MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3d353f9cd17195c5badec796dc3d37eaecc509015a84ca649ff7ea11e8f5beeb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 12


Intelligence 12 IOCs 1 YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3d353f9cd17195c5badec796dc3d37eaecc509015a84ca649ff7ea11e8f5beeb
SHA3-384 hash: 92850abd07c80206e9db4a99ea3a8019aacd1dc6602ea94a0f51c61e9a4fd33a7bf096564b08ca4614e02aeb2d8646c8
SHA1 hash: 2429878919168e882b8e349b97ed2b156be91d3d
MD5 hash: 481aa117267c8e6e94e021a682577aaa
humanhash: hawaii-arkansas-fruit-tennessee
File name:481AA117267C8E6E94E021A682577AAA.exe
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:604'160 bytes
First seen:2021-03-25 01:18:14 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 3163a6c1b9cad8978fd69796e8c587e3 (4 x ArkeiStealer, 1 x Formbook)
ssdeep 12288:PM3aBmLCUWoBrikqk2G5BsG8ZBdBvSYCfTonMRk3:PZBmLC5oBrnqk2Gp4BdBvLChRk
Threatray 526 similar samples on MalwareBazaar
TLSH 2FD4F02073E1C072F1F355315226C3B1CABB78766935959EABC406B94E637E1DB2232B
Reporter abuse_ch
Tags:ArkeiStealer exe


Avatar
abuse_ch
ArkeiStealer C2:
http://ciaociaoline.com/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://ciaociaoline.com/ https://threatfox.abuse.ch/ioc/5151/

Intelligence

File Origin
# of uploads :
1
# of downloads :
164
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
build.exe.vir
Verdict:
Malicious activity
Analysis date:
2021-03-22 01:48:07 UTC
Tags:
installer
Link:
https://app.any.run/tasks/1abe8488-39aa-4ee1-a7f9-6aa878c64621

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Malware.Generic-9846132-0
Create hunting rule

Win.Malware.Filerepmalware-9846658-0
Create hunting rule

Win.Malware.Filerepmetagen-9846659-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending a custom TCP request
Creating a file
Sending a UDP request
Connection attempt
Sending an HTTP GET request
Deleting a recently created file
Replacing files
Reading critical registry keys
Delayed writing of the file
Running batch commands
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Searching for the window
Launching a process
Stealing user critical data
Launching a tool to kill processes
Forced shutdown of a browser
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Vidar
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/01bba9f2-3eb2-4287-91ee-9cfd9e4b8493
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/653209
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3d353f9cd17195c5badec796dc3d37eaecc509015a84ca649ff7ea11e8f5beeb/
Threat name:
Win32.Trojan.Chapak
Create hunting rule
Status:
Malicious
First seen:
2021-03-22 03:43:29 UTC
AV detection:
14 of 28 (50.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hu2t7hgrogk4low6y6lnypjx5lwmkciblkcmuze767vbd2hvx3vq._file
Verdict:
malicious
Similar samples:
02b6aee180e967f7564c8f4f85f2ad17350c4c66fb258ff5b23546bd0a5d6373
ArkeiStealer
04db0b6b37fcd16563eaeb06996b2ab0c676f53cb1445d9b40eb46fa2c38c641
ArkeiStealer
1544df143ddc74b2261b8c580221d30b947188d9bb580f3ed916dfa34a13d5d6
ArkeiStealer
2741dd4405e19e5508adafb27ccc16460777cba41e79e4f0ece549c69e482008
ArkeiStealer
2c2d88dbff1f9196148cc3c7501d4c45b05ef51887651b3bcdbb111fcc7a2ba2
ArkeiStealer
3b3aab241be2a7755d61bea54971d730f81ca09017f8ef5bbabd7e0d59b9e092
ArkeiStealer
49bb4adbb9c4c008916876536f22f6d140b5ff8b5e581644267139a590cd3e60
ArkeiStealer
9379db9909eb90bc81cdb07b2d7dcbef69e5b1374e93b30153270ef2e58afe28
ArkeiStealer
b7fbd8164071eb1fffa561732f96d4569dc1480c01f99833a4b4d593cc3f1cd8
ArkeiStealer
cca1a1f85ee5c99d124bd9df98342eae40343b8757838bb7f1e1385fe8b836d8
ArkeiStealer
+ 516 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar discovery spyware stealer
Link:
https://tria.ge/reports/210325-cvsnbtmcn6/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Deletes itself
Loads dropped DLL
Reads local data of messenger clients
Reads user/profile data of web browsers
Vidar
Unpacked files
SH256 hash:
2b547b2d442be0724181dca987a13a2b3ea76cad4e2ce5c3eec0601dd9780351
MD5 hash:
475a9583b8aae62d76ac27c2afd51070
SHA1 hash:
7e6cb6bd2a3f18b6d14bbaf2fa9b30345d63be0c
Detections:
win_vidar_auto
Create hunting rule
Link:
https://www.unpac.me/results/802a2214-96c3-4169-8a04-3b78bc082158/
Parent samples :
031e15a7cbd8e62bf3bf59081ca35cb5c379bd54a6daede88ec77202f46b5d2a
3d353f9cd17195c5badec796dc3d37eaecc509015a84ca649ff7ea11e8f5beeb
e9d5a4ea2beceadfdd3dd64079fcfbb4cb15214d5b4e87161079980c06696a39
SH256 hash:
3d353f9cd17195c5badec796dc3d37eaecc509015a84ca649ff7ea11e8f5beeb
MD5 hash:
481aa117267c8e6e94e021a682577aaa
SHA1 hash:
2429878919168e882b8e349b97ed2b156be91d3d
Link:
https://www.unpac.me/results/802a2214-96c3-4169-8a04-3b78bc082158/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3d353f9cd17195c5badec796dc3d37eaecc509015a84ca649ff7ea11e8f5beeb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers
Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del
Rule name:win_vidar_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments