MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 45ad5f55b0a34bc634015430dc080cdc2052636df0ab4cc6d0ab539c533c2c90. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 15


Intelligence 15 IOCs YARA 6 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 45ad5f55b0a34bc634015430dc080cdc2052636df0ab4cc6d0ab539c533c2c90
SHA3-384 hash: 27b420b2a6b7d334c41785d23333c374814f9312c30dbb3c817ee37eec209d5f4e5b9365e6e745c86bd6c384449a0dfb
SHA1 hash: bca68ee54ba6be03a0a8bf1de6f7f3aa7e0f90a6
MD5 hash: 108d02f1be013a326af3975ed37bb623
humanhash: london-golf-pasta-island
File name:108d02f1be013a326af3975ed37bb623
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:791'040 bytes
First seen:2023-07-24 19:07:53 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 7d594973434539b63f110ff65422442a (2 x ArkeiStealer)
ssdeep 24576:IRu16WYdRNDl0Et8uEXE6dl5H92r5HAMNY:oVNDl0Et8uEXE6ds1HAM
Threatray 61 similar samples on MalwareBazaar
TLSH T173F4821892306E2AC0C31FB07DBA936E41D42568E31DCEE65A7DDCB5F6EC8436D025DA
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter zbetcheckin
Tags:32 ArkeiStealer exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
372
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
arkei
Create hunting rule
ID:
1
File name:
108d02f1be013a326af3975ed37bb623
Verdict:
Malicious activity
Analysis date:
2023-07-24 21:11:06 UTC
Tags:
arkei
Link:
https://app.any.run/tasks/08ee84d5-3b2f-4271-b602-873b6e9a3848

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Vidar
Create hunting rule
Link:
https://www.capesandbox.com/analysis/431811/
Detection(s):
SecuriteInfo.com.W32.Agent.GHQ.gen.Eldorado.10193.27557.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Reading critical registry keys
Using the Windows Management Instrumentation requests
Creating a window
Stealing user critical data
Sending an HTTP GET request to an infection source
Verdict:
No Threat
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm control greyware lolbin
Link:
https://www.filescan.io/uploads/64becc13bf0894a95b703094/reports/5e85f47c-3de6-47f0-8fdb-bf3b3754461e/overview
Verdict:
Malicious
Labled as:
Win/grayware_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/45ad5f55b0a34bc634015430dc080cdc2052636df0ab4cc6d0ab539c533c2c90
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/66e65970-71bf-400d-8166-aca447e863df
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1278632
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Searches for specific processes (likely to inject)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/45ad5f55b0a34bc634015430dc080cdc2052636df0ab4cc6d0ab539c533c2c90/
Threat name:
Win32.Trojan.Cryware
Create hunting rule
Status:
Malicious
First seen:
2023-07-24 19:08:05 UTC
File Type:
PE (Exe)
AV detection:
22 of 25 (88.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=iwwv6vnqunf4mnabkqynycam3qqfey3n6cvuzrwqvnjzyuz4fsia._file
Verdict:
malicious
Similar samples:
06d7fc6483226e59a06dd737791d965778c8317a5ed4d88ea5f1d418d05735b6
ArkeiStealer
1bb689e95fd5ed5f70fd3ac60cf28d7aace52fea6b1bacc0a257e19cbf50a71d
ArkeiStealer
2666bc8583d2fb41a96376ab46c4b96ddc676e4187ca510b977740a5fa8a4fe0
ArkeiStealer
6bacfc828a2cef4c0cb83eecc9e1bdfa8b32c0072a95a23734e1b8fd18655ade
ArkeiStealer
81180c513c6393c2308f7fb8a156c5b1e4a263e9b4b63a294140fc49ff4cfcc6
ArkeiStealer
8744d8ea9cecc91941cfe8161a647fd4af3c77f5045c46b21ab07689a3d349f1
ArkeiStealer
a4b3953a8fdbee6fccaa3c25847c3da85e78d33377e73e6bebe3fe9d00a4de84
ArkeiStealer
ac3e72d085e062564ec329377615d7188683c24e4e6744c75eb5be82eb91e132
ArkeiStealer
ad79e6cc3eed9f54ebf354168ba2328b25b0a9cb73e495488a53882d088c83ff
ArkeiStealer
b644ed105b1208ac7d25de367523aec04f53c18c68d7e389d892a0930cba860b
ArkeiStealer
+ 51 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar botnet:https://t.me/dastantim discovery spyware stealer
Link:
https://tria.ge/reports/230724-xs7ptshc3s/
Behaviour
Checks processor information in registry
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Program crash
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Malware Config
C2 Extraction:
https://t.me/dastantim
https://steamcommunity.com/profiles/76561199529242058
Unpacked files
SH256 hash:
45ad5f55b0a34bc634015430dc080cdc2052636df0ab4cc6d0ab539c533c2c90
MD5 hash:
108d02f1be013a326af3975ed37bb623
SHA1 hash:
bca68ee54ba6be03a0a8bf1de6f7f3aa7e0f90a6
Link:
https://www.unpac.me/results/d95e1a68-6826-49e6-849b-08a7709b8428/
Malware family:
Vidar.A
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/45ad5f55b0a3/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/45ad5f55b0a34bc634015430dc080cdc2052636df0ab4cc6d0ab539c533c2c90

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:grakate_stealer_nov_2021
Create hunting rule
Rule name:has_telegram_urls
Create hunting rule
Author:Aaron DeVera<aaron@backchannel.re>
Description:Detects Telegram URLs
Rule name:INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
Create hunting rule
Author:ditekSHen
Description:Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.
Rule name:INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
Author:ditekSHen
Description:Detects Windows executables referencing non-Windows User-Agents
Rule name:Telegram_Links
Create hunting rule
Rule name:Vidar
Create hunting rule
Author:kevoreilly,rony
Description:Vidar Payload

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ArkeiStealer

Executable exe 45ad5f55b0a34bc634015430dc080cdc2052636df0ab4cc6d0ab539c533c2c90

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2689124/
Cape
Cape
https://www.capesandbox.com/analysis/431811/

Comments


Avatar
zbet commented on 2023-07-24 19:07:54 UTC

url : hxxp://5.42.92.67/lend/build.exe