MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 39640aaf46028232858f4c0e42520aa38fe5f9864575b81adb9c6d30b87089a9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ArkeiStealer

Vendor detections: 10

Intelligence 10 IOCs YARA 2 File information Comments

SHA256 hash:	39640aaf46028232858f4c0e42520aa38fe5f9864575b81adb9c6d30b87089a9
SHA3-384 hash:	812ab8831300a6ea745435f5385b0db78534f5894edaf0fa08293263ba9cb5abe445954b141f3dc0804a6e4262b71bc6
SHA1 hash:	eba774f7a63b7cedca1d021f1828f805e0afb2a4
MD5 hash:	cdf8f8eff06a993091d03ac659be495b
humanhash:	aspen-washington-may-west
File name:	cdf8f8eff06a993091d03ac659be495b.exe
Download:	download sample
Signature	ArkeiStealer Create hunting rule
File size:	273'000 bytes
First seen:	2023-01-17 13:54:49 UTC
Last seen:	2023-01-17 15:41:11 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	6144:Q5XRIDE+ENUt06PFP2gr88ek9tUt1Py3GvvO8j7C1IPP:kLVSJdhrnV9x8jG1q
Threatray	61 similar samples on MalwareBazaar
TLSH	T1D3442A09FB44FD31C2C87A31809A493816718BF73AE7D38B694459630716BD74D9BF8A
TrID	60.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.8% (.SCR) Windows screen saver (13097/50/3) 8.7% (.EXE) Win64 Executable (generic) (10523/12/4) 5.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):
dhash icon	d492ccd8f2d6fe1c (1 x RaccoonStealer, 1 x CryptBot, 1 x ArkeiStealer)
Reporter	abuse_ch
Tags:	ArkeiStealer exe

Intelligence

File Origin

# of uploads :

# of downloads :

206

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

cdf8f8eff06a993091d03ac659be495b.exe

Verdict:

Malicious activity

Analysis date:

2023-01-17 13:58:48 UTC

Tags:

opendir

Link:

https://app.any.run/tasks/b93fd0ea-5f2b-4cf6-9323-50dfefb0c601

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/353808/

Detection(s):

SecuriteInfo.com.Win32.PWSX-gen.17217.16843.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Launching a process

Creating a file

Sending a custom TCP request

Сreating synchronization primitives

Sending an HTTP GET request

Running batch commands

Creating a process with a hidden window

Unauthorized injection to a system process

Verdict:

No Threat

Threat level:

2/10

Confidence:

80%

Tags:

obfuscated overlay packed

Link:

https://www.filescan.io/uploads/63c6a8b986e9647bb4c9bf0b/reports/f59ff8e5-bffe-491c-bf54-c7c452db1ad2/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Arkei Stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/5df8bb6e-fe0f-4ebc-915e-3a286c65c6d6

Result

Threat name:

Vidar

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1153094

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Found many strings related to Crypto-Wallets (likely being stolen)

Hides threads from debuggers

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/39640aaf46028232858f4c0e42520aa38fe5f9864575b81adb9c6d30b87089a9/

Threat name:

ByteCode-MSIL.Spyware.RedLine

Status:

Malicious

First seen:

2023-01-16 23:23:31 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

14 of 26 (53.85%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=hfsavl2gakbdfbmpjqheeuqkuoh6l6mgiv23qgw3trwtbodqrguq._file

Verdict:

unknown

ArkeiStealer

7f04b9072a28a0d1558420fa5734b320b71724afee4096ab46075a6052aea309

ArkeiStealer

98aaa85705c2a3b84dfbc82c27ade35202fb82fb63018f86ec02ef8f11d7d3aa

ArkeiStealer

9ce2b96d827c9b1e3489bd55502b300b508b5180b2fec024b66f700ed824680b

ArkeiStealer

a3a588b7260264b1850f13ffd1e1d7eb390666a16907bbb45e0958ad0caadb72

ArkeiStealer

ad218fa84daf745d843662eb723957cf805e2ddb1043f0f0f1b67f6a6d02111f

ArkeiStealer

b819efc97ab357c063a97a69f9aefa227216415a56b44a62a6dddd6430e69922

ArkeiStealer

ccd13421133f5ab9da25c57fad424244c0ef1ce1cece885bde769579e8284d75

ArkeiStealer

+ 51 additional samples on MalwareBazaar

Result

Malware family:

vidar

Score:

10/10

Tags:

family:vidar botnet:597 spyware stealer

Link:

https://tria.ge/reports/230117-q744xsda5t/

Behaviour

Checks processor information in registry

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Accesses 2FA software files, possible credential harvesting

Accesses cryptocurrency files/wallets, possible credential harvesting

Loads dropped DLL

Blocklisted process makes network request

Vidar

Malware Config

C2 Extraction:

https://t.me/tgdatapacks
https://steamcommunity.com/profiles/76561199469677637

Unpacked files

SH256 hash:

39640aaf46028232858f4c0e42520aa38fe5f9864575b81adb9c6d30b87089a9

MD5 hash:

cdf8f8eff06a993091d03ac659be495b

SHA1 hash:

eba774f7a63b7cedca1d021f1828f805e0afb2a4

Link:

https://www.unpac.me/results/2f12e8d4-56e8-4cac-a24e-0eefcfe14d85/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/39640aaf4602/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.51

Link:

https://yomi.yoroi.company/submissions/39640aaf46028232858f4c0e42520aa38fe5f9864575b81adb9c6d30b87089a9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/353808/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample