MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 47422edc80eb95a3fc925f32051034560e9d8c2cfe701ac18d9a2ede84edb5fb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ArkeiStealer

Vendor detections: 10

Intelligence 10 IOCs YARA File information Comments

SHA256 hash:	47422edc80eb95a3fc925f32051034560e9d8c2cfe701ac18d9a2ede84edb5fb
SHA3-384 hash:	b8f48844997bd54aa6cafeac0ae7114c2871f751bef177739cc1313d04dbe8c9fdfea001f3083f2a1fb5b3828abaad25
SHA1 hash:	4db0f6265643acb15f93e6a542bcd4bd95f41322
MD5 hash:	f26d8e8986917a4b7b747a2d46bf36d3
humanhash:	oxygen-lactose-iowa-saturn
File name:	SecuriteInfo.com.Win32.PWSX-gen.9296.19888
Download:	download sample
Signature	ArkeiStealer Create hunting rule
File size:	406'664 bytes
First seen:	2022-11-29 09:37:07 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	ca1295f13fd2c4ffbe6149bbb89cff34 (1 x ArkeiStealer)
ssdeep	6144:0veonJUylJoJn31HvrsOYLQs28wqmFqVkc7oZFNRgUoCoOcjxFEH:0P6Jx1HvrsO28dqhh1FE
Threatray	1'176 similar samples on MalwareBazaar
TLSH	T19C84BDA7D5A48B0AE9FD54344488250E2528B3CD143218F1FAAB9EE9139D39DDD837FC
TrID	40.3% (.EXE) Win64 Executable (generic) (10523/12/4) 19.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 17.2% (.EXE) Win32 Executable (generic) (4505/5/1) 7.7% (.EXE) OS/2 Executable (generic) (2029/13) 7.6% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):
dhash icon	90c8889532224b54 (1 x ArkeiStealer)
Reporter	SecuriteInfoCom
Tags:	ArkeiStealer exe

Intelligence

File Origin

# of uploads :

# of downloads :

218

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

vidar

ID:

File name:

SecuriteInfo.com.Win32.PWSX-gen.9296.19888

Verdict:

Malicious activity

Analysis date:

2022-11-29 09:41:40 UTC

Tags:

trojan stealer vidar

Link:

https://app.any.run/tasks/666a868c-05c4-4411-941e-17d50b17bdfc

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/339715/

Detection(s):

SecuriteInfo.com.Win32.PWSX-gen.9296.19888.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file

Reading critical registry keys

Creating a window

Running batch commands

Creating a process with a hidden window

Launching a process

Searching for the window

Сreating synchronization primitives

DNS request

Sending a custom TCP request

Sending an HTTP GET request

Stealing user critical data

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

anti-vm overlay packed

Link:

https://www.filescan.io/uploads/6385d2fe00c584752ee26fb9/reports/a1a3a939-c92c-4279-a0dd-861a5240f400/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/c3953f46-42d7-4b68-9ca4-bd5a6bd7224a

Result

Threat name:

Vidar

Detection:

malicious

Classification:

troj.spyw

Score:

84 / 100

Link:

https://www.joesandbox.com/analysis/1123222

Signature

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Self deletion via cmd or bat file

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/47422edc80eb95a3fc925f32051034560e9d8c2cfe701ac18d9a2ede84edb5fb/

Threat name:

Win32.Infostealer.Bandra

Status:

Malicious

First seen:

2022-11-29 02:15:11 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

15 of 24 (62.50%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=i5bc5xea5ok2h7esl4zakebukyhj3dbm7zybvqmntixn5bhnwx5q._file

Verdict:

malicious

ArkeiStealer

08c7eb81c268bbae91dedf391c1901461e786ee5cd401872100efad10812efc9

ArkeiStealer

2c993eb220436695d78783d2a6520951e4ce2b65311a96b904a063abdc088235

ArkeiStealer

6eaa17442216edf6c184c03e3b7468922c1b6d59fbf419f811552e2e86e0bcfe

ArkeiStealer

90e453d7ffc1f80ae55e826e424eedbb56038650bb9d72ac729d62ad828dfee3

ArkeiStealer

d7c42d1df0e957935b672b0633cf3dad39b5d8c85eec4631c62191915af02379

ArkeiStealer

faf9fafa302622d32b46956c7ff81da78773366c0e120936a61ceea4c489c5b8

ArkeiStealer

+ 1'166 additional samples on MalwareBazaar

Result

Malware family:

vidar

Score:

10/10

Tags:

family:vidar botnet:1204 discovery spyware stealer

Link:

https://tria.ge/reports/221129-ll3azsga47/

Behaviour

Checks processor information in registry

Delays execution with timeout.exe

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Accesses 2FA software files, possible credential harvesting

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Checks computer location settings

Deletes itself

Loads dropped DLL

Reads user/profile data of web browsers

Vidar

Malware Config

C2 Extraction:

https://t.me/headshotsonly
https://steamcommunity.com/profiles/76561199436777531

Unpacked files

SH256 hash:

47422edc80eb95a3fc925f32051034560e9d8c2cfe701ac18d9a2ede84edb5fb

MD5 hash:

f26d8e8986917a4b7b747a2d46bf36d3

SHA1 hash:

4db0f6265643acb15f93e6a542bcd4bd95f41322

Link:

https://www.unpac.me/results/52b5df6c-6c6a-4963-a256-80383b0aee9b/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/47422edc80eb/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/47422edc80eb95a3fc925f32051034560e9d8c2cfe701ac18d9a2ede84edb5fb

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ArkeiStealer

exe 47422edc80eb95a3fc925f32051034560e9d8c2cfe701ac18d9a2ede84edb5fb

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/2437775/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/339715/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample