MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3c965884e7cb34c573604037e3b848cc503abc666e41762ec6a603493444e50d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 11


Intelligence 11 IOCs 1 YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3c965884e7cb34c573604037e3b848cc503abc666e41762ec6a603493444e50d
SHA3-384 hash: 06a4889f98decff1d734ca4b7ce0b4f0fe6e7f2de5405e786c85f33d5a1db9d995045cb96134fdca4cd7c06de05c7e6f
SHA1 hash: 94f756a1cf8a6409577eab67a8d779f67adad982
MD5 hash: 12982ae5336316989198ef9858d1f144
humanhash: papa-robin-sink-potato
File name:12982ae5336316989198ef9858d1f144.exe
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:234'496 bytes
First seen:2022-10-01 21:20:17 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash cea3a2f8139fd6eeec6e10c1c161c63a (2 x CoinMiner, 2 x Smoke Loader, 1 x RecordBreaker)
ssdeep 3072:80CnMbsLIG+todI5p8AVyVq54aKQrB3DRjyGEW/ohKBQtZJ/Pk44n:psLStodS/uq3DRdf/efT
Threatray 714 similar samples on MalwareBazaar
TLSH T16D34E0D036B0D03EC4774A70B835C6E52A7A5C165528094F275A3BAF6F307926EFE31A
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b6dacabecee6baa6 (72 x Stop, 68 x RedLineStealer, 55 x Smoke Loader)
Reporter abuse_ch
Tags:ArkeiStealer exe


Avatar
abuse_ch
ArkeiStealer C2:
http://64.44.167.153/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://64.44.167.153/ https://threatfox.abuse.ch/ioc/858504/

Intelligence

File Origin
# of uploads :
1
# of downloads :
308
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/315605/
Detection(s):
Win.Packed.Crypterx-9954995-0
Create hunting rule

Win.Dropper.Tofsee-9971434-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Sending an HTTP GET request
Creating a file in the %temp% directory
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
DNS request
Creating a process from a recently created file
Sending a custom TCP request
Creating a window
Searching for synchronization primitives
Delayed reading of the file
Launching the default Windows debugger (dwwin.exe)
Using the Windows Management Instrumentation requests
Launching a tool to kill processes
Gathering data
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
GCleaner
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a2fe7afd-ef1d-48db-94cf-659487b1f971
Result
Threat name:
Vidar, onlyLogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1081685
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected onlyLogger
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 714242 Sample: FcHKUdTsxt.exe Startdate: 01/10/2022 Architecture: WINDOWS Score: 100 79 Multi AV Scanner detection for domain / URL 2->79 81 Malicious sample detected (through community Yara rule) 2->81 83 Antivirus detection for URL or domain 2->83 85 8 other signatures 2->85 11 FcHKUdTsxt.exe 24 2->11         started        process3 dnsIp4 67 googlehosted.l.googleusercontent.com 172.217.168.33, 443, 49719, 49720 GOOGLEUS United States 11->67 69 script.google.com 216.58.215.238, 443, 49715, 49716 GOOGLEUS United States 11->69 71 2 other IPs or domains 11->71 53 C:\Users\user\AppData\...\6407281271.exe, PE32 11->53 dropped 55 C:\Users\user\AppData\...\2184468940.exe, PE32 11->55 dropped 57 C:\Users\user\AppData\Local\...\s23[1], PE32 11->57 dropped 59 3 other malicious files 11->59 dropped 15 cmd.exe 1 11->15         started        17 cmd.exe 1 11->17         started        19 cmd.exe 1 11->19         started        file5 process6 process7 21 6407281271.exe 11 15->21         started        25 conhost.exe 15->25         started        27 2184468940.exe 13 17->27         started        30 conhost.exe 17->30         started        32 taskkill.exe 1 19->32         started        34 conhost.exe 19->34         started        dnsIp8 51 C:\ProgramData\...\trsclean.exe, PE32 21->51 dropped 95 Antivirus detection for dropped file 21->95 97 Multi AV Scanner detection for dropped file 21->97 36 trsclean.exe 21->36         started        73 script.googleusercontent.com 27->73 75 script.google.com 27->75 77 googlehosted.l.googleusercontent.com 27->77 99 Binary is likely a compiled AutoIt script file 27->99 file9 signatures10 process11 signatures12 87 Antivirus detection for dropped file 36->87 89 Multi AV Scanner detection for dropped file 36->89 91 Detected unpacking (changes PE section rights) 36->91 93 3 other signatures 36->93 39 trsclean.exe 17 36->39         started        process13 dnsIp14 61 t.me 149.154.167.99, 443, 49721 TELEGRAMRU United Kingdom 39->61 63 64.44.167.153, 49722, 80 NEXEONUS United States 39->63 65 192.168.2.1 unknown unknown 39->65 101 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 39->101 103 Tries to harvest and steal browser information (history, passwords, etc) 39->103 105 Tries to steal Crypto Currency Wallets 39->105 43 cmd.exe 1 39->43         started        signatures15 process16 process17 45 taskkill.exe 1 43->45         started        47 conhost.exe 43->47         started        49 timeout.exe 1 43->49         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3c965884e7cb34c573604037e3b848cc503abc666e41762ec6a603493444e50d/
Threat name:
Win32.Ransomware.StopCrypt
Create hunting rule
Status:
Malicious
First seen:
2022-09-23 18:12:46 UTC
File Type:
PE (Exe)
Extracted files:
35
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hslfrbhhzm2mk43aia36hocizridvpdgnzaxmlwguybusnce4ugq._file
Verdict:
malicious
Similar samples:
23d61708d9bbdb2bd1fbfd3c3086193d5eb8b7a5c3dc84a4e77857c8020b71c1
ArkeiStealer
455e9b43d3df1c83df5182936603a66d04658d6d1cb3098e9676978549e926fa
ArkeiStealer
704f8a3f1c2a4c9c7cff571df36398bb27d82930a1e0c7a29fd72074015ed75a
ArkeiStealer
8ecbe3f78c01ca3ddb3cd79498d97441c9f08cc3c2d2416546aee250ff84877e
ArkeiStealer
9d5f1be092ee806db3f058fa773d20f7f4a9c120c44f0f0ab365e1e2a822cb36
ArkeiStealer
bb5938ca20203ecde3fc65a31025801a1c136b90c76d7816edcb58db733ca3ed
ArkeiStealer
+ 704 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar botnet:1636 discovery spyware stealer upx
Link:
https://tria.ge/reports/221001-z7a1hshdak/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
AutoIT Executable
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks computer location settings
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
UPX packed file
Vidar
Malware Config
C2 Extraction:
https://t.me/dghzq
https://t.me/zjsqpz
https://t.me/fqwexzq
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/9aa4fe90-a1aa-4908-a037-0a56fc76643b
Unpacked files
SH256 hash:
a9fb62c4ef2e6477a3752569c79caf7893ba44bb5797322bcb4faf3deb9251d0
MD5 hash:
9bfc1bb3485f3e5bdf1d2febb7a32e10
SHA1 hash:
da9622a17082f8b48411be12e0ab5581972fa4e8
Link:
https://www.unpac.me/results/5b4fbd07-2cc2-4877-a341-534fcfe66499/
SH256 hash:
3c965884e7cb34c573604037e3b848cc503abc666e41762ec6a603493444e50d
MD5 hash:
12982ae5336316989198ef9858d1f144
SHA1 hash:
94f756a1cf8a6409577eab67a8d779f67adad982
Link:
https://www.unpac.me/results/5b4fbd07-2cc2-4877-a341-534fcfe66499/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/3c965884e7cb/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3c965884e7cb34c573604037e3b848cc503abc666e41762ec6a603493444e50d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:win_vidar_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.vidar.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/315605/

Comments