MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 455e9b43d3df1c83df5182936603a66d04658d6d1cb3098e9676978549e926fa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ArkeiStealer

Vendor detections: 11

Intelligence 11 IOCs 1 YARA File information Comments

SHA256 hash:	455e9b43d3df1c83df5182936603a66d04658d6d1cb3098e9676978549e926fa
SHA3-384 hash:	c6abb641611f1e0ae3f772a7a1fd391eab68954d561c9a6645dc3a39b78218b8ba19cf31393530456e92da332530fe91
SHA1 hash:	d4b07eec24e7559e499866850dacf4bc39e23969
MD5 hash:	6e9fc0f558f043f31e85559a39595da6
humanhash:	friend-delaware-oven-missouri
File name:	6e9fc0f558f043f31e85559a39595da6.exe
Download:	download sample
Signature	ArkeiStealer Create hunting rule
File size:	4'718'592 bytes
First seen:	2022-10-01 03:25:57 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	6c9b62aae6117060f9867b92d139b95e (9 x ArkeiStealer, 2 x Smoke Loader, 1 x RedLineStealer)
ssdeep	49152:HBI6nrEmvRmaNtqp6S0QGHHStTITGaRQXLKp8fm3ileWPH5Hx:HaURnsjfaRQbKp8fm3iMGH
Threatray	530 similar samples on MalwareBazaar
TLSH	T1AE268E23B349643EC06B193A492BD6D89C3F7F61791ACC4A7BF4194CCF361416A3A61B
TrID	61.8% (.EXE) Inno Setup installer (109740/4/30) 23.4% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9) 5.9% (.EXE) Win64 Executable (generic) (10523/12/4) 2.5% (.EXE) Win32 Executable (generic) (4505/5/1) 1.6% (.MZP) WinArchiver Mountable compressed Archive (3000/1)
File icon (PE):
dhash icon	f0d4b06969e8cc70 (2 x ArkeiStealer, 1 x AsyncRAT)
Reporter	abuse_ch
Tags:	ArkeiStealer exe

abuse_ch

ArkeiStealer C2:
http://64.44.167.153/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://64.44.167.153/	https://threatfox.abuse.ch/ioc/858504/

Intelligence

File Origin

# of uploads :

# of downloads :

271

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/315351/

Detection(s):

PUA.Win.Adware.Dealply-6619245-0

PUA.Win.Adware.Dealply-6619266-0

Result

Verdict:

Clean

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a window

Searching for synchronization primitives

Delayed reading of the file

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/40333/overview

Behaviour

MalwareBazaar

CPUID_Instruction

LanguageCheck

CheckNumberOfProcessor

CheckCmdLine

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

80%

Tags:

cmd.exe fingerprint greyware keylogger mokes nymaim overlay regasm.exe rundll32.exe smokeloader vidar

Link:

https://www.filescan.io/uploads/6337b34b51afd00428a90094/reports/de10e1ad-531b-4b18-afb4-1cef716a2e26/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/bed04d43-1267-43d2-8ae3-1b595b87faf9

Result

Threat name:

Vidar

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1081332

Signature

Antivirus detection for dropped file

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/455e9b43d3df1c83df5182936603a66d04658d6d1cb3098e9676978549e926fa/

Threat name:

Win32.Trojan.Smokeloader

Status:

Malicious

First seen:

2022-09-26 05:00:55 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

21 of 41 (51.22%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=ivpjwq6t34oihx2rqkjwma5gnucgldlndszqtduwo2lykspje35a._file

Verdict:

malicious

ArkeiStealer

704f8a3f1c2a4c9c7cff571df36398bb27d82930a1e0c7a29fd72074015ed75a

ArkeiStealer

8ecbe3f78c01ca3ddb3cd79498d97441c9f08cc3c2d2416546aee250ff84877e

ArkeiStealer

9d5f1be092ee806db3f058fa773d20f7f4a9c120c44f0f0ab365e1e2a822cb36

ArkeiStealer

bb5938ca20203ecde3fc65a31025801a1c136b90c76d7816edcb58db733ca3ed

ArkeiStealer

+ 520 additional samples on MalwareBazaar

Result

Malware family:

vidar

Score:

10/10

Tags:

family:vidar botnet:1636 discovery spyware stealer

Link:

https://tria.ge/reports/221001-dy66psgdej/

Behaviour

Checks processor information in registry

Delays execution with timeout.exe

Kills process with taskkill

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses 2FA software files, possible credential harvesting

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Checks computer location settings

Loads dropped DLL

Reads user/profile data of web browsers

Executes dropped EXE

Vidar

Malware Config

C2 Extraction:

https://t.me/dghzq
https://t.me/zjsqpz
https://t.me/fqwexzq

Verdict:

Informative

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/875d51f8-9eac-4a30-a1a3-d205aa1de71d

Unpacked files

SH256 hash:

61e71885942cbb64d50d1cac66a94452dd997e8e6df81abd1cb997d93ab8da60

MD5 hash:

821954255d4088ee4a72247f19580cc4

SHA1 hash:

6c39b6101b30c0fa9f36692284cbfc9f32d650cc

Detections:

VidarStealer

win_vidar_auto

Link:

https://www.unpac.me/results/783019c1-b1e4-4457-a86f-dbb82c2ccfed/

Parent samples :

b3fb5417f369f276a7db43531dabc38241f6fb329bcec6b26f1d9ccd1f817c22
ee5cd7f14bf98534291bdb1b34d1424bebb1fbc27e01915ff15e928dc9ea73f6
8ecbe3f78c01ca3ddb3cd79498d97441c9f08cc3c2d2416546aee250ff84877e
bb5938ca20203ecde3fc65a31025801a1c136b90c76d7816edcb58db733ca3ed
455e9b43d3df1c83df5182936603a66d04658d6d1cb3098e9676978549e926fa

SH256 hash:

f6ca8a05cff95a69b812d60bb66b7b262a509e06b44136ee2cc7ea58dbebeae1

MD5 hash:

4c543a3c34cdd41c71f7a98352f13609

SHA1 hash:

1f29c220f002a7bfe856794a0639e4d317c31d96

Link:

https://www.unpac.me/results/783019c1-b1e4-4457-a86f-dbb82c2ccfed/

SH256 hash:

455e9b43d3df1c83df5182936603a66d04658d6d1cb3098e9676978549e926fa

MD5 hash:

6e9fc0f558f043f31e85559a39595da6

SHA1 hash:

d4b07eec24e7559e499866850dacf4bc39e23969

Link:

https://www.unpac.me/results/783019c1-b1e4-4457-a86f-dbb82c2ccfed/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/455e9b43d3df1c83df5182936603a66d04658d6d1cb3098e9676978549e926fa

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/315351/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample