MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 360b2afefd68c3ded857f70836cee28007aac12118476e45d151af93c7fbc7f2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ArkeiStealer

Vendor detections: 14

Intelligence 14 IOCs YARA 1 File information Comments

SHA256 hash:	360b2afefd68c3ded857f70836cee28007aac12118476e45d151af93c7fbc7f2
SHA3-384 hash:	4d7cb99959d37455aa8ac7eb5a946d00261fdc33e7fdcd591a4c5758bcba30a0bfed1c6a4b79b144256d3abb4ec5781d
SHA1 hash:	31c4f3d0a180759e1dee40cf9d333d54f62f381c
MD5 hash:	7fc626b24f949525f0912f6d55e1b2ac
humanhash:	idaho-vegan-echo-quebec
File name:	Setups1.exe
Download:	download sample
Signature	ArkeiStealer Create hunting rule
File size:	6'930'944 bytes
First seen:	2022-11-08 07:01:50 UTC
Last seen:	2022-11-08 08:40:44 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	9a1d26a8b16a9dbb94396f19b5a9d4c9 (4 x ArkeiStealer)
ssdeep	98304:aRI7XZbU9lApSEGEi5DPsOgO4X9tvf73Pi67n8pSRlXlAirQ9loCylPHWIMQMM:auL4OSEGDENtvf73f8pAlLrGoXm
Threatray	972 similar samples on MalwareBazaar
TLSH	T193662373136A1091E9C4C9358D37FDA2B1F7436ACB829CB860CE9DD52A264E5D703E93
TrID	32.2% (.EXE) Win64 Executable (generic) (10523/12/4) 20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 15.4% (.EXE) Win16 NE executable (generic) (5038/12/1) 13.7% (.EXE) Win32 Executable (generic) (4505/5/1) 6.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	f8f0a4a09d99d9de (1 x ArkeiStealer)
Reporter	abuse_ch
Tags:	ArkeiStealer exe

Intelligence

File Origin

# of uploads :

# of downloads :

165

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

vidar

ID:

File name:

Setups1.exe

Verdict:

Malicious activity

Analysis date:

2022-11-08 07:02:16 UTC

Tags:

stealer trojan vidar

Link:

https://app.any.run/tasks/6c96599d-3cae-4b97-8d9a-cb3be93e01c5

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/330383/

Detection(s):

SecuriteInfo.com.Win32.PWSX-gen.31089.15949.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

DNS request

Sending a custom TCP request

Sending an HTTP GET request

Creating a file

Reading critical registry keys

Running batch commands

Creating a process with a hidden window

Launching a process

Stealing user critical data

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/49976/overview

Behaviour

MalwareBazaar

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/6369fef05a33779d69ce9709/reports/f2102e9b-2090-4676-b416-735f2de6a696/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/4c3f6cd9-8587-4467-9748-d6ee723162a9

Result

Threat name:

Unknown

Detection:

malicious

Classification:

spyw.evad

Score:

80 / 100

Link:

https://www.joesandbox.com/analysis/1107986

Signature

Antivirus detection for URL or domain

Detected VMProtect packer

Machine Learning detection for sample

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Self deletion via cmd or bat file

Tries to detect virtualization through RDTSC time measurements

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Crypto Currency Wallets

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/360b2afefd68c3ded857f70836cee28007aac12118476e45d151af93c7fbc7f2/

Threat name:

Win32.Infostealer.Bandra

Status:

Malicious

First seen:

2022-11-08 07:02:24 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

19 of 26 (73.08%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=gyfsv7x5ndb55wcx64edntxcqad2vqjbdbdw4rorkgxzhr73y7za._file

Verdict:

suspicious

Label(s):

raccoon

ArkeiStealer

1ebe93b170185c9898d90829867fd281a34568c054f832cee5027db73b63bba6

ArkeiStealer

3a289614d73c4260ae0cb5be146a0642f8a269dc0320b141d823aeed35209a56

ArkeiStealer

cec50bf34d70097c1ca3bff6dc6cc52c45ed98b6e3f4a098a4eaaf5abde3540e

ArkeiStealer

e45dbe7cb55c15faa395640121286cb2d61bb3655e9da26f9ea3d1d2f2c47880

ArkeiStealer

ee3002402500877070b877e8189e266879bcd3f8f8643340533ad1e0ff12526b

ArkeiStealer

+ 962 additional samples on MalwareBazaar

Result

Malware family:

vidar

Score:

10/10

Tags:

family:vidar botnet:1014 discovery spyware stealer vmprotect

Link:

https://tria.ge/reports/221108-hts6hachh8/

Behaviour

Checks processor information in registry

Delays execution with timeout.exe

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Accesses 2FA software files, possible credential harvesting

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Deletes itself

Loads dropped DLL

Reads user/profile data of web browsers

VMProtect packed file

Vidar

Malware Config

C2 Extraction:

https://ioc.exchange/@xiteb15011
https://t.me/tg_turgay

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/28bcee95-8e18-4afe-86c1-e74ab540e424

Unpacked files

SH256 hash:

360b2afefd68c3ded857f70836cee28007aac12118476e45d151af93c7fbc7f2

MD5 hash:

7fc626b24f949525f0912f6d55e1b2ac

SHA1 hash:

31c4f3d0a180759e1dee40cf9d333d54f62f381c

Link:

https://www.unpac.me/results/1bcbdd35-9c0b-4b78-b316-a43739adacea/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/360b2afefd68/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/360b2afefd68c3ded857f70836cee28007aac12118476e45d151af93c7fbc7f2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_EXE_Packed_VMProtect Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with VMProtect.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/330383/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample