MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 478095690b73f317b9ff209fd4c8a80aba031dfddf84e9ff95fb5168dc8d7453. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ArkeiStealer

Vendor detections: 12

Intelligence 12 IOCs YARA 6 File information Comments

SHA256 hash:	478095690b73f317b9ff209fd4c8a80aba031dfddf84e9ff95fb5168dc8d7453
SHA3-384 hash:	856019e7e00ed967dbf9e5638b944f68144410a5f8dac8c021235ebe0f8fe89d86e2b57c8af59121f012156e1c01901b
SHA1 hash:	73cb9bed5d9a44a4adf44e18153a9666f5f1981f
MD5 hash:	d8aaeb2e34408f43b3c69046fd253b27
humanhash:	oregon-five-berlin-carolina
File name:	478095690b73f317b9ff209fd4c8a80aba031dfddf84e9ff95fb5168dc8d7453
Download:	download sample
Signature	ArkeiStealer Create hunting rule
File size:	2'705'408 bytes
First seen:	2022-06-10 07:45:28 UTC
Last seen:	2022-06-10 08:49:27 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	79b3362178937bf9559741c46bb9e035 (18 x LaplasClipper, 9 x RaccoonStealer, 8 x ArkeiStealer)
ssdeep	49152:G//Ps6auADGuowxTTq/0P/wWenXoc4GrTc/JxZVjFcsuhi5H5vFZbceMv7tfCIi4:G6CzwxbGXocLM/jKi5H5tZbchoIi
Threatray	17'298 similar samples on MalwareBazaar
TLSH	T1B9C533766304F607C99E557169FD0E47BF2D3194B4422B2FB2D84F5B2DA3682AE408B3
TrID	52.9% (.EXE) Win32 Executable (generic) (4505/5/1) 23.5% (.EXE) Generic Win/DOS Executable (2002/3) 23.5% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):
dhash icon	e4bc96b2dbfbebe6 (2 x ArkeiStealer, 1 x CoinMiner)
Reporter	crep1x
Tags:	ArkeiStealer exe vidar

Intelligence

File Origin

# of uploads :

# of downloads :

390

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

478095690b73f317b9ff209fd4c8a80aba031dfddf84e9ff95fb5168dc8d7453

Verdict:

Suspicious activity

Analysis date:

2022-06-10 09:12:15 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/e219a1c9-29d8-4e24-ab6d-ffa60f2d14a3

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Vidar

Link:

https://www.capesandbox.com/analysis/278583/

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.50383732.32765.28048.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Searching for analyzing tools

Сreating synchronization primitives

Sending an HTTP GET request

Creating a file

Reading critical registry keys

Creating a window

Stealing user critical data

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/62a2f6fec6d7350cc0121577/reports/13a80fd2-6e81-4d2e-80cd-fe33a2d81468/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/a7e3eb68-cec7-4295-b94c-65c281e3205e

Result

Threat name:

Vidar

Detection:

malicious

Classification:

phis.troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1010659

Signature

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Hides threads from debuggers

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Query firmware table information (likely to detect VMs)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to evade debugger and weak emulator (self modifying code)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Crypto Currency Wallets

Tries to steal Instant Messenger accounts or passwords

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/478095690b73f317b9ff209fd4c8a80aba031dfddf84e9ff95fb5168dc8d7453/

Threat name:

Win32.Infostealer.Bandra

Status:

Malicious

First seen:

2022-06-06 00:31:43 UTC

File Type:

PE (Exe)

Extracted files:

358

AV detection:

21 of 26 (80.77%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=i6ajk2ilopzrpop7ecp5jsfibk5aghp536cot74v7niwrxenorjq._file

Verdict:

malicious

ArkeiStealer

18f5a7d7fa2e52091504106547fc9c1e2d540ff70d75544c550765599c65be1b

ArkeiStealer

5972343370247c01cd49e0fda028bdece0507c15ec3773311ed41688da9b9e30

ArkeiStealer

5dd5eaef8d41d319b5b45be1d275139f08f59423c1326da20acdddf196a41022

ArkeiStealer

7420a4599f32e3ebcdd0faab35d5aeba791dd0a7216e851f2e22cd000576b0d4

ArkeiStealer

82a108c44defd4e43bf5bdee2bbadbf7f62870683557276b698d15845267c722

ArkeiStealer

89ec309c384717284199d66d01669738ce37d9fb445a8f7f2259dfd6ca888f5d

ArkeiStealer

e6cea0eb49c9b461c624ded82d794e9353499644a47f7975a6ab030a9f8123b8

ArkeiStealer

ffc1b9735633836ed935e403d56dd31a464f39c0814e22cb19bb3af6cd54b270

ArkeiStealer

+ 17'288 additional samples on MalwareBazaar

Result

Malware family:

vidar

Score:

10/10

Tags:

family:vidar discovery evasion spyware stealer suricata trojan

Link:

https://tria.ge/reports/220610-jlyxfsghan/

Behaviour

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of NtSetInformationThreadHideFromDebugger

Accesses 2FA software files, possible credential harvesting

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Checks whether UAC is enabled

Checks BIOS information in registry

Loads dropped DLL

Reads local data of messenger clients

Reads user/profile data of web browsers

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Vidar Stealer

Vidar

suricata: ET MALWARE W32/Agent.OGR!tr.pws Stealer

Unpacked files

SH256 hash:

055957024efbb40cb29cfd01e9038ab22a46e386cac46afb63c07bbcdc25fc82

MD5 hash:

1692d40200b7cf7eab8164369b7b6db4

SHA1 hash:

9ee95c1985954006fb25bc26d5958086d9020422

Link:

https://www.unpac.me/results/75dd910b-06af-4381-9383-d2f63ed323a5/

SH256 hash:

478095690b73f317b9ff209fd4c8a80aba031dfddf84e9ff95fb5168dc8d7453

MD5 hash:

d8aaeb2e34408f43b3c69046fd253b27

SHA1 hash:

73cb9bed5d9a44a4adf44e18153a9666f5f1981f

Link:

https://www.unpac.me/results/75dd910b-06af-4381-9383-d2f63ed323a5/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.80

Link:

https://yomi.yoroi.company/submissions/478095690b73f317b9ff209fd4c8a80aba031dfddf84e9ff95fb5168dc8d7453

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	grakate_stealer_nov_2021 Create hunting rule

Rule name:	INDICATOR_EXE_Packed_MPress Create hunting rule
Author:	ditekSHen
Description:	Detects executables built or packed with MPress PE compressor

Rule name:	INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL Create hunting rule
Author:	ditekSHen
Description:	Detects binaries and memory artifcats referencing sandbox DLLs typically observed in sandbox evasion

Rule name:	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing SQL queries to confidential data stores. Observed in infostealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing potential Windows Defender anti-emulation checks

Rule name:	Vidar Create hunting rule
Author:	kevoreilly
Description:	Vidar Payload

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/278583/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample