MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4b1338eceb20e531dca686256b82a8aa56e75aeb4b53f54d08900dd75fc0b19f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4b1338eceb20e531dca686256b82a8aa56e75aeb4b53f54d08900dd75fc0b19f
SHA3-384 hash: d968f39e9b3d595e5ba00a1f4d9ad1a23cb983003aa47691fc1be96469ab2f6fb18592d54d2d51e5697111fb7dc129bd
SHA1 hash: 0c797546a53cdec7bd6bf974e56898997c56dee6
MD5 hash: 9e19b741c3585ff124c3783b66c72b9f
humanhash: moon-delta-nuts-whiskey
File name:Setup.exe
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:962'540 bytes
First seen:2023-01-21 00:43:08 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash d7a12535e5326b3ab3692a9c853c177e (2 x RedLineStealer, 1 x ArkeiStealer)
ssdeep 12288:wJ9anahTul9o18B36z328sWM1pW9+fwpGySEznJ06jc/a7Q49ZuYKMa8y2:wGnahTul9zBqz3G/WRGybJ06waQ4L02
Threatray 1'826 similar samples on MalwareBazaar
TLSH T19B25C07FA6650046E0D78B3A4A23BD9031B6C76797CDA8BE74EF94C5170D0D3E222A17
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter Chainskilabs
Tags:ArkeiStealer exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
301
Origin country :
US US
Vendor Threat Intelligence
Malware family:
vidar
Create hunting rule
ID:
1
File name:
Setup.exe
Verdict:
Malicious activity
Analysis date:
2023-01-21 00:41:16 UTC
Tags:
trojan stealer vidar
Link:
https://app.any.run/tasks/f2dde3e0-34c9-4e3f-b64b-dfdeb7b0628e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/355204/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Reading critical registry keys
Using the Windows Management Instrumentation requests
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Stealing user critical data
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/61922/overview
Behaviour
MalwareBazaar
MeasuringTime
SystemUptime
CPUID_Instruction
EvasionQueryPerformanceCounter
EvasionGetTickCount
CheckCmdLine
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware overlay packed
Link:
https://www.filescan.io/uploads/63cb3553447edb203a0000ea/reports/4dc6dc48-8f08-4a7e-96a7-fc8901f99f49/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ffd0037d-c342-41d8-925f-830bfed8c97d
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1155999
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to compare user and computer (likely to detect sandboxes)
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 788731 Sample: Setup.exe Startdate: 21/01/2023 Architecture: WINDOWS Score: 100 55 Snort IDS alert for network traffic 2->55 57 Multi AV Scanner detection for domain / URL 2->57 59 Malicious sample detected (through community Yara rule) 2->59 61 8 other signatures 2->61 9 Setup.exe 1 2->9         started        process3 signatures4 71 Writes to foreign memory regions 9->71 73 Allocates memory in foreign processes 9->73 75 Injects a PE file into a foreign processes 9->75 12 AppLaunch.exe 23 9->12         started        17 conhost.exe 9->17         started        process5 dnsIp6 49 65.109.208.142, 49691, 80 ALABANZA-BALTUS United States 12->49 51 t.me 149.154.167.99, 443, 49690 TELEGRAMRU United Kingdom 12->51 53 dl.uploadgram.me 92.222.250.82, 443, 49692, 49693 OVHFR France 12->53 37 C:\Users\user\AppData\...\Starter[1].exe, PE32 12->37 dropped 39 C:\Users\user\AppData\...\635965506[1].exe, PE32+ 12->39 dropped 41 C:\ProgramData\52439718982046988684.exe, PE32 12->41 dropped 43 C:\ProgramData\21691895283609307172.exe, PE32+ 12->43 dropped 77 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 12->77 79 Tries to harvest and steal browser information (history, passwords, etc) 12->79 81 Tries to steal Crypto Currency Wallets 12->81 83 Contains functionality to compare user and computer (likely to detect sandboxes) 12->83 19 52439718982046988684.exe 2 12->19         started        22 21691895283609307172.exe 12->22         started        25 cmd.exe 1 12->25         started        file7 signatures8 process9 dnsIp10 63 Antivirus detection for dropped file 19->63 65 Multi AV Scanner detection for dropped file 19->65 67 Machine Learning detection for dropped file 19->67 45 youtube-ui.l.google.com 142.250.203.110, 443, 49694 GOOGLEUS United States 22->45 47 www.youtube.com 22->47 69 Tries to harvest and steal browser information (history, passwords, etc) 22->69 27 cmd.exe 1 22->27         started        29 conhost.exe 25->29         started        31 timeout.exe 1 25->31         started        signatures11 process12 process13 33 conhost.exe 27->33         started        35 choice.exe 1 27->35         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4b1338eceb20e531dca686256b82a8aa56e75aeb4b53f54d08900dd75fc0b19f/
Threat name:
Win32.Trojan.Casdet
Create hunting rule
Status:
Malicious
First seen:
2023-01-21 00:52:11 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jmjtr3hledstdxfgqyswxavivjloowxljnj7ktiisag5ox6awgpq._file
Verdict:
malicious
Similar samples:
12567de24a8dbc6c0103aa263217ad240098d7545e32546f35fd5b791b1869fa
ArkeiStealer
4b56f06c41fb17b2e445bee3e4016d3297f758cbb20b3fc280763593813242df
ArkeiStealer
4c98097c2e234a8cb19327c9ddaa9b8c8669dd0f0a95fd71912282e6f0cf50d5
ArkeiStealer
656f5c1e8367a0b6e34dbf8e5740be127b4ffaa74a22a2164fcd68eff45580ff
ArkeiStealer
68d471be0c90161c04cd1645b4cb63cef52a7ad79ecf4de62331befb19645f58
ArkeiStealer
6ad67b7dd47d2e625f7a143be485695dd20648a2363bd91ac079556624712354
ArkeiStealer
6dc10241f07d88ce686151f7c47c4e7ed0b182e5e221cdd3ed24af496a691af8
ArkeiStealer
6e3f1055521e01bd967f22fd68b48410342264b62cf7b7998a6686a2141d4d67
ArkeiStealer
8116aab7428774d74e15738db29842052c5f1a7c6bb4259026f75872c500b022
ArkeiStealer
88dbf134cd4628fc8b97cc1adf5201cae875df1fa5280b3cbc0306478161e9f4
ArkeiStealer
+ 1'816 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar botnet:408 spyware stealer
Link:
https://tria.ge/reports/230121-a3gvtsab97/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Loads dropped DLL
Vidar
Malware Config
C2 Extraction:
https://t.me/jetbim2
https://steamcommunity.com/profiles/76561199471266194
Unpacked files
SH256 hash:
7b5252f2b669af0dc8063c6db53374e5413e8979598fb72065f1913212190934
MD5 hash:
42fc7b2daea4fc15d92b5c309b07b9c1
SHA1 hash:
b1514145d1e6b60ffd45df55d54cc21460ad3a97
Link:
https://www.unpac.me/results/b100438a-07fa-4300-be56-67c5ac2d9801/
SH256 hash:
4b1338eceb20e531dca686256b82a8aa56e75aeb4b53f54d08900dd75fc0b19f
MD5 hash:
9e19b741c3585ff124c3783b66c72b9f
SHA1 hash:
0c797546a53cdec7bd6bf974e56898997c56dee6
Link:
https://www.unpac.me/results/b100438a-07fa-4300-be56-67c5ac2d9801/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/4b1338eceb20/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4b1338eceb20e531dca686256b82a8aa56e75aeb4b53f54d08900dd75fc0b19f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AppLaunch
Create hunting rule
Author:iam-py-test
Description:Detect files referencing .Net AppLaunch.exe
Rule name:Telegram_Links
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

anyrun
any.run
https://app.any.run/tasks/f2dde3e0-34c9-4e3f-b64b-dfdeb7b0628e
Cape
Cape
https://www.capesandbox.com/analysis/355204/

Comments