MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 418d07696c9edf58c20ad2ba1c0cb3dd678a2e4e7515d15fd530cd59ec5b2aec. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 418d07696c9edf58c20ad2ba1c0cb3dd678a2e4e7515d15fd530cd59ec5b2aec
SHA3-384 hash: 3d121d95b8eb97d58fd5d529f2a83db2bef5ff8427dfdf52393f934f925d3da0ec58413cd0f00b46d7d2937a7dfbc311
SHA1 hash: ee4f4552eb9056da1c2717e6c4c537d0a831dbb1
MD5 hash: 232987020a252fea6096bbf8075548dc
humanhash: sweet-thirteen-india-ack
File name:232987020a252fea6096bbf8075548dc.exe
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:764'416 bytes
First seen:2021-10-02 07:15:58 UTC
Last seen:2021-10-02 08:27:04 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 0c041fb9d9286e241f4f51f0ab8f3f03 (4 x RedLineStealer, 3 x RaccoonStealer, 1 x CryptBot)
ssdeep 12288:QETRrGzrJU4O3QO6U531OQ+OSnXoHVZgJShXqhPXUqVR0jL68zxd6L:5Ue4OaU4vXo1KiMEMWvL6L
Threatray 3'088 similar samples on MalwareBazaar
TLSH T1F9F4F118B2C3DFF6D67111B1AB26C3F4562DBC19592A724F7B98372E3A3D291DA03241
File icon (PE):PE icon
dhash icon 4839b234e8c38890 (121 x RaccoonStealer, 54 x RedLineStealer, 51 x ArkeiStealer)
Reporter abuse_ch
Tags:ArkeiStealer exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
130
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
232987020a252fea6096bbf8075548dc.exe
Verdict:
Malicious activity
Analysis date:
2021-10-02 07:18:44 UTC
Tags:
trojan stealer vidar loader
Link:
https://app.any.run/tasks/2ddacc91-29a4-4880-a038-1545c4f8c190

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Vidar
Create hunting rule
Link:
https://www.capesandbox.com/analysis/194144/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.37699147.22605.24187.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Connection attempt to an infection source
Sending a TCP request to an infection source
Launching the default Windows debugger (dwwin.exe)
Query of malicious DNS domain
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/18150da7-88c5-4af0-a822-7c50fff9cde4
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/863130
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Self deletion via cmd delete
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Vidar
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/418d07696c9edf58c20ad2ba1c0cb3dd678a2e4e7515d15fd530cd59ec5b2aec/
Threat name:
Win32.Trojan.Phonzy
Create hunting rule
Status:
Malicious
First seen:
2021-10-01 14:13:30 UTC
AV detection:
17 of 28 (60.71%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
055cb853c5499b9697324c17f34ee00e054f21fcd505cb943aeb1de4b719682b
ArkeiStealer
1ded793046759d0c4848c5cd03ebc7f4200a113fd09a73453809edf19064a05c
ArkeiStealer
21b462c2cde024f0a0abb408979ccefa46a8281902871aef0762c5bf90d99731
ArkeiStealer
65fc50d2de580eb94f18a7c6ce0e98080cc7174b4df77d5252ec4525e9ef3fad
ArkeiStealer
716877dd92f89046b2ff37a9c4df120007a5722d7fe494864b8aaeac11290d0b
ArkeiStealer
96458b37d93d0638e168dd2c880e2b34b08d448cd163d11fccf2d80a3d5be726
ArkeiStealer
b19bd5c5dae85d2bc22eb58b02c06de6767734e841ee8ae90e8fbd040e77b779
ArkeiStealer
b9209d7d35e55f35a12503b6e8c2f2b5823436a6009d9920b1da00b7ef2bd9d4
ArkeiStealer
c5100d1bf69fec9ba16db2e5950ca974b65d97d5174a409ddc0a92715ebc3d7b
ArkeiStealer
f85e8c5cddb5550c387685e6e3019f9adbced46c8a1f59503a58e3a00f11232b
ArkeiStealer
+ 3'078 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar botnet:1008 discovery spyware stealer suricata
Link:
https://tria.ge/reports/211002-h3vexseaeq/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Vidar Stealer
Vidar
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
Malware Config
C2 Extraction:
https://mas.to/@bardak1ho
Unpacked files
SH256 hash:
3a36485d09c10d881a8a5992c6f293b8239c4da81f3b31927581bbf17b964f9c
MD5 hash:
b55a872097578a66aef4edaddf9af33b
SHA1 hash:
9a05ed83a367e4cffe6de255a43fbafc80154abd
Link:
https://www.unpac.me/results/b136ccf9-3db6-4a51-b68c-1d895b3fe425/
SH256 hash:
418d07696c9edf58c20ad2ba1c0cb3dd678a2e4e7515d15fd530cd59ec5b2aec
MD5 hash:
232987020a252fea6096bbf8075548dc
SHA1 hash:
ee4f4552eb9056da1c2717e6c4c537d0a831dbb1
Link:
https://www.unpac.me/results/b136ccf9-3db6-4a51-b68c-1d895b3fe425/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/418d07696c9e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/418d07696c9edf58c20ad2ba1c0cb3dd678a2e4e7515d15fd530cd59ec5b2aec

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ArkeiStealer

Executable exe 418d07696c9edf58c20ad2ba1c0cb3dd678a2e4e7515d15fd530cd59ec5b2aec

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1586513/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1584973/
Cape
Cape
https://www.capesandbox.com/analysis/194144/

Comments