MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3ac337b6785aaf1104179e5f38c7e1f58288f5fa9da6b442dbbb10405c0a8f3c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ArkeiStealer

Vendor detections: 17

Intelligence 17 IOCs YARA 6 File information Comments

SHA256 hash:	3ac337b6785aaf1104179e5f38c7e1f58288f5fa9da6b442dbbb10405c0a8f3c
SHA3-384 hash:	64bc8dfe5aff2d20767ce46023acf4451a75b03e26507bd28c449a97cb3fda150cca470cf68e017edb3f28350471227f
SHA1 hash:	01f67159c01fe7b1ae1c0bf4158107e119089fdf
MD5 hash:	9272fe5a3cf27c8f4fba0148d57dc0da
humanhash:	two-echo-six-stream
File name:	file
Download:	download sample
Signature	ArkeiStealer Create hunting rule
File size:	313'856 bytes
First seen:	2023-06-22 14:07:14 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	8bbd6ffd639dbd5d8bd87b5cbd77d83f (1 x ArkeiStealer)
ssdeep	6144:8Rltf1U/Yskkb2fa1T9dhyNS2FvA9ca3gvaXcf0:0sknfa7dhyNKcaQvaX
TLSH	T13964F1A17A60CCB2F82BB2B819258695777BF87163A5C68B3354176F0D312D19F3B342
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	0001120424081400 (1 x ArkeiStealer)
Reporter	jstrosch
Tags:	ArkeiStealer exe

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

https://asi-rca.ro/download/File_pass1234.7z

Verdict:

Malicious activity

Analysis date:

2023-06-22 06:57:16 UTC

Tags:

privateloader opendir evasion loader rat redline stealer smoke trojan gcleaner ransomware stop amadey

Link:

https://app.any.run/tasks/e9fe9674-4fca-4ae9-80d8-ddbf89ecf25e

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Vidar

Link:

https://www.capesandbox.com/analysis/401698/

Detection(s):

Win.Packer.pkr_ce1a-9980177-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

DNS request

Sending a custom TCP request

Sending an HTTP GET request

Creating a file

Reading critical registry keys

Using the Windows Management Instrumentation requests

Creating a window

Running batch commands

Creating a process with a hidden window

Launching a process

Launching the default Windows debugger (dwwin.exe)

Searching for the window

Stealing user critical data

Result

Malware family:

n/a

Score:

9/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/92127/overview

Behaviour

MalwareBazaar

SystemUptime

MeasuringTime

CPUID_Instruction

EvasionQueryPerformanceCounter

CheckCmdLine

EvasionGetTickCount

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

greyware packed xpack

Link:

https://www.filescan.io/uploads/649455c273cb23e4dbf8278b/reports/10334336-4aa4-4ef2-ab84-62161e467d3b/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/3ac337b6785aaf1104179e5f38c7e1f58288f5fa9da6b442dbbb10405c0a8f3c

Result

Verdict:

SUSPICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/06bf3d1b-f1a7-4170-b941-13a0395ebf14

Result

Threat name:

Vidar

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1259792

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Searches for specific processes (likely to inject)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Crypto Currency Wallets

Uses known network protocols on non-standard ports

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/3ac337b6785aaf1104179e5f38c7e1f58288f5fa9da6b442dbbb10405c0a8f3c/

Threat name:

Win32.Trojan.Lockbit

Status:

Malicious

First seen:

2023-06-22 08:35:44 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

29 of 35 (82.86%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=hlbtpntylkxrcbaxtzptrr7b6wbir5p2twtliqw3xmieaxakr46a._file

Result

Malware family:

vidar

Score:

10/10

Tags:

family:vidar botnet:9f58bcb3813bb0d3c7a7a048ae145e6b discovery spyware stealer

Link:

https://tria.ge/reports/230622-rfh8taeg85/

Behaviour

Checks processor information in registry

Delays execution with timeout.exe

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Accesses 2FA software files, possible credential harvesting

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Checks computer location settings

Deletes itself

Loads dropped DLL

Reads user/profile data of web browsers

Vidar

Malware Config

C2 Extraction:

https://steamcommunity.com/profiles/76561199235044780
https://t.me/headlist

Unpacked files

SH256 hash:

6c11508c7afdfd3f5167959f35f3b6ac2051d4f31ad137166a41bd40bc6389a5

MD5 hash:

bd8daf4f5bb6036f7cd157d3bf4a55f7

SHA1 hash:

bd8ae864b5293a7270290bff40c71b6b87519341

Detections:

VidarStealer

Link:

https://www.unpac.me/results/863ded38-0707-45ec-a2f0-51e5da210e42/

SH256 hash:

3ac337b6785aaf1104179e5f38c7e1f58288f5fa9da6b442dbbb10405c0a8f3c

MD5 hash:

9272fe5a3cf27c8f4fba0148d57dc0da

SHA1 hash:

01f67159c01fe7b1ae1c0bf4158107e119089fdf

Link:

https://www.unpac.me/results/863ded38-0707-45ec-a2f0-51e5da210e42/

Malware family:

Vidar.A

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/3ac337b6785a/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/3ac337b6785aaf1104179e5f38c7e1f58288f5fa9da6b442dbbb10405c0a8f3c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	has_telegram_urls Create hunting rule
Author:	Aaron DeVera<aaron@backchannel.re>
Description:	Detects Telegram URLs

Rule name:	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA Create hunting rule
Author:	ditekSHen
Description:	Detects Windows executables referencing non-Windows User-Agents

Rule name:	Telegram_Links Create hunting rule

Rule name:	Vidar Create hunting rule
Author:	kevoreilly,rony
Description:	Vidar Payload

Rule name:	Windows_Trojan_Smokeloader_3687686f Create hunting rule
Author:	Elastic Security

Rule name:	win_vidar Create hunting rule
Author:	Matthew @ Embee_Research
Description:	Detection of Vidar Stealer and Variants via strings present in final unpacked payloads