MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4b6df8f781da883c897102059bc10531355239bc32cc019e587a0d4fd7333c9f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 13


Intelligence 13 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4b6df8f781da883c897102059bc10531355239bc32cc019e587a0d4fd7333c9f
SHA3-384 hash: 5adf426415fee625c0a853fd90cfe617278695abf5d70ade0390647439d667f49006f9076d38fa22cd2ccf0b8c379d76
SHA1 hash: d002656e5f067acd18ac9be209fc5335b81025ea
MD5 hash: 58f2bf15e9c4064ff73292ef29d394c0
humanhash: single-monkey-march-coffee
File name:library_2
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:364'544 bytes
First seen:2022-10-28 10:24:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 5152ddfb3332deb6fb4acc619da01e5a (9 x Amadey, 5 x Smoke Loader, 4 x Tofsee)
ssdeep 6144:5BHYHSL21jejKu3y2FntMsI7Z64SkXMkASqA6w6j:5B4HS6FeeuCEntJI7Zjb8jSAj
Threatray 820 similar samples on MalwareBazaar
TLSH T14E74D0717641C872C48D1534882ACFF0197EAC3519684AB7B394F76EBEB1281ADB631F
TrID 40.3% (.EXE) Win64 Executable (generic) (10523/12/4)
19.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
17.2% (.EXE) Win32 Executable (generic) (4505/5/1)
7.7% (.EXE) OS/2 Executable (generic) (2029/13)
7.6% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):PE icon
dhash icon 480c1c4c4f590b14 (113 x Smoke Loader, 92 x RedLineStealer, 83 x Amadey)
Reporter JAMESWT_WT
Tags:ArkeiStealer exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
290
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2022-10-28 10:14:51 UTC
Tags:
installer loader opendir
Link:
https://app.any.run/tasks/780127f9-98a5-49d6-b4fc-eee1c742c0b4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Vidar
Create hunting rule
Link:
https://www.capesandbox.com/analysis/325493/
Detection(s):
Win.Dropper.Tofsee-9976122-0
Create hunting rule

Win.Packed.Pwsx-9976136-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Reading critical registry keys
Creating a window
Searching for synchronization primitives
Running batch commands
Creating a process with a hidden window
Launching the default Windows debugger (dwwin.exe)
Launching a process
Stealing user critical data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/635badff791bb7e48afdb953/reports/c442ce0a-d498-4b04-bdd4-51e5723e577d/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/18a11db5-eb16-4273-a341-c718fe7f68f1
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1100318
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Self deletion via cmd or bat file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 732979 Sample: library_2.exe Startdate: 28/10/2022 Architecture: WINDOWS Score: 100 64 Malicious sample detected (through community Yara rule) 2->64 66 Antivirus detection for URL or domain 2->66 68 Multi AV Scanner detection for dropped file 2->68 70 5 other signatures 2->70 9 library_2.exe 20 2->9         started        14 BebroBot.exe 2 2->14         started        16 BebroBot.exe 1 2->16         started        process3 dnsIp4 56 t.me 149.154.167.99, 443, 49696 TELEGRAMRU United Kingdom 9->56 58 45.15.156.60, 49698, 80 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 9->58 60 49.12.196.69, 49697, 80 HETZNER-ASDE Germany 9->60 44 C:\Users\user\AppData\...\qwe22zdlAq[1].exe, PE32 9->44 dropped 46 C:\ProgramData\sqlite3.dll, PE32 9->46 dropped 48 C:\ProgramData\83048432076046969424.exe, PE32 9->48 dropped 82 Detected unpacking (changes PE section rights) 9->82 84 Detected unpacking (overwrites its own PE header) 9->84 86 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 9->86 88 3 other signatures 9->88 18 83048432076046969424.exe 9->18         started        21 cmd.exe 1 9->21         started        23 conhost.exe 14->23         started        25 conhost.exe 16->25         started        file5 signatures6 process7 signatures8 72 Multi AV Scanner detection for dropped file 18->72 74 Machine Learning detection for dropped file 18->74 76 Writes to foreign memory regions 18->76 78 2 other signatures 18->78 27 RegSvcs.exe 1 1 18->27         started        32 conhost.exe 21->32         started        34 timeout.exe 1 21->34         started        process9 dnsIp10 62 79.137.196.121, 1488, 49699 PSKSET-ASRU Russian Federation 27->62 50 C:\Users\user\AppData\...\BebroBot.exe, PE32 27->50 dropped 90 Injects a PE file into a foreign processes 27->90 36 RegSvcs.exe 27->36         started        file11 signatures12 process13 signatures14 80 Injects a PE file into a foreign processes 36->80 39 RegSvcs.exe 12 36->39         started        42 RegSvcs.exe 36->42         started        process15 dnsIp16 52 172.86.121.106, 80 NETRANGEUS United States 39->52 54 192.168.2.1 unknown unknown 39->54
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4b6df8f781da883c897102059bc10531355239bc32cc019e587a0d4fd7333c9f/
Threat name:
Win32.Trojan.Raccoon
Create hunting rule
Status:
Malicious
First seen:
2022-10-28 11:24:42 UTC
File Type:
PE (Exe)
Extracted files:
30
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jnw7r54b3kedzclraiczxqifge2veon4glgadhsypigu7vzthspq._file
Verdict:
malicious
Similar samples:
02f44f1826304f79afc04b8e3271530d799d8d805ea0501620152d7a1c70a502
ArkeiStealer
11a3fde6fbce94c261cc8785856d132eccd5239e95a9129c2ba404cad58bbd96
ArkeiStealer
53b9574dfc4abdd1b4ce4a65220e0a202cc4113a0d6dc0301f921dd9000e70fe
ArkeiStealer
b40106ff8758aafebd4a521af40467b1693537bce239bea4b07deac8ea925f93
ArkeiStealer
cab73be3e1fcca42f723d90cc793d60e3f8029b480554e4dd255de2b1107590f
ArkeiStealer
dd56aa044bfb8c5acdc0a475b724252ea9e9d760d4bdf510e304c58aabd33e41
ArkeiStealer
+ 810 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar botnet:1636 discovery persistence spyware stealer
Link:
https://tria.ge/reports/221028-mfyahsfcf4/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Vidar
Malware Config
C2 Extraction:
https://t.me/dghzq
https://t.me/zjsqpz
https://t.me/fqwexzq
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/cd4428c2-604b-4fba-964c-0446c67b92c1
Unpacked files
SH256 hash:
655ef3379af81e01aac6040d9e8112e9e690764c6a0c7633816391722daf45a5
MD5 hash:
b9d6b334c5d61f1540fe5a0e69b15291
SHA1 hash:
1c15a469bd655112512ed7a64715d97aa2ff9087
Link:
https://www.unpac.me/results/c8680ef1-b176-4ef8-a39a-b0e629d58183/
SH256 hash:
4b6df8f781da883c897102059bc10531355239bc32cc019e587a0d4fd7333c9f
MD5 hash:
58f2bf15e9c4064ff73292ef29d394c0
SHA1 hash:
d002656e5f067acd18ac9be209fc5335b81025ea
Link:
https://www.unpac.me/results/c8680ef1-b176-4ef8-a39a-b0e629d58183/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4b6df8f781da883c897102059bc10531355239bc32cc019e587a0d4fd7333c9f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:Vidar
Create hunting rule
Author:kevoreilly,rony
Description:Vidar Payload
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security
Rule name:Windows_Trojan_Vidar_114258d5
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/325493/

Comments