MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 51cfcee19834820df4a40549e75ad654861044bb1beab841e4aed94e5f28fb1d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
ArkeiStealer
Vendor detections: 10
| SHA256 hash: | 51cfcee19834820df4a40549e75ad654861044bb1beab841e4aed94e5f28fb1d |
|---|---|
| SHA3-384 hash: | d01327d8788e8a94b6a532ee29a2f4b4309398cffc575a6392291a94e6e0ce86c3102e64d42c762fecea6ee448e83e93 |
| SHA1 hash: | 66e1f078e47260f331b01428329bde0404d505ef |
| MD5 hash: | b69179de74613f1c4d62131e81639cd6 |
| humanhash: | montana-cat-idaho-four |
| File name: | file.bin |
| Download: | download sample |
| Signature | ArkeiStealer |
| File size: | 607'744 bytes |
| First seen: | 2020-12-13 08:56:31 UTC |
| Last seen: | Never |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | 5636d7ed82c424e5c63f520f4cc55a1d (2 x ArkeiStealer) |
| ssdeep | 12288:Q94g0zPF6VwxZJImGdIFiucNZWuWlV5m8lZDKQMyU:zt+wxDIujcN0Xb5m46R |
| TLSH | C7D4E026686C3F5BD823A234310B2F7555F58B1F3F25756CFAFE8BB1A170A502A63046 |
| Reporter |  JAMESWT_WT |
| Tags: | ArkeiStealer |
Intelligence
File Origin
# of uploads :
1
# of downloads :
549
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file.exe
Verdict:
Malicious activity
Analysis date:
2020-12-12 20:06:44 UTC
Tags:
trojan stealer vidar loader evasion
Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Predatorthethief
Detection(s):
Result
Verdict:
Malware
Maliciousness:
Behaviour
Changing a file
Creating a file
DNS request
Connection attempt
Sending an HTTP GET request
Sending a UDP request
Deleting a recently created file
Replacing files
Reading critical registry keys
Creating a window
Delayed writing of the file
Running batch commands
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Searching for the window
Creating a file in the Windows subdirectories
Stealing user critical data
Launching a tool to kill processes
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Vidar
Detection:
malicious
Classification:
phis.troj.spyw
Score:
96 / 100
Signature
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Threat name:
Win32.Trojan.Bulz
Status:
Malicious
First seen:
2020-12-13 08:55:41 UTC
File Type:
PE (Exe)
Extracted files:
16
AV detection:
14 of 48 (29.17%)
Threat level:
5/5
Detection(s):
Suspicious file
Result
Malware family:
n/a
Score:
8/10
Tags:
discovery spyware stealer upx
Behaviour
Checks processor information in registry
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
JavaScript code in executable
Looks up external IP address via web service
Deletes itself
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
51cfcee19834820df4a40549e75ad654861044bb1beab841e4aed94e5f28fb1d
MD5 hash:
b69179de74613f1c4d62131e81639cd6
SHA1 hash:
66e1f078e47260f331b01428329bde0404d505ef
SH256 hash:
4c92448e3676b34a39f1fa0e9cfa33645ac60cc56f726af37663c80a43a63e45
MD5 hash:
f13daf507ebfc0b2aa321b46ea3b958c
SHA1 hash:
1f37f089d725a4fe5f992b36e1a5015cecd0d09a
SH256 hash:
b4bfee19d56f9597baae9a97e369c7d3d00eaf8d716b75c0a0c2576a0fe0b2b6
MD5 hash:
bd5bd1cdedf25b481cfa25d898791dd9
SHA1 hash:
b78bf9138e14e296d152172328f58a724d059e3a
Detections:
win_vidar_g0
win_vidar_auto
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.
| Rule name: | Cryptocoin_bin_mem |
|---|---|
| Author: | James_inthe_box |
| Description: | Steam in files like avemaria |
| Rule name: | suspicious_packer_section |
|---|---|
| Author: | @j0sm1 |
| Description: | The packer/protector section names/keywords |
| Reference: | http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/ |
| Rule name: | win_vidar_auto |
|---|---|
| Author: | Felix Bilstein - yara-signator at cocacoding dot com |
| Description: | autogenerated rule brought to you by yara-signator |
| Rule name: | win_vidar_g0 |
|---|---|
| Author: | Slavo Greminger, SWITCH-CERT |
| Rule name: | with_sqlite |
|---|---|
| Author: | Julian J. Gonzalez <info@seguridadparatodos.es> |
| Description: | Rule to detect the presence of SQLite data in raw image |
| Reference: | http://www.st2labs.com |
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.