MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3a7f7b56d9b3c6996f00bd40b7ff5d70e0ce858fc76cc0d89f603a26c34e9e5c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ArkeiStealer

Vendor detections: 5

Intelligence 5 IOCs YARA File information Comments

SHA256 hash:	3a7f7b56d9b3c6996f00bd40b7ff5d70e0ce858fc76cc0d89f603a26c34e9e5c
SHA3-384 hash:	4cf13468e67e816a69030d12f5c58727272c3df496f196374e05a6c1478c0b0e0174bb74c24c83dff1b2f68163be3da1
SHA1 hash:	d4b7744b503b11e7a82564953e4179ba36bd9c5c
MD5 hash:	57f144a367aad10f85ac746fde7e9571
humanhash:	high-winter-nebraska-paris
File name:	57f144a367aad10f85ac746fde7e9571.exe
Download:	download sample
Signature	ArkeiStealer Create hunting rule
File size:	515'484 bytes
First seen:	2020-05-06 18:31:55 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	c9adc83b45e363b21cd6b11b5da0501f (82 x ArkeiStealer, 60 x RecordBreaker, 46 x RedLineStealer)
ssdeep	12288:pANwRo+mv8QD4+0V16vljTG2bfn5vEXtHvdXOlLVN0Mnaxa:pAT8QE+ks9Thbf5v8vZO3Nx1
Threatray	104 similar samples on MalwareBazaar
TLSH	99B4F135A281857BC0210939585BD3BAB53ABF045F7C55CFB3ED0E6C9D333492A2539A
Reporter	abuse_ch
Tags:	ArkeiStealer exe

Intelligence

File Origin

# of uploads :

1

# of downloads :

89

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

PUA.Win.Adware.Slugin-6803969-0

PUA.Win.Adware.Slugin-6840354-0

SecuriteInfo.com.PSW.Generic8.ISF.UNOFFICIAL

Gathering data

Threat name:

Win32.Trojan.Vidar

Status:

Malicious

First seen:

2020-05-07 04:28:17 UTC

File Type:

PE (Exe)

AV detection:

28 of 31 (90.32%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=hj7xwvwzwpdjs3yaxvalp725odqm5bmpy5wmbwe7ma5cnq2otzoa._file

Verdict:

malicious

Similar samples:

06c470803b445fa48419f5840100b63e2248b72e64c6c0ef47c44c07ff36d2a9

30ee19d9f9b1e7c313c08903a1d5150461447f5fd989e82a982c1b6462698c4f

341847d9c11face1487ab04072d6ddc5065a379011c6684e56e1f4fa8d8ab3f3

6daf0de596310cb04331ef266b7f0a5ee81672016edd8cd6876124a60534cfdc

7ee9786ce295430044ac02259ca43dd92a036f3146533b308dca24f87e05edd4

aa0391688fb348eaa32856bcf0caca596177985f4dd9733f69ab2018ba8d1ff7

d5445db0317af2ab05690f7037065681f908b3ae4da8d53ff5160b6627d74aac

d620778dbbcf11e3a293aeaaebac7b6a9a02e7d8790ca5ffa59bda1e9b9632f4

f8d6f282de8b50d4d9e6fc17f53b0b33cecb4f4fb01f956cca3ba622b4b452aa

fcac1c6c86cda94817da16feb772744ab591e3d1192955b32b074034ea122bf1

+ 94 additional samples on MalwareBazaar

Result

Malware family:

vidar

Score:

10/10

Tags:

family:vidar discovery spyware stealer

Link:

https://tria.ge/reports/201109-2rh2p9kef6/

Behaviour

Checks processor information in registry

Modifies Internet Explorer settings

Runs .reg file with regedit

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies Control Panel

Modifies registry class

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Drops file in Program Files directory

Drops file in Windows directory

Accesses 2FA software files, possible credential harvesting

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Loads dropped DLL

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Checks computer location settings

Executes dropped EXE

Vidar

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

exe 3a7f7b56d9b3c6996f00bd40b7ff5d70e0ce858fc76cc0d89f603a26c34e9e5c

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/320566/

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample