MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4ea3a99ae3bc0bbc4eeee90fd025c9b6a89de10a04d865928eb0f1109bdc5f92. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ArkeiStealer

Vendor detections: 13

Intelligence 13 IOCs YARA File information Comments

SHA256 hash:	4ea3a99ae3bc0bbc4eeee90fd025c9b6a89de10a04d865928eb0f1109bdc5f92
SHA3-384 hash:	702c553173631b9b840ed2cafc8c1bef8b3567580d46342af9f713b72e3068f446b5115a6d60af5c186ef66017d1ac24
SHA1 hash:	1bd82cbe38b05bfffa994e7b452d39020fccd0d1
MD5 hash:	a3b1a98e160bfa4291bcb69fb03cd795
humanhash:	early-social-william-golf
File name:	Setup.exe
Download:	download sample
Signature	ArkeiStealer Create hunting rule
File size:	392'704 bytes
First seen:	2022-12-28 08:27:47 UTC
Last seen:	2022-12-28 10:30:42 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	537b4a76cd6140a39ddb6a15925a0d1d (7 x RedLineStealer, 1 x ArkeiStealer)
ssdeep	6144:8Orem9aAKWpCwq2CcVAYsmD4sTuYGWw8F1nzbovounSQpPiv6hcWf9n3NM:8MFdCw9SU4sTcktIgQ5e4cm9
Threatray	1'107 similar samples on MalwareBazaar
TLSH	T1AC84CF07901E1623F88CEEF813D14B21A57D2965F3E588B86A1C7A1728D67F071D927F
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	abuse_ch
Tags:	ArkeiStealer exe

Intelligence

File Origin

# of uploads :

# of downloads :

199

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

vidar

ID:

File name:

Setup.exe

Verdict:

Malicious activity

Analysis date:

2022-12-28 08:30:26 UTC

Tags:

trojan stealer vidar

Link:

https://app.any.run/tasks/f8935072-340e-4685-b593-8f53094f3ef4

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Trojan.GenericKDZ.95630.1096.29032.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Launching a process

Searching for synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Сreating synchronization primitives

DNS request

Sending a custom TCP request

Sending an HTTP GET request

Creating a file

Reading critical registry keys

Using the Windows Management Instrumentation requests

Stealing user critical data

Unauthorized injection to a system process

Verdict:

No Threat

Threat level:

2/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/63abfe15a66e2eb297377e5b/reports/07137b11-199d-449f-b60f-879136dd9d56/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Arkei Stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/35eed9b0-8560-4e27-a77c-d0e50dd6242d

Result

Threat name:

Vidar

Detection:

malicious

Classification:

troj.spyw.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/1141996

Signature

Allocates memory in foreign processes

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/4ea3a99ae3bc0bbc4eeee90fd025c9b6a89de10a04d865928eb0f1109bdc5f92/

Threat name:

Win32.Trojan.RedLine

Status:

Malicious

First seen:

2022-12-28 08:28:09 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

22 of 26 (84.62%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=j2r2tgxdxqf3ytxo5eh5ajojw2uj3yikatmgleuowdyrbg64l6ja._file

Verdict:

malicious

ArkeiStealer

08c7eb81c268bbae91dedf391c1901461e786ee5cd401872100efad10812efc9

ArkeiStealer

2c993eb220436695d78783d2a6520951e4ce2b65311a96b904a063abdc088235

ArkeiStealer

33a9c4f53a214003ac5a5415db060701bc53b271a670f03167cd01bc67fcf23a

ArkeiStealer

6eaa17442216edf6c184c03e3b7468922c1b6d59fbf419f811552e2e86e0bcfe

ArkeiStealer

bacdddfabf0476948f55a43f5bda407afa2f1cd4884e973a1722e3f674cc2a94

ArkeiStealer

d7c42d1df0e957935b672b0633cf3dad39b5d8c85eec4631c62191915af02379

ArkeiStealer

+ 1'097 additional samples on MalwareBazaar

Result

Malware family:

vidar

Score:

10/10

Tags:

family:vidar botnet:1375 spyware stealer

Link:

https://tria.ge/reports/221228-kc1kcsch5w/

Behaviour

Checks processor information in registry

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of SetThreadContext

Accesses 2FA software files, possible credential harvesting

Accesses cryptocurrency files/wallets, possible credential harvesting

Loads dropped DLL

Vidar

Malware Config

C2 Extraction:

https://t.me/iseepass
https://steamcommunity.com/profiles/76561199459255837

Unpacked files

SH256 hash:

e639d4622406ee3670c490c34d3eda62cd076ace5a8789140512639aacf6a945

MD5 hash:

e4b03f20200283eb3f65b24c3676a9c6

SHA1 hash:

8702934dfebd49781e4ba6a2bc3f75f117fc2610

Link:

https://www.unpac.me/results/a398a09e-b23f-49da-83dd-addc5ea336b7/

SH256 hash:

4ea3a99ae3bc0bbc4eeee90fd025c9b6a89de10a04d865928eb0f1109bdc5f92

MD5 hash:

a3b1a98e160bfa4291bcb69fb03cd795

SHA1 hash:

1bd82cbe38b05bfffa994e7b452d39020fccd0d1

Link:

https://www.unpac.me/results/a398a09e-b23f-49da-83dd-addc5ea336b7/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/4ea3a99ae3bc/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/4ea3a99ae3bc0bbc4eeee90fd025c9b6a89de10a04d865928eb0f1109bdc5f92

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample