MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 36a6921a0de77d733665e1d24cad2e21bede12c5e4495218cd43e66e5b37ce67. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ArkeiStealer

Vendor detections: 13

Intelligence 13 IOCs YARA 5 File information Comments

SHA256 hash:	36a6921a0de77d733665e1d24cad2e21bede12c5e4495218cd43e66e5b37ce67
SHA3-384 hash:	73f3ff0fbce3e14182826a1b02f7360794e71f4814188de3e33c92d9d55f66b0124d8fe6f71d94ad0365ad73122d21a4
SHA1 hash:	89a22567adc174d3632a36a50a52ef314f473826
MD5 hash:	4f16f77b883afbfd4979823ae1ac1c4d
humanhash:	yankee-missouri-friend-seventeen
File name:	4f16f77b883afbfd4979823ae1ac1c4d.exe
Download:	download sample
Signature	ArkeiStealer Create hunting rule
File size:	348'584 bytes
First seen:	2022-05-24 19:20:45 UTC
Last seen:	2022-07-14 06:47:17 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	c69e88423d6ba76171ae4ccf927da66b (10 x RedLineStealer, 3 x ArkeiStealer, 1 x Smoke Loader)
ssdeep	6144:wvkl3UUlAlMhIeGL/OQY/093PdV4eEX21G5:1l3UU+XrOzAPdee82W
Threatray	5'145 similar samples on MalwareBazaar
TLSH	T1A174011172A0C832D5E365304875C6F6BEBABC632974488F77583B2A3D713C2DA71B66
TrID	48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 16.4% (.EXE) Win64 Executable (generic) (10523/12/4) 10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	abuse_ch
Tags:	ArkeiStealer exe

Intelligence

File Origin

# of uploads :

# of downloads :

292

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

4f16f77b883afbfd4979823ae1ac1c4d.exe

Verdict:

Malicious activity

Analysis date:

2022-05-24 20:50:40 UTC

Tags:

stealer

Link:

https://app.any.run/tasks/7a0b565b-ed5b-47a6-b947-47908167b0bd

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Vidar

Link:

https://www.capesandbox.com/analysis/274271/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

DNS request

Sending a custom TCP request

Sending an HTTP GET request

Creating a file

Reading critical registry keys

Creating a window

Delayed writing of the file

Stealing user critical data

Forced shutdown of a browser

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/19918/overview

Behaviour

MalwareBazaar

SystemUptime

MeasuringTime

EvasionQueryPerformanceCounter

EvasionGetTickCount

CheckCmdLine

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware overlay packed

Link:

https://www.filescan.io/uploads/628d3064945ebb7eb179296c/reports/772b1b84-7d10-4b7e-a965-bfc713144c28/overview

Result

Verdict:

SUSPICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Vidar

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/c0ff8127-a809-4e64-9c5a-c227419b94f3

Result

Threat name:

Vidar

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1001000

Signature

Detected unpacking (changes PE section rights)

Detected unpacking (creates a PE file in dynamic memory)

Detected unpacking (overwrites its own PE header)

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Self deletion via cmd delete

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Crypto Currency Wallets

Tries to steal Mail credentials (via file / registry access)

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/36a6921a0de77d733665e1d24cad2e21bede12c5e4495218cd43e66e5b37ce67/

Threat name:

Win32.Trojan.Vidar

Status:

Malicious

First seen:

2022-05-24 19:21:12 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

19 of 26 (73.08%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=g2tjegqn456xgntf4hjezljoeg7n4ewf4reveggniptg4wzxzztq._file

Verdict:

malicious

ArkeiStealer

7f19bc8eb8f0555986de478bc9a17a8e052f4a9262b0a19b924d8e9c66a01ca7

ArkeiStealer

80cdfc120b7824e7cb5b34fc9ab1b6b43b84dfb435fd8f3e681ad4ae0ebd41de

ArkeiStealer

8399c97b606bb6613f99006964a47064e402e6489574b85db7a9872f601886b2

ArkeiStealer

a2c6f733cee76e07ef2fe055e20bafcf443c5f22a2b97bf92cc84e608cc53d58

ArkeiStealer

aa3abbd93819a58f0612b60cf1cfcc3a296e10d1b776555b8a3f967608b00f06

ArkeiStealer

abc7f395229f5f05074280e01c2e3726aa409d14c0a43ddf52a0368d53462747

ArkeiStealer

+ 5'135 additional samples on MalwareBazaar

Result

Malware family:

vidar

Score:

10/10

Tags:

family:vidar botnet:1163 discovery spyware stealer suricata

Link:

https://tria.ge/reports/220524-x2nnbaedh4/

Behaviour

Checks processor information in registry

Delays execution with timeout.exe

Kills process with taskkill

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Accesses 2FA software files, possible credential harvesting

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Checks computer location settings

Deletes itself

Loads dropped DLL

Reads user/profile data of web browsers

Vidar Stealer

Vidar

suricata: ET MALWARE W32/Agent.OGR!tr.pws Stealer

Malware Config

C2 Extraction:

https://t.me/hyipsdigest
https://mastodon.online/@ronxik13

Unpacked files

SH256 hash:

d5a99a112fe25fafc71a7073ac6443934f35dad5ceeb728cbf7a70e0915ee384

MD5 hash:

074d900158b1b997866c394b188b9e16

SHA1 hash:

40436377df6b1e70f852424fc293828fb5f567ab

Link:

https://www.unpac.me/results/16119360-d665-4a73-b640-81128398cf1d/

SH256 hash:

36a6921a0de77d733665e1d24cad2e21bede12c5e4495218cd43e66e5b37ce67

MD5 hash:

4f16f77b883afbfd4979823ae1ac1c4d

SHA1 hash:

89a22567adc174d3632a36a50a52ef314f473826

Link:

https://www.unpac.me/results/16119360-d665-4a73-b640-81128398cf1d/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/36a6921a0de77d733665e1d24cad2e21bede12c5e4495218cd43e66e5b37ce67

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL Create hunting rule
Author:	ditekSHen
Description:	Detects binaries and memory artifcats referencing sandbox DLLs typically observed in sandbox evasion

Rule name:	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing SQL queries to confidential data stores. Observed in infostealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing potential Windows Defender anti-emulation checks

Rule name:	MALWARE_Win_Vidar Create hunting rule
Author:	ditekSHen
Description:	Detects Vidar / ArkeiStealer

Rule name:	Vidar Create hunting rule
Author:	kevoreilly
Description:	Vidar Payload

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ArkeiStealer

exe 36a6921a0de77d733665e1d24cad2e21bede12c5e4495218cd43e66e5b37ce67

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/2178064/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/274271/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample