MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 516aa64dfe0713af8c6f1953c075d7e84d191a7a9a0f3d3a99a3f80f1f04c01e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ArkeiStealer

Vendor detections: 9

Intelligence 9 IOCs YARA 3 File information Comments

SHA256 hash:	516aa64dfe0713af8c6f1953c075d7e84d191a7a9a0f3d3a99a3f80f1f04c01e
SHA3-384 hash:	dd9e66a87b5c4ed7e89ec172a8927c376f927002e2714c8164c3275a0f2b6aebbca3a0e82401bc2b4466d540a3b571a6
SHA1 hash:	2f196ca8a739abe62f13b16686dc19806a61fb06
MD5 hash:	ce995c064a4bc23d5db006d6f3a16a5d
humanhash:	muppet-cat-oranges-arizona
File name:	RSX.exe
Download:	download sample
Signature	ArkeiStealer Create hunting rule
File size:	2'694'744 bytes
First seen:	2022-05-09 18:25:56 UTC
Last seen:	2022-05-09 18:35:29 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	49152:KWlrMyVFZEBO6JgGybxwRT+nwGNpGpNHAlhLLSde5JjPxenN+IwjjKCnLg3GTtHa:K5Y5WoxwRilpGDgjLSISymCLg3GZ1X2F
Threatray	3'881 similar samples on MalwareBazaar
TLSH	T1FCC54A20F694DD41E0AE7736DBE651A18BB2B8D52EB1CB4CE34A76D114226132E0F71F
TrID	69.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 9.9% (.EXE) Win64 Executable (generic) (10523/12/4) 6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.7% (.EXE) Win16 NE executable (generic) (5038/12/1) 4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	92b29c8e8eb2869e (2 x AgentTesla, 1 x NetWire, 1 x ArkeiStealer)
Reporter	malwarelabnet
Tags:	ArkeiStealer exe signed vidar

Code Signing Certificate

Organisation:	asfgasdfasdfsadf
Issuer:	asfgasdfasdfsadf
Algorithm:	sha1WithRSAEncryption
Valid from:	2022-05-09T12:50:37Z
Valid to:	2023-05-09T12:50:37Z
Serial number:	4468ea2f0f15c34610ef47044f63f7a0
Thumbprint Algorithm:	SHA256
Thumbprint:	ca2c612b887c2ebd99a2aee9fd95625f632b44220a0c9734e7a59fcb5de81262
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

293

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

RSX.exe

Verdict:

Suspicious activity

Analysis date:

2022-05-09 18:38:20 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/deb008bb-0de8-4fa7-99b2-10d6cd31b786

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Variant.Strictor.116282.4445.21415.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Adding an access-denied ACE

Using the Windows Management Instrumentation requests

Launching a process

Creating a file

Сreating synchronization primitives

DNS request

Sending a custom TCP request

Sending an HTTP GET request

Reading critical registry keys

Delayed writing of the file

Creating a window

Running batch commands

Creating a process with a hidden window

Forced system process termination

Moving of the original file

Stealing user critical data

Launching a tool to kill processes

Unauthorized injection to a system process

Forced shutdown of a browser

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

expand.exe obfuscated overlay packed replace.exe update.exe

Link:

https://www.filescan.io/uploads/62795cd636c061db6e5e39d8/reports/41202768-a408-496b-966d-0631953a84c7/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/bf417636-e54f-44d9-af55-2f9c10a68c43

Result

Threat name:

Vidar

Detection:

malicious

Classification:

troj.spyw.expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/990460

Signature

.NET source code contains very large array initializations

Antivirus detection for URL or domain

Contains functionality to hide user accounts

Found evasive API chain (may stop execution after checking mutex)

Found many strings related to Crypto-Wallets (likely being stolen)

Malicious sample detected (through community Yara rule)

Moves itself to temp directory

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected AntiVM3

Yara detected UAC Bypass using CMSTP

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/516aa64dfe0713af8c6f1953c075d7e84d191a7a9a0f3d3a99a3f80f1f04c01e/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-05-09 18:26:17 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

15 of 26 (57.69%)

Threat level:

5/5

Verdict:

malicious

Label(s):

agenttesla

ArkeiStealer

24c19a1636d3587279d55be4fe5ff2921f8caf3698d6214fe4110bc3ca76fc16

ArkeiStealer

25d4ec4939eeded4ee26d91dc1312393c6cb42b5449a541034ad07608668e1b8

ArkeiStealer

2d4e8ec435902700a1bc97cf6f5aad79891cbb6b0f3d6582dd9937755f8432d2

ArkeiStealer

612840679bebc417813eb40902e8b29c3784c1698c79dc0e77b0141870f0e983

ArkeiStealer

9b8ad71c6fb34bcefbe2f3238af93d3f64aa9167904ac0cd639c330e479efe1c

ArkeiStealer

afac7896cf21983233c533eeaec870610856969d98218b0ffdfa11c6f57a8420

ArkeiStealer

+ 3'871 additional samples on MalwareBazaar

Result

Malware family:

vidar

Score:

10/10

Tags:

family:vidar botnet:1204 evasion spyware stealer suricata

Link:

https://tria.ge/reports/220509-w26nfsdhc5/

Behaviour

Checks processor information in registry

Delays execution with timeout.exe

Enumerates processes with tasklist

Kills process with taskkill

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of SetThreadContext

Accesses 2FA software files, possible credential harvesting

Accesses cryptocurrency files/wallets, possible credential harvesting

Maps connected drives based on registry

Checks BIOS information in registry

Loads dropped DLL

Looks for VMWare Tools registry key

Looks for VirtualBox Guest Additions in registry

Vidar Stealer

Vidar

suricata: ET MALWARE W32/Agent.OGR!tr.pws Stealer

Malware Config

C2 Extraction:

https://t.me/hollandracing
https://busshi.moe/@ronxik321

Unpacked files

SH256 hash:

1bcfc7afef471660c24e004b5d4901ce262de71733138a6bbed861481159a3c8

MD5 hash:

420a97c995fc8873d0f38d979e07ece0

SHA1 hash:

ccad2634b9a926bbf0d4a4c05a17ac71631e81b8

Link:

https://www.unpac.me/results/d45939da-e8f2-4271-8f4b-70438563305c/

SH256 hash:

5377a6197ccfc0e6f1b7c702ccce0bf9ed3798bdc244cee6e0cd39ddb7e1dbec

MD5 hash:

4ea9e002e9ad8c9383081ca15d7c6224

SHA1 hash:

3efd6ae2d5aab56a5c1b634b6cae51c018c59613

Link:

https://www.unpac.me/results/d45939da-e8f2-4271-8f4b-70438563305c/

SH256 hash:

70b785e5cb5b2e61c0f5da4a71ab0bbd14d9a0849387f037e0d75cc1ffe0a082

MD5 hash:

5951b52c9b4d11ca7f4f33e5a3fb2c31

SHA1 hash:

0bc54fd699fff7b93e5c447a141c0d904924ab0d

Link:

https://www.unpac.me/results/d45939da-e8f2-4271-8f4b-70438563305c/

SH256 hash:

516aa64dfe0713af8c6f1953c075d7e84d191a7a9a0f3d3a99a3f80f1f04c01e

MD5 hash:

ce995c064a4bc23d5db006d6f3a16a5d

SHA1 hash:

2f196ca8a739abe62f13b16686dc19806a61fb06

Link:

https://www.unpac.me/results/d45939da-e8f2-4271-8f4b-70438563305c/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/516aa64dfe07/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/516aa64dfe0713af8c6f1953c075d7e84d191a7a9a0f3d3a99a3f80f1f04c01e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BitcoinAddress Create hunting rule
Author:	Didier Stevens (@DidierStevens)
Description:	Contains a valid Bitcoin address

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample