MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4acab2cb128ba9c8a9f91d1f677ec1b6770b265b9d04e9efe3bf979a2327ce1a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ArkeiStealer

Vendor detections: 10

Intelligence 10 IOCs YARA 1 File information Comments

SHA256 hash:	4acab2cb128ba9c8a9f91d1f677ec1b6770b265b9d04e9efe3bf979a2327ce1a
SHA3-384 hash:	91839a6e99c34252021a2a22fdc2376396c64a8961b740852fe77eeed5ec23111e8cc4b2ba7fb759ea344e64f94bdf8d
SHA1 hash:	ea61b392af3f4699a1594dda403dbf675df8468e
MD5 hash:	3537f56d4971205e9987782b5d3b3504
humanhash:	alabama-eighteen-north-maine
File name:	SecuriteInfo.com.Variant.Jaik.72893.16950.31145
Download:	download sample
Signature	ArkeiStealer Create hunting rule
File size:	1'537'056 bytes
First seen:	2022-05-12 10:12:46 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	e069db3169b10d2de1ab388f0782438a (1 x ArkeiStealer)
ssdeep	24576:YqEI1nC67rQgzh0dmAn7na4G5ImVK2Nczo+Uh2IGXYX/npnlNj+LIvCn2ILla/bT:YgdhAgtwmAnU5jV7czoHEU/npnl0b2Iu
Threatray	4'217 similar samples on MalwareBazaar
TLSH	T1A3652325ACC084A3D2756F7BA916C9211336BDF25CF84F470A49394B1E1F1A3885FAE3
TrID	48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 16.4% (.EXE) Win64 Executable (generic) (10523/12/4) 10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	e0f4fcfcb4bcdcd0 (1 x ArkeiStealer)
Reporter	SecuriteInfoCom
Tags:	ArkeiStealer exe signed

Code Signing Certificate

Organisation:	microfocus.com
Issuer:	DigiCert TLS RSA SHA256 2020 CA1
Algorithm:	sha256WithRSAEncryption
Valid from:	2021-08-19T00:00:00Z
Valid to:	2022-09-19T23:59:59Z
Serial number:	0a49fbe23b1f7dad605c6152dbbb48e8
Intelligence:	5 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:	SHA256
Thumbprint:	7e13587d239ba502b4bffd733671c2b41e171755fcfcef847156d1be7851572c
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

250

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/270059/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a custom TCP request

Creating a window

Launching a process

Сreating synchronization primitives

DNS request

Sending an HTTP GET request

Creating a file

Reading critical registry keys

Delayed writing of the file

Stealing user critical data

Unauthorized injection to a system process

Forced shutdown of a browser

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/17338/overview

Behaviour

MalwareBazaar

SystemUptime

MeasuringTime

CheckCmdLine

EvasionQueryPerformanceCounter

EvasionGetTickCount

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware overlay packed

Link:

https://www.filescan.io/uploads/627cddbe7804b2efc491cc19/reports/2cfece7f-8bd6-4933-9d49-211a368074ff/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/0fefbc31-6dc0-4a1f-860d-24fda0cf8649

Result

Threat name:

Vidar

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/992612

Signature

Allocates memory in foreign processes

Detected unpacking (creates a PE file in dynamic memory)

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/4acab2cb128ba9c8a9f91d1f677ec1b6770b265b9d04e9efe3bf979a2327ce1a/

Threat name:

Win32.Trojan.Jaik

Status:

Malicious

First seen:

2022-05-11 15:51:28 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

19 of 26 (73.08%)

Threat level:

5/5

Verdict:

malicious

ArkeiStealer

24c19a1636d3587279d55be4fe5ff2921f8caf3698d6214fe4110bc3ca76fc16

ArkeiStealer

25d4ec4939eeded4ee26d91dc1312393c6cb42b5449a541034ad07608668e1b8

ArkeiStealer

2d4e8ec435902700a1bc97cf6f5aad79891cbb6b0f3d6582dd9937755f8432d2

ArkeiStealer

612840679bebc417813eb40902e8b29c3784c1698c79dc0e77b0141870f0e983

ArkeiStealer

+ 4'207 additional samples on MalwareBazaar

Result

Malware family:

vidar

Score:

10/10

Tags:

family:vidar botnet:1204 spyware stealer suricata

Link:

https://tria.ge/reports/220512-l83j9scaf9/

Behaviour

Checks processor information in registry

Delays execution with timeout.exe

Kills process with taskkill

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Accesses 2FA software files, possible credential harvesting

Accesses cryptocurrency files/wallets, possible credential harvesting

Loads dropped DLL

Vidar Stealer

Vidar

suricata: ET MALWARE W32/Agent.OGR!tr.pws Stealer

Malware Config

C2 Extraction:

https://t.me/verstappenf1r
https://climatejustice.social/@ronxik312

Unpacked files

SH256 hash:

9d17fb56ed689eaa49784d3b610ada68a8d75262cb6d2da2442ac3a684f37168

MD5 hash:

bb49f96fb3213b4518217e7408b255fb

SHA1 hash:

59d04742fa39446872d09ab48529b99757d208d4

Link:

https://www.unpac.me/results/78365f12-ad2a-4b42-ab1f-1f7c3f44b44a/

SH256 hash:

d60169c07621e04351ecba37b28f5dbb87408dc5c098e333761bde0d2b34376d

MD5 hash:

bf2181568788c28cec7355289418810a

SHA1 hash:

838caa154ccf05a1428101510a26aa08fe490bba

Link:

https://www.unpac.me/results/78365f12-ad2a-4b42-ab1f-1f7c3f44b44a/

SH256 hash:

70482a3066cae9aaa15b99d56cf0113b52cf9757198e053ec3c77749f65ca582

MD5 hash:

344008f4a275338b315cf81e7001c5cd

SHA1 hash:

1aad925b7ad8021da4cb4d928f584e44c01ef971

Link:

https://www.unpac.me/results/78365f12-ad2a-4b42-ab1f-1f7c3f44b44a/

SH256 hash:

4acab2cb128ba9c8a9f91d1f677ec1b6770b265b9d04e9efe3bf979a2327ce1a

MD5 hash:

3537f56d4971205e9987782b5d3b3504

SHA1 hash:

ea61b392af3f4699a1594dda403dbf675df8468e

Link:

https://www.unpac.me/results/78365f12-ad2a-4b42-ab1f-1f7c3f44b44a/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/4acab2cb128b/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/4acab2cb128ba9c8a9f91d1f677ec1b6770b265b9d04e9efe3bf979a2327ce1a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.