MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4c98097c2e234a8cb19327c9ddaa9b8c8669dd0f0a95fd71912282e6f0cf50d5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4c98097c2e234a8cb19327c9ddaa9b8c8669dd0f0a95fd71912282e6f0cf50d5
SHA3-384 hash: 6c9b0fcb47534ff74464cbe00871aa339b864087fcf00dae42b30fc0aa9d4c0d41fc15c358b879d23cfa5eb9f2af67af
SHA1 hash: 589cc7eaefd6536965fa3f1989317192d65b1c86
MD5 hash: fbe17f374e5e1cd86a2e83c00215f502
humanhash: jig-paris-cup-july
File name:Hwid Spoofer free.exe
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:807'424 bytes
First seen:2023-01-05 08:38:08 UTC
Last seen:2023-01-05 10:33:55 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 347f5c87243da517983cf28ef9192dbe (3 x RedLineStealer, 1 x RecordBreaker, 1 x ArkeiStealer)
ssdeep 12288:xwPa0OH9rWyBw+qtoGqU17NqHRpgKNgWw5wcYDGa6:xwPa069rWyBw+DcqHfNgJwN6a
Threatray 299 similar samples on MalwareBazaar
TLSH T197056C1BFA23D0B7D3938AB0F439937D756AB5702C22481B5F80A5B82DF05821D69F67
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:ArkeiStealer exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
202
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
vidar
Create hunting rule
ID:
1
File name:
Hwid Spoofer free.exe
Verdict:
Malicious activity
Analysis date:
2023-01-05 08:39:08 UTC
Tags:
trojan stealer vidar
Link:
https://app.any.run/tasks/00e8d742-33de-4d32-8b76-54ec5fa1ce88

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/349587/
Detection(s):
SecuriteInfo.com.Variant.Lazy.281944.21437.19439.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a process from a recently created file
Running batch commands
Creating a process with a hidden window
Searching for the window
Launching a process
Sending a custom TCP request
Сreating synchronization primitives
DNS request
Sending an HTTP GET request
Creating a file
Reading critical registry keys
Using the Windows Management Instrumentation requests
Creating a window
Stealing user critical data
Unauthorized injection to a recently created process
Unauthorized injection to a system process
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
anti-vm greyware
Link:
https://www.filescan.io/uploads/63b68ca7bf1064ac5b2db85f/reports/6c5c5971-993d-4b81-bed2-80538beedcfe/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Arkei Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b11e3170-305d-489c-9d11-77fa3f58aefe
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1145524
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 778256 Sample: Hwid Spoofer free.exe Startdate: 05/01/2023 Architecture: WINDOWS Score: 100 55 Multi AV Scanner detection for domain / URL 2->55 57 Antivirus detection for URL or domain 2->57 59 Antivirus detection for dropped file 2->59 61 6 other signatures 2->61 9 Hwid Spoofer free.exe 1 2->9         started        process3 signatures4 71 Writes to foreign memory regions 9->71 73 Allocates memory in foreign processes 9->73 75 Injects a PE file into a foreign processes 9->75 12 AppLaunch.exe 23 9->12         started        17 conhost.exe 9->17         started        process5 dnsIp6 49 t.me 149.154.167.99, 443, 49696 TELEGRAMRU United Kingdom 12->49 51 dl.uploadgram.me 92.222.250.82, 443, 49698, 49699 OVHFR France 12->51 53 94.130.190.48, 49697, 80 HETZNER-ASDE Germany 12->53 37 C:\Users\user\AppData\...\Starter[1].exe, PE32 12->37 dropped 39 C:\Users\user\AppData\...\635965506[1].exe, PE32+ 12->39 dropped 41 C:\ProgramData\98673096851854322781.exe, PE32+ 12->41 dropped 43 C:\ProgramData\71808983024973162305.exe, PE32 12->43 dropped 77 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 12->77 79 Tries to harvest and steal browser information (history, passwords, etc) 12->79 81 Tries to steal Crypto Currency Wallets 12->81 19 98673096851854322781.exe 12->19         started        23 71808983024973162305.exe 2 12->23         started        25 cmd.exe 1 12->25         started        file7 signatures8 process9 dnsIp10 45 youtube-ui.l.google.com 142.250.180.174, 443, 49700 GOOGLEUS United States 19->45 47 www.youtube.com 19->47 63 Antivirus detection for dropped file 19->63 65 Multi AV Scanner detection for dropped file 19->65 67 Tries to harvest and steal browser information (history, passwords, etc) 19->67 27 cmd.exe 1 19->27         started        69 Machine Learning detection for dropped file 23->69 29 conhost.exe 25->29         started        31 timeout.exe 1 25->31         started        signatures11 process12 process13 33 conhost.exe 27->33         started        35 choice.exe 1 27->35         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4c98097c2e234a8cb19327c9ddaa9b8c8669dd0f0a95fd71912282e6f0cf50d5/
Threat name:
Win32.Trojan.RedLine
Create hunting rule
Status:
Malicious
First seen:
2023-01-05 09:01:48 UTC
File Type:
PE (Exe)
AV detection:
22 of 41 (53.66%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jsmas7boenfizmmte7e53ku3rsdgtxipbkk724mrekbon4gpkdkq._file
Verdict:
malicious
Similar samples:
0278ab4f0298aa6e8066c14cf2b0063a09ac96e8bac365ddf192092dc17b42af
ArkeiStealer
226ed812358dd933659606de6a4c7effa16b4eb2c2003b9125a76097f36a7637
ArkeiStealer
3e84d664aa9fa55735c98f2e91c58b9bdb6630014b151fb69b23da124912d369
ArkeiStealer
656f5c1e8367a0b6e34dbf8e5740be127b4ffaa74a22a2164fcd68eff45580ff
ArkeiStealer
6ad67b7dd47d2e625f7a143be485695dd20648a2363bd91ac079556624712354
ArkeiStealer
6dc10241f07d88ce686151f7c47c4e7ed0b182e5e221cdd3ed24af496a691af8
ArkeiStealer
a4c937e097e508320240bae01e9b909e0659c1fb3dd4e387d6a6109e33e59231
ArkeiStealer
c035175a412100bdd59753f1bb7fb311513affdd095beeb7c8d10e68788d03f2
ArkeiStealer
c3ac86b3dfaed540a466f230e12c3f12c56e10755b6d5d195001ca5523d80fa4
ArkeiStealer
+ 289 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar botnet:408 spyware stealer
Link:
https://tria.ge/reports/230105-kkanxabd74/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Vidar
Malware Config
C2 Extraction:
https://t.me/year2023start
https://steamcommunity.com/profiles/76561199467421923
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/ddebdb23-e6ad-4e15-8e04-947330e944bf
Unpacked files
SH256 hash:
0778974768405572c42025c6924b2a15b87ef9296e8819cdd6cbb5b7094190e2
MD5 hash:
bf183c361969c187e38249b23d942655
SHA1 hash:
99d043cff00f0aafc6a59bcb9814e1da81e19c4c
Link:
https://www.unpac.me/results/c383f378-c7ef-4bbe-ae67-eb91be72b43c/
SH256 hash:
4c98097c2e234a8cb19327c9ddaa9b8c8669dd0f0a95fd71912282e6f0cf50d5
MD5 hash:
fbe17f374e5e1cd86a2e83c00215f502
SHA1 hash:
589cc7eaefd6536965fa3f1989317192d65b1c86
Link:
https://www.unpac.me/results/c383f378-c7ef-4bbe-ae67-eb91be72b43c/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/4c98097c2e23/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4c98097c2e234a8cb19327c9ddaa9b8c8669dd0f0a95fd71912282e6f0cf50d5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AppLaunch
Create hunting rule
Author:iam-py-test
Description:Detect files referencing .Net AppLaunch.exe
Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:grakate_stealer_nov_2021
Create hunting rule
Rule name:Telegram_Links
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/349587/

Comments