MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3b66abe3a8f155402ec2d039a4f469aa7c515379cfbc214a8b89406c16415a17. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3b66abe3a8f155402ec2d039a4f469aa7c515379cfbc214a8b89406c16415a17
SHA3-384 hash: 570a6371f88db502df03b8e2e022bc5ece058a0c5e3fd7bb5caff934f1096ebb83a23f39914f5e25313e8a0e89614a7e
SHA1 hash: 0bf68bd2282304dfeee529b02f73d7ba105c9d65
MD5 hash: c2256c4496c8ced6ee045dcfb71544fe
humanhash: happy-music-carbon-don
File name:file
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:4'144'128 bytes
First seen:2022-11-27 13:46:39 UTC
Last seen:2022-11-28 13:28:26 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 80987734dc07c32b4f2a2118db04ea26 (1 x ArkeiStealer)
ssdeep 98304:cIRJlTNWsvLKHG9lz2QY5Bt4G5w0g4zJVEr1jef8:conTNWseMRdDGa+y
Threatray 1'147 similar samples on MalwareBazaar
TLSH T14916236362596298C0DACD358537BEE372F30A36C641AC740EFABDC63621496C713A5F
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 70e0c0f0d0d2d2f0 (1 x ArkeiStealer)
Reporter andretavare5
Tags:ArkeiStealer exe


Avatar
andretavare5
Sample downloaded from https://vk.com/doc760750097_656940680?hash=4DjtH8buJNMfYasi1XiL12tTG171qm1JAZrqSfHg4sX&dl=G43DANZVGAYDSNY:1669543987:qzhxn6kZFyYgxs0ehG2IvdLXzDhNufKQEv5zZdbunYD&api=1&no_preview=1#CRYPTO_ALL

Intelligence

File Origin
# of uploads :
751
# of downloads :
280
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
vidar
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2022-11-27 13:49:40 UTC
Tags:
trojan stealer vidar
Link:
https://app.any.run/tasks/ff067e7e-acb3-4f79-a3dc-9f6e028bd973

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/339051/
Detection(s):
SecuriteInfo.com.Win32.Evo-gen.3268.27106.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Reading critical registry keys
Running batch commands
Creating a process with a hidden window
Launching a process
Stealing user critical data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/63836a575be128ac718f1e47/reports/abb50b5e-389a-4551-a137-7115dbf26008/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/3ec57682-0cd4-48c0-9bbf-6394785b4b00
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/1121932
Signature
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
PE file contains section with special chars
Self deletion via cmd or bat file
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3b66abe3a8f155402ec2d039a4f469aa7c515379cfbc214a8b89406c16415a17/
Threat name:
Win32.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2022-11-27 13:47:16 UTC
File Type:
PE (Exe)
Extracted files:
31
AV detection:
16 of 26 (61.54%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hntkxy5i6fkualwc2a42j5djvj6fcu3zz66ccsulrfagyfsblilq._file
Verdict:
suspicious
Label(s):
raccoon
Create hunting rule
Similar samples:
1ebe93b170185c9898d90829867fd281a34568c054f832cee5027db73b63bba6
ArkeiStealer
44bd9084d0e09c6700364fe22001809a5ad5c160bce5a626c468ea1758a09c15
ArkeiStealer
58ae170573fd183ada1906291ca170724608a6a6217d84a6e5f0e400c3b1f481
ArkeiStealer
7404cb25819f535125e6c4a213d348d077add914be4620b58ba50d364b538ea6
ArkeiStealer
9f47198b35478784b38b1094f82d96cb6d50c3edc4a0139ac4ccd9e822c86feb
ArkeiStealer
e45dbe7cb55c15faa395640121286cb2d61bb3655e9da26f9ea3d1d2f2c47880
ArkeiStealer
+ 1'137 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar botnet:1679 discovery spyware stealer
Link:
https://tria.ge/reports/221127-q3h1wsbh74/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Vidar
Malware Config
C2 Extraction:
https://t.me/headshotsonly
https://steamcommunity.com/profiles/76561199436777531
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/9ffeba34-9c3e-45dc-a575-1242bffff250
Unpacked files
SH256 hash:
833c640f603745976593ed32b63bfe731e5ac44b3f729c36a80cff025877a1ea
MD5 hash:
aa040200c0b44f51a280f6126b4439d5
SHA1 hash:
3c3bf08e13b145ad43671d22e97dad9d7b1a6c81
Link:
https://www.unpac.me/results/54d9dade-739d-47ee-b40d-057e82543189/
SH256 hash:
3b66abe3a8f155402ec2d039a4f469aa7c515379cfbc214a8b89406c16415a17
MD5 hash:
c2256c4496c8ced6ee045dcfb71544fe
SHA1 hash:
0bf68bd2282304dfeee529b02f73d7ba105c9d65
Link:
https://www.unpac.me/results/54d9dade-739d-47ee-b40d-057e82543189/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/3b66abe3a8f1/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3b66abe3a8f155402ec2d039a4f469aa7c515379cfbc214a8b89406c16415a17

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/339051/

Comments