MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3a289614d73c4260ae0cb5be146a0642f8a269dc0320b141d823aeed35209a56. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 8


Intelligence 8 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3a289614d73c4260ae0cb5be146a0642f8a269dc0320b141d823aeed35209a56
SHA3-384 hash: 763f47aeeb0d65ee627a5736e83a138c127e15ce0996f8a1c4857b5a74007340ab569012ac8ad049533c5a0e714d9dcc
SHA1 hash: cba91a6a40c5bdfa4bb11dde97bfff05eb906208
MD5 hash: 1ca1b650ea1e4ef8a79c8d6ed00fbd77
humanhash: happy-moon-eighteen-idaho
File name:file
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:7'254'848 bytes
First seen:2022-10-27 19:14:52 UTC
Last seen:2022-10-28 07:09:07 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 9a1d26a8b16a9dbb94396f19b5a9d4c9 (4 x ArkeiStealer)
ssdeep 196608:JxGVX7S+x9QVak81xIUijgBuKPLLuRcY3bmwi70L:JmX7xx9Z5z4jWPLLuRc4IAL
Threatray 827 similar samples on MalwareBazaar
TLSH T1077622A3AE541181F08A8FF44936FC54B0775B7E8E43D8392A99ADC2373D9EC9711983
TrID 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon f0f4e0d4d4ccccf0 (1 x ArkeiStealer)
Reporter andretavare5
Tags:ArkeiStealer exe


Avatar
andretavare5
Sample downloaded from https://vk.com/doc733883836_657689044?hash=FunToLCUk46O4orfSR1QibfqZtIMFsbXu0JF8O0U0ZH&dl=G4ZTGOBYGM4DGNQ:1666896714:S6lbwQo36e2gA8gMZtztCHeoGTjvhdwsArr0BVnbOdD&api=1&no_preview=1#fj1

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://195.201.253.169/ https://threatfox.abuse.ch/ioc/878075/

Intelligence

File Origin
# of uploads :
252
# of downloads :
253
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/325105/
Detection(s):
SecuriteInfo.com.Win32.Trojan-gen.15242.7057.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Creating a file
Reading critical registry keys
Creating a window
Creating a file in the system32 subdirectories
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Searching for the window
Stealing user critical data
Sending an HTTP GET request to an infection source
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/46088/overview
Behaviour
MalwareBazaar
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/833d2532-8735-46ba-9a52-90cb6052b45b
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1099718
Behaviour
Behavior Graph:
n/a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3a289614d73c4260ae0cb5be146a0642f8a269dc0320b141d823aeed35209a56/
Threat name:
Win32.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2022-10-27 20:30:31 UTC
File Type:
PE (Exe)
Extracted files:
16
AV detection:
14 of 26 (53.85%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hiujmfgxhrbgblqmww7bi2qgil4ke2o4amqlcqoyeoxo2njatjla._file
Verdict:
unknown
Similar samples:
137f888429094a1dece66c656564cde7d4f60f7b132c8105c6eaaecd95f3f9d9
ArkeiStealer
1a12d9c9ac19873abafa62c6d37eb8c31495a0818e8aa99987b41126cd31cd02
ArkeiStealer
1beb50ab8de7ec33aec7deb5365fbebce3a91bfe9cf31387a5bf326ace08d48b
ArkeiStealer
3af3279ede125805a47682382304f6b76af4e7c34c2bfeaa198e0dc38f3ad1b6
ArkeiStealer
cec50bf34d70097c1ca3bff6dc6cc52c45ed98b6e3f4a098a4eaaf5abde3540e
ArkeiStealer
dade5b7aa50e2e1df254ae9c8b70f59cfa6c47889bc1cb3ff722620b367fde60
ArkeiStealer
f414b58167438e77909afa13c1e137874fb7aad4983d30cd9b769f205ace0078
ArkeiStealer
+ 817 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar botnet:1748 discovery spyware stealer
Link:
https://tria.ge/reports/221027-xx8spadag2/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks computer location settings
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Vidar
Malware Config
C2 Extraction:
https://t.me/slivetalks
https://c.im/@xinibin420
Unpacked files
SH256 hash:
8175edc1f89e210a0041fb24107cf760dfa174962b1e8c8afef2e0ef9af6c2d7
MD5 hash:
a5dc35b2dc7667889156a37417310e29
SHA1 hash:
7d932e1f2db975070a4bc3b6a32d2bf0562c65d3
Link:
https://www.unpac.me/results/24cc9f7a-5f3d-46f0-90ac-b654e0dc5b6c/
SH256 hash:
3a289614d73c4260ae0cb5be146a0642f8a269dc0320b141d823aeed35209a56
MD5 hash:
1ca1b650ea1e4ef8a79c8d6ed00fbd77
SHA1 hash:
cba91a6a40c5bdfa4bb11dde97bfff05eb906208
Link:
https://www.unpac.me/results/24cc9f7a-5f3d-46f0-90ac-b654e0dc5b6c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3a289614d73c4260ae0cb5be146a0642f8a269dc0320b141d823aeed35209a56

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/325105/

Comments