MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3d70b9871f56942f3f1a9e57226dcc178fdb8d715a919a0689ca715d85ac40ad. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ArkeiStealer

Vendor detections: 12

Intelligence 12 IOCs YARA 4 File information Comments

SHA256 hash:	3d70b9871f56942f3f1a9e57226dcc178fdb8d715a919a0689ca715d85ac40ad
SHA3-384 hash:	24dfa104d01f413c82eee556b5462cdc22a4e71fae388f0f3caf94b15aa7d6940fa926bc9e206191b0a9f7986f8bb7cd
SHA1 hash:	b004219ecb4287fb27cf07e02d4eecbb773766c5
MD5 hash:	b5d17ffc9e3fbd135a09dea9b844f61e
humanhash:	maine-leopard-zulu-papa
File name:	b5d17ffc9e3fbd135a09dea9b844f61e.exe
Download:	download sample
Signature	ArkeiStealer Create hunting rule
File size:	695'808 bytes
First seen:	2021-11-15 08:22:38 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	804abf6bfd1eb86d699699dd471c7b89 (10 x RaccoonStealer, 4 x RedLineStealer, 2 x Loki)
ssdeep	12288:rpz9s4JIQa0ybpklaxRwjmiUfFVYUZE4u2XWy/AVuAqy51BGQd9uHFq779:rpWC2/piazXi06UZ9u2XWSAVuAq81wQN
Threatray	3'446 similar samples on MalwareBazaar
TLSH	T189E402E037A08035E0A57D32666487A1963BB832F574D916F774672F0EB37E08AB4763
File icon (PE):
dhash icon	fcfcb4d4d4d4d8c0 (70 x RedLineStealer, 59 x RaccoonStealer, 24 x Smoke Loader)
Reporter	abuse_ch
Tags:	ArkeiStealer exe

Intelligence

File Origin

# of uploads :

# of downloads :

120

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Vidar

Link:

https://www.capesandbox.com/analysis/205799/

Detection(s):

Win.Packed.Fragtor-9908420-0

Win.Packed.Fragtor-9908933-0

Win.Packed.Generic-9908949-0

Win.Dropper.Fragtor-9909325-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

DNS request

Connection attempt

Sending a custom TCP request

Sending an HTTP GET request

Creating a file

Deleting a recently created file

Replacing files

Reading critical registry keys

Delayed writing of the file

Running batch commands

Creating a process with a hidden window

Using the Windows Management Instrumentation requests

Searching for the window

Launching a process

Creating a window

Connection attempt to an infection source

Stealing user critical data

Launching a tool to kill processes

Sending an HTTP GET request to an infection source

Forced shutdown of a browser

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/619218e83edf00a722d5030c/reports/03340f42-b54f-4232-b7ba-f1ea9f44a880/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Vidar

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/3290eb53-925d-430f-8565-2e6c915fdaa4

Result

Threat name:

Vidar

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/889329

Signature

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Found Tor onion address

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Self deletion via cmd delete

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected Vidar

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

vidar

Link:

https://mwdb.cert.pl/sample/3d70b9871f56942f3f1a9e57226dcc178fdb8d715a919a0689ca715d85ac40ad/

Threat name:

Win32.Ransomware.StopCrypt

Status:

Malicious

First seen:

2021-11-15 08:23:06 UTC

AV detection:

36 of 44 (81.82%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=hvyltby7k2kc6py2tzlse3omc6h5xdlrlkizubujzjyv3bnmicwq._file

Verdict:

malicious

ArkeiStealer

52a4ad8395e49789fa987b56b1881fe6093e91f8d5e34b9598e9e7b98cabd570

ArkeiStealer

57af71329fbcd067e4a0e71b6b6a5ccb22c9ba806843928fcb02196259d34da1

ArkeiStealer

68057c01ea50c5514b856ded8170ba2285ad782f71c27bcc87cb9aaf91da3166

ArkeiStealer

69fb7b86d91b3770791529e3edab3aa7ed335c7cc66c8027f401fd4cd4088034

ArkeiStealer

76e3372675b50861ba373f9700db718087d9821cc619e00aca03912f22eeedd1

ArkeiStealer

9f7b738f2ff2ae60844f22c5b4e6e6b42312c2f5f32b3992dc65e5ac6d7a177b

ArkeiStealer

e063c47dce8d2f1121ceb4cf4b20688e975646ac831c0e5843d4536d7e1dfbce

ArkeiStealer

f1b2cc9a9fed9992129c1673d423647dd8307aada8ccff1b3d0fea35c2c3e741

ArkeiStealer

+ 3'436 additional samples on MalwareBazaar

Result

Malware family:

vidar

Score:

10/10

Tags:

family:vidar botnet:1002 discovery spyware stealer suricata

Link:

https://tria.ge/reports/211115-j95pxaeefr/

Behaviour

Checks processor information in registry

Delays execution with timeout.exe

Kills process with taskkill

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Accesses 2FA software files, possible credential harvesting

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Deletes itself

Loads dropped DLL

Reads user/profile data of web browsers

Downloads MZ/PE file

Vidar Stealer

Vidar

suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

Malware Config

C2 Extraction:

https://koyu.space/@qmashton

Unpacked files

SH256 hash:

564b1ad2d6f6765bde04622c9e7de0cdd7d3725807efd084df05ea523c9a2f91

MD5 hash:

84fca1bf5180c913995c09f8ee1767b5

SHA1 hash:

3093321188a9b545209fc0eb0978b251afe5cb78

Link:

https://www.unpac.me/results/97ede2aa-86bb-4c7b-83fe-de2ddc5cc668/

SH256 hash:

3d70b9871f56942f3f1a9e57226dcc178fdb8d715a919a0689ca715d85ac40ad

MD5 hash:

b5d17ffc9e3fbd135a09dea9b844f61e

SHA1 hash:

b004219ecb4287fb27cf07e02d4eecbb773766c5

Link:

https://www.unpac.me/results/97ede2aa-86bb-4c7b-83fe-de2ddc5cc668/

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing SQL queries to confidential data stores. Observed in infostealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing potential Windows Defender anti-emulation checks

Rule name:	MALWARE_Win_Vidar Create hunting rule
Author:	ditekSHen
Description:	Detects Vidar / ArkeiStealer

Rule name:	Vidar Create hunting rule
Author:	kevoreilly
Description:	Vidar Payload

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/205799/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample