MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 35e67bf049cb9c2d9c6af0f2f29fffef0279a0953732240b6cdc7c1b12121d23. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 12


Intelligence 12 IOCs 1 YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 35e67bf049cb9c2d9c6af0f2f29fffef0279a0953732240b6cdc7c1b12121d23
SHA3-384 hash: fa8ddf8a0ba989859859205cca79f1d8be7934ade0a37f9c85c8d6e205f6032ba3d5f7d0bfe22b05c94649b26bbcf130
SHA1 hash: 60081ae7b16738fa8315c650b240c82919044478
MD5 hash: 24ad5d3dd00a5c74b2280af26ff854d7
humanhash: johnny-michigan-indigo-utah
File name:35e67bf049cb9c2d9c6af0f2f29fffef0279a09537322.exe
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:382'976 bytes
First seen:2022-08-23 10:25:15 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b4818e7c13c839e394d01c7d80b1d880 (1 x Smoke Loader, 1 x DanaBot, 1 x ArkeiStealer)
ssdeep 6144:2e5lgH1bq3YhWeJB4Q0qXmRj/Ac08xtlxODiw/qyD2/k0sEuvXX8:756bqohWIB7XqYZ+xOV/q3PsA
Threatray 4'609 similar samples on MalwareBazaar
TLSH T1B784CF5076A0D03DE5B712F07979C2AC793A7EA1AB3454CB62C67AEE1A342D4EC74307
TrID 40.3% (.EXE) Win64 Executable (generic) (10523/12/4)
19.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
17.2% (.EXE) Win32 Executable (generic) (4505/5/1)
7.7% (.EXE) OS/2 Executable (generic) (2029/13)
7.6% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):PE icon
dhash icon badacabecee6baa2 (28 x RedLineStealer, 19 x Stop, 13 x Smoke Loader)
Reporter abuse_ch
Tags:ArkeiStealer exe


Avatar
abuse_ch
ArkeiStealer C2:
http://135.181.104.248/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://135.181.104.248/ https://threatfox.abuse.ch/ioc/844709/

Intelligence

File Origin
# of uploads :
1
# of downloads :
258
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
35e67bf049cb9c2d9c6af0f2f29fffef0279a0953732240b6cdc7c1b12121d23
Verdict:
Malicious activity
Analysis date:
2022-08-22 04:33:41 UTC
Tags:
trojan stealer
Link:
https://app.any.run/tasks/c2d6e541-ab06-45af-b588-cd889dcab32b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/300443/
Detection(s):
Win.Packed.Crypterx-9964586-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Reading critical registry keys
Creating a window
Stealing user critical data
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/29755/overview
Behaviour
MalwareBazaar
MeasuringTime
SystemUptime
CPUID_Instruction
EvasionQueryPerformanceCounter
CheckCmdLine
EvasionGetTickCount
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/6304abb43cbb13868a74b232/reports/23cac981-7b42-41e6-a463-13adfad3980b/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b202841d-5a95-49ab-b5ba-85ffc0496d16
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1056134
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Self deletion via cmd or bat file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/35e67bf049cb9c2d9c6af0f2f29fffef0279a0953732240b6cdc7c1b12121d23/
Threat name:
Win32.Trojan.RedLine
Create hunting rule
Status:
Malicious
First seen:
2022-08-22 00:03:32 UTC
File Type:
PE (Exe)
Extracted files:
37
AV detection:
24 of 26 (92.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=gxthx4cjzooc3hdk6dzpfh7754bhtievg4zcic3m3r6bweqsdurq._file
Verdict:
malicious
Similar samples:
0c6058dd764f4921fcb201f1c7fb7a9f24ae2c4ade920ff36fe29886cd6a8f7e
ArkeiStealer
68652defc71770065997b7d60a64a3959446a114a2ee17a443a15ae8b767f150
ArkeiStealer
82a108c44defd4e43bf5bdee2bbadbf7f62870683557276b698d15845267c722
ArkeiStealer
89ec309c384717284199d66d01669738ce37d9fb445a8f7f2259dfd6ca888f5d
ArkeiStealer
96e21b5e642faf31d4c7654cc40cbfd63c3d4e8cf265e9fc2885cdb137f7691b
ArkeiStealer
b1e62cecdf705a662dc9638e12d238378e2775d75b3aa63a01552dee8d5da346
ArkeiStealer
b7bf04a5d5d14c38358fb28f8e2453bf45926684769ad6a79a4bf110d8587af5
ArkeiStealer
c87ec3f9dfb87a10f1c38102a3c58bc2cbb252891b5c882f3c4f3f0a9058b170
ArkeiStealer
ffc1b9735633836ed935e403d56dd31a464f39c0814e22cb19bb3af6cd54b270
ArkeiStealer
+ 4'599 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery spyware stealer
Link:
https://tria.ge/reports/220823-mgh7zsdccq/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
d2c725b7ba571fc4e3a9dd440b5c7763df7a0bc376721c538cf66b5e06bf55b5
MD5 hash:
eb0ae9d8f23d850a6dc32705d2653d09
SHA1 hash:
1151110529a1a9880c309502e1959f2e8585b21e
Detections:
win_vidar_auto
Create hunting rule
Link:
https://www.unpac.me/results/ec8ab041-0a40-48e9-acd9-e65260b7ea69/
SH256 hash:
35e67bf049cb9c2d9c6af0f2f29fffef0279a0953732240b6cdc7c1b12121d23
MD5 hash:
24ad5d3dd00a5c74b2280af26ff854d7
SHA1 hash:
60081ae7b16738fa8315c650b240c82919044478
Link:
https://www.unpac.me/results/ec8ab041-0a40-48e9-acd9-e65260b7ea69/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/35e67bf049cb/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/35e67bf049cb9c2d9c6af0f2f29fffef0279a0953732240b6cdc7c1b12121d23

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:win_vidar_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.vidar.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/300443/

Comments