MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4997b19ed2d5a3e06598efc01500219a1d858eb48d79b7c867842e73466ba376. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ArkeiStealer

Vendor detections: 16

Intelligence 16 IOCs YARA 7 File information Comments

SHA256 hash:	4997b19ed2d5a3e06598efc01500219a1d858eb48d79b7c867842e73466ba376
SHA3-384 hash:	0996970b798e0c5bf03bb57a29cfe0e74e332525c1e4c8086662e7d32b7979140e4c1a4d764d78961b215b979d3028ab
SHA1 hash:	c3fa9c1c65a6c44cc152315ba70e59a9062b9935
MD5 hash:	781b0834307644f14046dd52d715ce37
humanhash:	quebec-london-cold-fish
File name:	781b0834307644f14046dd52d715ce37.exe
Download:	download sample
Signature	ArkeiStealer Create hunting rule
File size:	443'904 bytes
First seen:	2023-06-28 06:12:53 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	4cb73e7166b3b7d1d1133e9f0d5a861b (1 x RedLineStealer, 1 x ArkeiStealer, 1 x GCleaner)
ssdeep	6144:vS2xgTTGqGioxIqQVhn7rIY8DJ4kXh1JS3/NrLtYGFpjcCmLTUI:v7OTGlTK7jrKJlXhzSBLtYCwf3
Threatray	2'126 similar samples on MalwareBazaar
TLSH	T17F948C3392B13C54E9268B32CE1EC6E87F5EF6538E6D77662218AA5F05B01B2D173710
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	0161210901210901 (1 x ArkeiStealer)
Reporter	abuse_ch
Tags:	ArkeiStealer exe

Intelligence

File Origin

# of uploads :

# of downloads :

288

Origin country :

Vendor Threat Intelligence

Malware family:

arkei

ID:

File name:

781b0834307644f14046dd52d715ce37.exe

Verdict:

Malicious activity

Analysis date:

2023-06-28 06:13:49 UTC

Tags:

stealer arkei vidar

Link:

https://app.any.run/tasks/8a5f48ad-0567-47d5-943c-eab5a866a594

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Vidar

Link:

https://www.capesandbox.com/analysis/403392/

Detection(s):

SecuriteInfo.com.Win32.CrypterX-gen.24535.24300.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

DNS request

Sending a custom TCP request

Sending an HTTP GET request

Creating a file

Reading critical registry keys

Using the Windows Management Instrumentation requests

Creating a window

Running batch commands

Creating a process with a hidden window

Launching a process

Launching the default Windows debugger (dwwin.exe)

Searching for the window

Stealing user critical data

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/649bcf71f4ab9b52f3dc03b7/reports/3fffcada-eee3-40ff-b9c4-c605626da3bb/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/4997b19ed2d5a3e06598efc01500219a1d858eb48d79b7c867842e73466ba376

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/75387a9d-3bf0-43ca-8f1f-f313ab60a397

Result

Threat name:

Vidar

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1262454

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Connects to many ports of the same IP (likely port scanning)

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Searches for specific processes (likely to inject)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Crypto Currency Wallets

Uses known network protocols on non-standard ports

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/4997b19ed2d5a3e06598efc01500219a1d858eb48d79b7c867842e73466ba376/

Threat name:

Win32.Trojan.Gcleaner

Status:

Malicious

First seen:

2023-06-27 18:12:35 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

26 of 35 (74.29%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=jgl3dhws2wr6azmy57abkabbtioyldvurv43psdhqqxhgrtlun3a._file

Verdict:

malicious

ArkeiStealer

5457285bf50fb555f651ddc0fcd19174bcdef1eb6356ea7c5872dc1a5847dd11

ArkeiStealer

6b209f87abd2ba2ac812bce1ab1c9738b2ca93626bbd6cac56de7a6dcbaa49b7

ArkeiStealer

6f015d2ecc877fdc3d3afec3e0172b3d1c01f5a0a723c7c66780bb2ce6ef5290

ArkeiStealer

87f58956937f84708706f515675d0b48125ace13ede701886e433cc8b336720d

ArkeiStealer

8bcef7f2318c046a3e75cd30dc002ebbf60d55c669a73e861c2bf1bb76dc9010

ArkeiStealer

9d314f7bb979238d429d772e28d7a679fd4391db5d3581666a7f4207061be785

ArkeiStealer

a0038a7651f4408728f4a8c7a2abe43b237fc9dc6645fa34e5c4d9c212658878

ArkeiStealer

c62d6a8f03122f152f75051babb0a9ad178223ae33a2205caf5675f29cf3cef3

ArkeiStealer

cd621988496f0c54d5e56cc9d0f1fd944c82dcab5eb66b294e456b85a962aaad

ArkeiStealer

+ 2'116 additional samples on MalwareBazaar

Result

Malware family:

vidar

Score:

10/10

Tags:

family:vidar botnet:12403f3562ffd49d3a3d2ce5d201f221 discovery spyware stealer

Link:

https://tria.ge/reports/230628-gyrb2agd95/

Behaviour

Checks processor information in registry

Delays execution with timeout.exe

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Accesses 2FA software files, possible credential harvesting

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Checks computer location settings

Deletes itself

Loads dropped DLL

Reads user/profile data of web browsers

Vidar

Malware Config

C2 Extraction:

https://steamcommunity.com/profiles/76561199520592470
https://t.me/motafan

Unpacked files

SH256 hash:

b207d230e4b63dba0a34d800407d89585a062c02c5c31286aa295f69043350c2

MD5 hash:

fc1ba0544b94b6e6f1188ac272048973

SHA1 hash:

dc2676ed2814ee4f1c353e9e9661f5db6f6c4330

Link:

https://www.unpac.me/results/380c199c-c055-447f-ab9b-12b6040a517b/

SH256 hash:

74be00ada04859fb74e9be352547c2b04630697a53bb1fb6feeaeb69b888e2ca

MD5 hash:

fb5a75ea2dce249f92ffb82ae9755097

SHA1 hash:

2b5feaeb189e2cf4344d240d6a5b4e5d1f83c706

Detections:

VidarStealer

Link:

https://www.unpac.me/results/380c199c-c055-447f-ab9b-12b6040a517b/

Parent samples :

4997b19ed2d5a3e06598efc01500219a1d858eb48d79b7c867842e73466ba376
d2349196b611e963c2099768c35e7b9de02436e1bccfe1b49d8311c41cd1ef55

SH256 hash:

b207d230e4b63dba0a34d800407d89585a062c02c5c31286aa295f69043350c2

MD5 hash:

fc1ba0544b94b6e6f1188ac272048973

SHA1 hash:

dc2676ed2814ee4f1c353e9e9661f5db6f6c4330

Link:

https://www.unpac.me/results/380c199c-c055-447f-ab9b-12b6040a517b/

SH256 hash:

74be00ada04859fb74e9be352547c2b04630697a53bb1fb6feeaeb69b888e2ca

MD5 hash:

fb5a75ea2dce249f92ffb82ae9755097

SHA1 hash:

2b5feaeb189e2cf4344d240d6a5b4e5d1f83c706

Detections:

VidarStealer

Link:

https://www.unpac.me/results/380c199c-c055-447f-ab9b-12b6040a517b/

Parent samples :

4997b19ed2d5a3e06598efc01500219a1d858eb48d79b7c867842e73466ba376
d2349196b611e963c2099768c35e7b9de02436e1bccfe1b49d8311c41cd1ef55

SH256 hash:

4997b19ed2d5a3e06598efc01500219a1d858eb48d79b7c867842e73466ba376

MD5 hash:

781b0834307644f14046dd52d715ce37

SHA1 hash:

c3fa9c1c65a6c44cc152315ba70e59a9062b9935

Link:

https://www.unpac.me/results/380c199c-c055-447f-ab9b-12b6040a517b/

Malware family:

Vidar.A

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/4997b19ed2d5/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/4997b19ed2d5a3e06598efc01500219a1d858eb48d79b7c867842e73466ba376

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	has_telegram_urls Create hunting rule
Author:	Aaron DeVera<aaron@backchannel.re>
Description:	Detects Telegram URLs

Rule name:	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA Create hunting rule
Author:	ditekSHen
Description:	Detects Windows executables referencing non-Windows User-Agents

Rule name:	PE_Potentially_Signed_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	Telegram_Links Create hunting rule

Rule name:	Vidar Create hunting rule
Author:	kevoreilly,rony
Description:	Vidar Payload

Rule name:	Windows_Trojan_Smokeloader_3687686f Create hunting rule
Author:	Elastic Security

Rule name:	win_vidar Create hunting rule
Author:	Matthew @ Embee_Research
Description:	Detection of Vidar Stealer and Variants via strings present in final unpacked payloads