MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3b20ec2bdef46b382bbc9ac52438c4db531cf6577d5811ca92b98855a1be9821. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 18 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3b20ec2bdef46b382bbc9ac52438c4db531cf6577d5811ca92b98855a1be9821
SHA3-384 hash: ae93b3deba71285c1fcc667319563dde6953ec34e95bb5553115390c5a7b57e1eba50ab9b4d823c7e60b782bcf7f4252
SHA1 hash: 15bf389c222bd079a587c6669f2283b3971cc56d
MD5 hash: ff6b04e73e7d24162e9bf830ef495b04
humanhash: orange-snake-bacon-friend
File name:ff6b04e73e7d24162e9bf830ef495b04.exe
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:2'665'480 bytes
First seen:2023-07-13 11:47:38 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 49152:g/G8sF+lW+8d4Aa53syhHLPLkqYyaUtPcwg:rdsid4AByhjY5Utkl
Threatray 30 similar samples on MalwareBazaar
TLSH T1F6C5028DB55E8A46E6F488309077F15C0FA3BDA2F733F65935A4B21F44722532B52B0A
TrID 66.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.5% (.EXE) Win64 Executable (generic) (10523/12/4)
5.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon f4e4ccccdcccc8c8 (1 x ArkeiStealer)
Reporter obfusor
Tags:ArkeiStealer exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
290
Origin country :
HK HK
Vendor Threat Intelligence
Malware family:
vidar
Create hunting rule
ID:
1
File name:
ff6b04e73e7d24162e9bf830ef495b04.exe
Verdict:
Malicious activity
Analysis date:
2023-07-13 11:48:12 UTC
Tags:
stealer vidar trojan opendir arkei loader amadey
Link:
https://app.any.run/tasks/2cdc1dcc-8b4c-4ff1-b7a4-4fc365422a4b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Vidar
Create hunting rule
Link:
https://www.capesandbox.com/analysis/417348/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.10176.14954.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Creating a file
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Reading critical registry keys
Using the Windows Management Instrumentation requests
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
lolbin msbuild net obfuscated overlay packed
Link:
https://www.filescan.io/uploads/64afe4776e9f7019dea02d31/reports/1d8a5d61-d372-4c29-8ee3-a366946ba15b/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/3b20ec2bdef46b382bbc9ac52438c4db531cf6577d5811ca92b98855a1be9821
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/82c7de29-cc97-42d6-91b6-e0b8e73f62e7
Result
Threat name:
Amadey, Vidar
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1272442
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates an undocumented autostart registry key
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Searches for specific processes (likely to inject)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Amadeys Clipper DLL
Yara detected Amadeys stealer DLL
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1272442 Sample: fm8hXTIuTO.exe Startdate: 13/07/2023 Architecture: WINDOWS Score: 100 81 Found malware configuration 2->81 83 Malicious sample detected (through community Yara rule) 2->83 85 Antivirus detection for URL or domain 2->85 87 14 other signatures 2->87 12 fm8hXTIuTO.exe 1 2->12         started        16 jbruyer.exe 2->16         started        process3 file4 63 C:\Users\user\AppData\...\fm8hXTIuTO.exe.log, ASCII 12->63 dropped 113 Writes to foreign memory regions 12->113 115 Allocates memory in foreign processes 12->115 117 Injects a PE file into a foreign processes 12->117 18 MSBuild.exe 22 12->18         started        119 Query firmware table information (likely to detect VMs) 16->119 121 Hides threads from debuggers 16->121 123 Tries to detect sandboxes / dynamic malware analysis system (registry check) 16->123 signatures5 process6 dnsIp7 73 149.154.167.99 TELEGRAMRU United Kingdom 18->73 75 67.212.175.162 SINGLEHOP-LLCUS United States 18->75 77 3 other IPs or domains 18->77 57 C:\Users\user\AppData\Local\...\Amday[1].exe, PE32 18->57 dropped 59 C:\ProgramData\02723772706286592511.exe, PE32 18->59 dropped 89 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 18->89 91 Tries to harvest and steal browser information (history, passwords, etc) 18->91 93 Tries to steal Crypto Currency Wallets 18->93 95 Searches for specific processes (likely to inject) 18->95 23 02723772706286592511.exe 3 18->23         started        file8 signatures9 process10 file11 61 C:\Users\user\AppData\Local\...\jbruyer.exe, PE32 23->61 dropped 97 Query firmware table information (likely to detect VMs) 23->97 99 Machine Learning detection for dropped file 23->99 101 Hides threads from debuggers 23->101 103 Tries to detect sandboxes / dynamic malware analysis system (registry check) 23->103 27 jbruyer.exe 20 23->27         started        signatures12 process13 dnsIp14 79 45.9.74.164 FIRST-SERVER-EU-ASRU Russian Federation 27->79 65 C:\Users\user\AppData\Roaming\...\cred64.dll, PE32+ 27->65 dropped 67 C:\Users\user\AppData\Roaming\...\clip64.dll, PE32 27->67 dropped 69 C:\Users\user\AppData\Local\...\clip64[1].dll, PE32 27->69 dropped 71 C:\Users\user\AppData\Local\...\cred64[1].dll, PE32+ 27->71 dropped 125 Query firmware table information (likely to detect VMs) 27->125 127 Creates an undocumented autostart registry key 27->127 129 Tries to detect sandboxes and other dynamic analysis tools (window names) 27->129 131 4 other signatures 27->131 32 rundll32.exe 27->32         started        34 cmd.exe 1 27->34         started        36 schtasks.exe 1 27->36         started        38 rundll32.exe 27->38         started        file15 signatures16 process17 process18 40 rundll32.exe 32->40         started        43 conhost.exe 34->43         started        45 cmd.exe 1 34->45         started        47 cmd.exe 1 34->47         started        51 4 other processes 34->51 49 conhost.exe 36->49         started        signatures19 105 System process connects to network (likely due to code injection or exploit) 40->105 107 Tries to steal Instant Messenger accounts or passwords 40->107 109 Tries to harvest and steal ftp login credentials 40->109 111 Tries to harvest and steal browser information (history, passwords, etc) 40->111 53 tar.exe 40->53         started        process20 process21 55 conhost.exe 53->55         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3b20ec2bdef46b382bbc9ac52438c4db531cf6577d5811ca92b98855a1be9821/
Threat name:
ByteCode-MSIL.Spyware.Remloader
Create hunting rule
Status:
Malicious
First seen:
2023-07-13 11:48:09 UTC
File Type:
PE (.Net Exe)
Extracted files:
124
AV detection:
20 of 24 (83.33%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hmqoyk666rvtqk54tlcsioge3njrz5sxpvmbdsusxgeflin6taqq._file
Verdict:
malicious
Similar samples:
55287472e4122c7bcdbcef98cfcdf78178828734c08240b677859b22dcee21aa
ArkeiStealer
5c70adfeec8dd32457e92854ef1351eb0d78e0fb43bb90467683f6233ecfcf4a
ArkeiStealer
7126cfc8629b80a79f23d1d33e1fc0682c0a12f34bae0b42f31414ec82336eb4
ArkeiStealer
88e5393ec1c21914ee6ab9580ad2b6cdbd1617a2148b70ac7f1295fe07d582fe
ArkeiStealer
96e1c28933f11526534009d9a8b3302291fa0927b9e1c44ec5990c1e041b01da
ArkeiStealer
e19f2e360811718cc910c124bbeb7d6c02a0719f05b1d9fdb7ffcab2c462c727
ArkeiStealer
ed1ac43c1959cf965024bab1d57a1ed1e14170256f003cc91ead9c5c76e09a6a
ArkeiStealer
+ 20 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:vidar botnet:https://t.me/prescilliouns evasion spyware stealer themida trojan
Link:
https://tria.ge/reports/230713-nyfc4ahd8x/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks whether UAC is enabled
Checks BIOS information in registry
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
Downloads MZ/PE file
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Amadey
Vidar
Malware Config
C2 Extraction:
https://t.me/prescilliouns
https://t.me/eagl3z
https://steamcommunity.com/profiles/76561199159550234
45.9.74.164/b7djSDcPcZ/index.php
Unpacked files
SH256 hash:
bff1ea7a400618bc907be40125a20e58e2a2a34cc0a195c383289b2458e30c8b
MD5 hash:
18d456773e822dae964ba76602ef44d2
SHA1 hash:
e514afdd477bc8c17fed0c7bd06593024893b4bd
Link:
https://www.unpac.me/results/ac62b2bf-7519-42a6-a339-ff6e5a5d099b/
SH256 hash:
4ab39318a28ebbf322e0b5f00ae4020cf75f3c6f09a97580a1eb2a3a4c257f96
MD5 hash:
f79c0395f8a64b7483a9d83f349a0854
SHA1 hash:
cdbd327c9bdb5f12d9441f176d684385e8796375
Link:
https://www.unpac.me/results/ac62b2bf-7519-42a6-a339-ff6e5a5d099b/
SH256 hash:
31d77156174339b2ec641cac657da8e0a38b417d05e2fcf470473cdf5bef62f2
MD5 hash:
20b606abd71c28991badd94bcff0195f
SHA1 hash:
a045470629a0fe0290999688dc42c7b4eea2cd51
Link:
https://www.unpac.me/results/ac62b2bf-7519-42a6-a339-ff6e5a5d099b/
SH256 hash:
fd56a07f2da75c84337cbf94e0acafc09fb909cfb187a0ae214827ce2c4708bb
MD5 hash:
d93c5f59ddc41313bf36f106a2f1fe17
SHA1 hash:
97c5cd9d0689c1cd74685bc979122a13eba3fcc9
Link:
https://www.unpac.me/results/ac62b2bf-7519-42a6-a339-ff6e5a5d099b/
SH256 hash:
3b20ec2bdef46b382bbc9ac52438c4db531cf6577d5811ca92b98855a1be9821
MD5 hash:
ff6b04e73e7d24162e9bf830ef495b04
SHA1 hash:
15bf389c222bd079a587c6669f2283b3971cc56d
Link:
https://www.unpac.me/results/ac62b2bf-7519-42a6-a339-ff6e5a5d099b/
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/3b20ec2bdef4/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:grakate_stealer_nov_2021
Create hunting rule
Rule name:has_telegram_urls
Create hunting rule
Author:Aaron DeVera<aaron@backchannel.re>
Description:Detects Telegram URLs
Rule name:INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
Create hunting rule
Author:ditekSHen
Description:Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.
Rule name:INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
Author:ditekSHen
Description:Detects Windows executables referencing non-Windows User-Agents
Rule name:msil_suspicious_use_of_strreverse
Create hunting rule
Author:dr4k0nia
Description:Detects mixed use of Microsoft.CSharp and VisualBasic to use StrReverse
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_NET_Msil_Suspicious_Use_StrReverse
Create hunting rule
Author:dr4k0nia, modified by Florian Roth
Description:Detects mixed use of Microsoft.CSharp and VisualBasic to use StrReverse
Reference:https://github.com/dr4k0nia/yara-rules
Rule name:Telegram_Links
Create hunting rule
Rule name:Vidar
Create hunting rule
Author:kevoreilly,rony
Description:Vidar Payload
Rule name:win_vidar
Create hunting rule
Author:Matthew @ Embee_Research
Description:Detection of Vidar Stealer and Variants via strings present in final unpacked payloads
Rule name:win_vidar_strings_jun_2023
Create hunting rule
Author:Matthew @ Embee_Research
Description:Detection of Vidar Stealer and Variants via strings present in final unpacked payloads

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/417348/

Comments