MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 44bd9084d0e09c6700364fe22001809a5ad5c160bce5a626c468ea1758a09c15. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 44bd9084d0e09c6700364fe22001809a5ad5c160bce5a626c468ea1758a09c15
SHA3-384 hash: e13bdd07f0117f657fde3e3aed7c65222f3a2ab0f20ebd5e3b0f3e8d7a06c4443997d72ad7bea411f9b66217cd8f3316
SHA1 hash: 121deb4e364fc43b29d9025b3d7bb4a28eea9982
MD5 hash: c9c2019117e77fe3d26ba4c47595bbb9
humanhash: chicken-nuts-winter-cardinal
File name:file
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:4'273'296 bytes
First seen:2022-11-23 13:15:47 UTC
Last seen:2022-11-23 15:11:19 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 80a65fa6dfd5f90a19614fd9f581e0bc (2 x ArkeiStealer)
ssdeep 98304:Gnc0giTB0H14mCsd8duADtV5aVD8iPQlBjCS/iRKy6BM:G4iTB09Cs6Jt+VdQWnREBM
Threatray 1'129 similar samples on MalwareBazaar
TLSH T1C016236753E91888E5EAC43C883BFCA471FA81A7C58099BDB99F74C963F05E0D117A43
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon ba7a6a72daceaea4 (3 x CoinMiner, 1 x ArkeiStealer, 1 x RedLineStealer)
Reporter andretavare5
Tags:ArkeiStealer exe signed

Code Signing Certificate

Organisation:Logitech Z-708 Template NET
Issuer:Logitech Z-708 Template NET
Algorithm:sha1WithRSAEncryption
Valid from:2022-11-21T14:19:15Z
Valid to:2032-11-22T14:19:15Z
Serial number: 14a8f1af6aca099b40218bc3f48b8671
Thumbprint Algorithm:SHA256
Thumbprint: 67bf19bc3a22fe925b3c54e3ff0d8087a565458b873f4806227f53b857ba3fa0
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
andretavare5
Sample downloaded from https://vk.com/doc760750097_656672556?hash=Odm7509ljgwYNNT9YkdWPKAySj9546WKO30DNvUPiQw&dl=G43DANZVGAYDSNY:1669205173:zncOLVAbhtZA2n2jeChEVAkkSb6C4OBc3626g8Ne5tT&api=1&no_preview=1#CRYPT_ALL

Intelligence

File Origin
# of uploads :
55
# of downloads :
276
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
vidar
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2022-11-23 13:18:20 UTC
Tags:
trojan stealer vidar
Link:
https://app.any.run/tasks/8cbc69d7-738a-4269-8b40-ac8479715a86

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/337613/
Detection(s):
SecuriteInfo.com.Win32.Evo-gen.11826.23546.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Reading critical registry keys
Running batch commands
Creating a process with a hidden window
Launching a process
Stealing user critical data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware overlay packed
Link:
https://www.filescan.io/uploads/637e1d1424da1c12cfe18253/reports/5278ed5b-834b-40d2-80ea-83cc461b09d8/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/1d18eb0c-3732-45be-9f56-ce2acedc9f8f
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/1119717
Signature
C2 URLs / IPs found in malware configuration
Detected unpacking (creates a PE file in dynamic memory)
Machine Learning detection for sample
PE file contains section with special chars
Self deletion via cmd or bat file
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/44bd9084d0e09c6700364fe22001809a5ad5c160bce5a626c468ea1758a09c15/
Threat name:
Win32.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2022-11-23 13:16:22 UTC
File Type:
PE (Exe)
Extracted files:
148
AV detection:
16 of 26 (61.54%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=is6zbbgq4cogoabwj7rcaamatjnnlqlaxts2mjwendvbowfatqkq._file
Verdict:
suspicious
Label(s):
raccoon
Create hunting rule
Similar samples:
1ebe93b170185c9898d90829867fd281a34568c054f832cee5027db73b63bba6
ArkeiStealer
360b2afefd68c3ded857f70836cee28007aac12118476e45d151af93c7fbc7f2
ArkeiStealer
58ae170573fd183ada1906291ca170724608a6a6217d84a6e5f0e400c3b1f481
ArkeiStealer
7404cb25819f535125e6c4a213d348d077add914be4620b58ba50d364b538ea6
ArkeiStealer
b9c544f7eef189e45cd0cb1cf50d9d1e163ce810c2b57d111eaf8cd417be24f7
ArkeiStealer
ce3c6cc7e3d80c26246bb01b910992d8c77b1c3f30ec28b79346f15224a3c746
ArkeiStealer
e45dbe7cb55c15faa395640121286cb2d61bb3655e9da26f9ea3d1d2f2c47880
ArkeiStealer
+ 1'119 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar botnet:1679 discovery spyware stealer
Link:
https://tria.ge/reports/221123-qhsplaea82/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks installed software on the system
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks computer location settings
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Vidar
Malware Config
C2 Extraction:
https://t.me/headshotsonly
https://steamcommunity.com/profiles/76561199436777531
Unpacked files
SH256 hash:
58fce62a30adbd7e950bffcf084769e028326ea607a50ff03b5331491922c38c
MD5 hash:
935c878b6ace59f722dffae901ae2b87
SHA1 hash:
717ac44c19003404216611479f5c88b0660aa46a
Link:
https://www.unpac.me/results/8816abd3-b591-4a6b-b76e-54b7e03b0205/
SH256 hash:
44bd9084d0e09c6700364fe22001809a5ad5c160bce5a626c468ea1758a09c15
MD5 hash:
c9c2019117e77fe3d26ba4c47595bbb9
SHA1 hash:
121deb4e364fc43b29d9025b3d7bb4a28eea9982
Link:
https://www.unpac.me/results/8816abd3-b591-4a6b-b76e-54b7e03b0205/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/44bd9084d0e0/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/44bd9084d0e09c6700364fe22001809a5ad5c160bce5a626c468ea1758a09c15

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/337613/

Comments