PE icon
dhash icon d0d09cd4d4e4d4cc (1 x ArkeiStealer, 1 x Smoke Loader)
Reporter abuse_ch
Tags:ArkeiStealer exe


Avatar
abuse_ch
ArkeiStealer C2:
http://49.12.196.69/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://49.12.196.69/ https://threatfox.abuse.ch/ioc/891720/

Intelligence

File Origin
# of uploads :
1
# of downloads :
248
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
ficker
Create hunting rule
ID:
1
File name:
e802bea8c9e7e665f35d38a88081b61147d53a6c449cba599fb192359889e2f2.exe
Verdict:
Malicious activity
Analysis date:
2022-10-17 18:06:44 UTC
Tags:
installer opendir loader evasion trojan ficker stealer raccoon recordbreaker
Link:
https://app.any.run/tasks/d9eb03a3-19cc-4ae9-b8d1-26031be4e601

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/321885/
Detection(s):
PUA.Win.Adware.Dealply-6619245-0
Create hunting rule

PUA.Win.Adware.Dealply-6619266-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
Searching for synchronization primitives
Delayed reading of the file
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/43916/overview
Behaviour
MalwareBazaar
LanguageCheck
CheckNumberOfProcessor
CPUID_Instruction
CheckCmdLine
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
cmd.exe fingerprint greyware keylogger overlay packed regasm.exe rundll32.exe
Link:
https://www.filescan.io/uploads/6350bedd7f72336a8d629ba2/reports/159e5ee1-f5e7-4651-beec-4ffdfe5a5107/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Vidar
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/18311570-945e-4ce0-b0c8-4d9c9a60c7d7
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1093899
Signature
Antivirus detection for URL or domain
Contains functionality to inject code into remote processes
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 726519 Sample: ExDfdBSYHn.exe Startdate: 20/10/2022 Architecture: WINDOWS Score: 100 49 Malicious sample detected (through community Yara rule) 2->49 51 Antivirus detection for URL or domain 2->51 53 Multi AV Scanner detection for dropped file 2->53 55 4 other signatures 2->55 9 ExDfdBSYHn.exe 12 2->9         started        process3 file4 35 C:\Users\user\...\R4CE9-82A5-E8F6D7A.exe, PE32 9->35 dropped 12 R4CE9-82A5-E8F6D7A.exe 9->12         started        process5 signatures6 61 Injects a PE file into a foreign processes 12->61 15 R4CE9-82A5-E8F6D7A.exe 20 12->15         started        process7 dnsIp8 37 t.me 149.154.167.99, 443, 49693 TELEGRAMRU United Kingdom 15->37 39 45.15.156.60, 49695, 80 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 15->39 41 49.12.196.69, 49694, 80 HETZNER-ASDE Germany 15->41 31 C:\Users\user\AppData\...\qwe22zdlAq[1].exe, PE32 15->31 dropped 33 C:\ProgramData\27468307972539493982.exe, PE32 15->33 dropped 43 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 15->43 45 Tries to harvest and steal browser information (history, passwords, etc) 15->45 47 Tries to steal Crypto Currency Wallets 15->47 20 27468307972539493982.exe 15->20         started        23 cmd.exe 1 15->23         started        file9 signatures10 process11 signatures12 57 Multi AV Scanner detection for dropped file 20->57 59 Machine Learning detection for dropped file 20->59 25 taskkill.exe 1 23->25         started        27 conhost.exe 23->27         started        29 timeout.exe 1 23->29         started        process13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3519c802164ad7fbb26b86834083ecc83039f05fdd2915a8e54091461629b08a/
Threat name:
Win32.Infostealer.Bandra
Create hunting rule
Status:
Malicious
First seen:
2022-10-17 19:36:38 UTC
File Type:
PE (Exe)
Extracted files:
94
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=gum4qaqwjll7xmtlq2buba7mzaydt4c73uurlkhficiumfrjwcfa._file
Verdict:
malicious
Similar samples:
1bd4abc21125d116ca1b721d180e1c36dd0bf7b78b69088a9b17c8445fdda085
ArkeiStealer
3af3279ede125805a47682382304f6b76af4e7c34c2bfeaa198e0dc38f3ad1b6
ArkeiStealer
aa2b5d5f5e91f673c6ad75dfdf35c33ebda273b5ca96d5d4897cb791ba23d16a
ArkeiStealer
f414b58167438e77909afa13c1e137874fb7aad4983d30cd9b769f205ace0078
ArkeiStealer
f5d0c083bcd73094d1c995ce77f0730514f34e7ea0bb7e620127949dac19b6aa
ArkeiStealer
fd5b0792ea3837a3eb0b86a47e08d4ec52dda7f1fbe677326fbe31ac534d7340
ArkeiStealer
+ 702 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar botnet:1636 discovery spyware stealer
Link:
https://tria.ge/reports/221020-dww8qacag5/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Vidar
Malware Config
C2 Extraction:
https://t.me/dghzq
https://t.me/zjsqpz
https://t.me/fqwexzq
Verdict:
Informative
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/e59e3291-2cd1-4fd2-adb5-cb705cb6f69d
Unpacked files
SH256 hash:
4da8252d23f32c59bff3b18b619e389e7994ac31493522bba5767f8fb538e138
MD5 hash:
bb89df9eb30eaba523cae8a9065a1253
SHA1 hash:
bcafac72d36e875f25876cd1d9f5c7826207f540
Link:
https://www.unpac.me/results/78b5e04d-727d-48cd-9f9d-7f6975ece306/
SH256 hash:
d758cc43c607abbc38b2deb85b02fcf42abfe939617391a5846527cf2d1e13af
MD5 hash:
6251cf9d23396d8e57f1eb7ddd0c7eb4
SHA1 hash:
0ddd316dffe4d57d68f6ef93a09d1e513b8881fa
Detections:
VidarStealer
Create hunting rule
Link:
https://www.unpac.me/results/78b5e04d-727d-48cd-9f9d-7f6975ece306/
Parent samples :
f414b58167438e77909afa13c1e137874fb7aad4983d30cd9b769f205ace0078
3519c802164ad7fbb26b86834083ecc83039f05fdd2915a8e54091461629b08a
SH256 hash:
3519c802164ad7fbb26b86834083ecc83039f05fdd2915a8e54091461629b08a
MD5 hash:
6fbf058c7a5c8b8889b6d3b043c956e3
SHA1 hash:
4019f8bbeb202b7fc0a8c4647ada383139c0f02c
Link:
https://www.unpac.me/results/78b5e04d-727d-48cd-9f9d-7f6975ece306/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/3519c802164a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3519c802164ad7fbb26b86834083ecc83039f05fdd2915a8e54091461629b08a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/321885/

Comments