MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3d8567fb3b55c792b8ba70e2172726ae80805f1a1c858db29e13a5cd02d8634a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Intelligence 7 File information Yara 3 Comments

SHA256 hash: 3d8567fb3b55c792b8ba70e2172726ae80805f1a1c858db29e13a5cd02d8634a
SHA3-384 hash: 05a64c40a67a5d5a82a74d66d47169ef79f83b9a3a0a546ace25ff36985f1a5589c596d4815dfa15f065779059344d1a
SHA1 hash: 25c2f7e1e00cfaa7ca77d6e92329378af65cd41f
MD5 hash: 1e20978faf83eef6a9d3f22dc7a2e17e
humanhash: carbon-cola-twenty-black
File name:1e20978faf83eef6a9d3f22dc7a2e17e.exe
Download: download sample
Signature ArkeiStealer
File size:475'648 bytes
First seen:2020-07-31 16:12:17 UTC
Last seen:2020-07-31 16:48:59 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash acf8dfdee671c210e8faeb3a51d05958
ssdeep 12288:UXJVBl/FRaduC2/YJYvGoBHcehl6OTV/Ox:UXTBBaUCvapVHl6OTV/
TLSH 32A412163A43C031E06065728429D272A164ADB16A7BED5337B227AF2EF31D2DB75F07
Reporter @abuse_ch
Tags:ArkeiStealer exe


Twitter
@abuse_ch
ArkeiStealer C2:
http://lawrencemaths.com/

Intelligence


File Origin
# of uploads :
2
# of downloads :
53
Origin country :
US US
Mail intelligence
No data
Vendor Threat Intelligence
Detection:
Predatorthethief
Result
Threat name:
Vidar
Detection:
malicious
Classification:
troj.spyw.evad
Score:
72 / 100
Signature
Country aware sample found (crashes after keyboard check)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Threat name:
Win32.Trojan.Kryptik
Status:
Malicious
First seen:
2020-07-31 16:05:53 UTC
AV detection:
41 of 48 (85.42%)
Threat level
  5/5
Result
Malware family:
n/a
Score:
  7/10
Tags:
spyware discovery
Behaviour
Suspicious use of AdjustPrivilegeToken
Checks processor information in registry
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Checks processor information in registry
Suspicious use of AdjustPrivilegeToken
Kills process with taskkill
Suspicious use of WriteProcessMemory
Program crash
Looks up external IP address via web service
JavaScript code in executable
Checks installed software on the system
Checks installed software on the system
Looks up external IP address via web service
JavaScript code in executable
Loads dropped DLL
Deletes itself
Reads user/profile data of web browsers
Reads user/profile data of local email clients
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Threat name:
Malicious File
Score:
1.00

Yara Signatures


Rule name:win_vidar_auto
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_vidar_g0
Author:Slavo Greminger, SWITCH-CERT
Rule name:with_sqlite
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ArkeiStealer

Executable exe 3d8567fb3b55c792b8ba70e2172726ae80805f1a1c858db29e13a5cd02d8634a

(this sample)

  
Delivery method
Distributed via web download

Comments