MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 51ffa97c666a44c732f20bbb7c62f48e7f01e1e16fc381078d19fdda95894970. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 10


Intelligence 10 IOCs YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 51ffa97c666a44c732f20bbb7c62f48e7f01e1e16fc381078d19fdda95894970
SHA3-384 hash: 39f3012025bcee177b941e7fe1275fbc0e6d5c735518996dc4c2c757f9b998bbfdaa412cff5077357caeb77f17cbfdc9
SHA1 hash: 9c786f375c1a4a5cdfd6c190cef4941c2be62786
MD5 hash: 91d4d9e326c8fc248005b8d1ab6ce48b
humanhash: white-berlin-glucose-music
File name:91d4d9e326c8fc248005b8d1ab6ce48b
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:279'848 bytes
First seen:2021-11-08 05:32:15 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 3072:5ExPHM86Bh4bOmxrKKHbBTQXUPdywGyTfsKBAKBgI:6Zn6Bh2xrl7BBTdXWI
Threatray 4'198 similar samples on MalwareBazaar
TLSH T1725439CB2FB0BC13CA58CA709922D5D1C4F2ADD3D54CD212E780761E7A9B39C3525A6E
File icon (PE):PE icon
dhash icon f0dc96978e8edcf0 (2 x CoinMiner, 1 x ArkeiStealer, 1 x RedLineStealer)
Reporter zbetcheckin
Tags:32 ArkeiStealer exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
109
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
51ffa97c666a44c732f20bbb7c62f48e7f01e1e16fc381078d19fdda95894970.zip
Verdict:
Malicious activity
Analysis date:
2021-11-08 06:21:14 UTC
Tags:
trojan stealer vidar loader
Link:
https://app.any.run/tasks/eb08e017-5ee2-4054-b67d-417f6411562a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/203140/
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed packed
Link:
https://www.filescan.io/uploads/6188b68e43a4f7480912e9d6/reports/56be19c4-f51d-4d4d-832a-cf547f4d5750/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/31f556dc-a792-4a83-98e0-7227bfe95382
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/884974
Signature
Allocates memory in foreign processes
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to delay execution (extensive OutputDebugStringW loop)
Uses ipconfig to lookup or modify the Windows network settings
Uses ping.exe to check the status of other devices and networks
Writes to foreign memory regions
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 517432 Sample: VBfyDDZ4a4 Startdate: 08/11/2021 Architecture: WINDOWS Score: 100 48 mas.to 2->48 62 Multi AV Scanner detection for domain / URL 2->62 64 Multi AV Scanner detection for submitted file 2->64 66 Yara detected Vidar stealer 2->66 68 Found many strings related to Crypto-Wallets (likely being stolen) 2->68 8 VBfyDDZ4a4.exe 15 6 2->8         started        signatures3 process4 dnsIp5 50 bitbucket.org 104.192.141.1, 443, 49796 AMAZON-02US United States 8->50 52 s3-w.us-east-1.amazonaws.com 52.216.83.24, 443, 49797 AMAZON-02US United States 8->52 54 2 other IPs or domains 8->54 44 C:\Users\user\AppData\...\VBfyDDZ4a4.exe, PE32 8->44 dropped 46 C:\Users\...\VBfyDDZ4a4.exe:Zone.Identifier, ASCII 8->46 dropped 70 Writes to foreign memory regions 8->70 72 Allocates memory in foreign processes 8->72 74 Tries to delay execution (extensive OutputDebugStringW loop) 8->74 76 Injects a PE file into a foreign processes 8->76 13 powershell.exe 9 8->13         started        16 VBfyDDZ4a4.exe 8->16         started        19 powershell.exe 8 8->19         started        21 6 other processes 8->21 file6 signatures7 process8 file9 78 Uses ping.exe to check the status of other devices and networks 13->78 80 Uses ipconfig to lookup or modify the Windows network settings 13->80 23 conhost.exe 13->23         started        25 ipconfig.exe 1 13->25         started        27 BackgroundTransferHost.exe 13->27         started        42 C:\ProgramData\freebl3.dll, PE32 16->42 dropped 82 Multi AV Scanner detection for dropped file 16->82 29 PING.EXE 19->29         started        32 conhost.exe 19->32         started        34 PING.EXE 1 21->34         started        36 PING.EXE 1 21->36         started        38 PING.EXE 1 21->38         started        40 7 other processes 21->40 signatures10 process11 dnsIp12 56 104.244.42.129 TWITTERUS United States 29->56 58 twitter.com 104.244.42.193 TWITTERUS United States 34->58 60 104.244.42.1 TWITTERUS United States 38->60
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/51ffa97c666a44c732f20bbb7c62f48e7f01e1e16fc381078d19fdda95894970/
Threat name:
ByteCode-MSIL.Trojan.Chapak
Create hunting rule
Status:
Malicious
First seen:
2021-11-08 03:39:59 UTC
AV detection:
6 of 45 (13.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kh72s7dgnjcmomxsbo5xyyxurz7qdypbn7bycb4ndh65vfmjjfya._file
Verdict:
malicious
Similar samples:
152c854e0e028eaa43bef46d7375d5704cf43f2c22a0354d7757e7cf5cdc3a89
ArkeiStealer
1fbbaa6cfa20d6e11a3e5e4ba0702f608d474cbf5a86eef891fb57a671c684be
ArkeiStealer
3893dc157f444a1b98d11a33630f78a45579b826f3ce83c08bb7b176cbfa2418
ArkeiStealer
413e55d97976165d64d7ffdba7284c02d473e70e6408591650627f98f7ae7560
ArkeiStealer
98ee19dbbe959081f2d95b7f56af58fcb7ecdc5b85bb9ee13775376b9bad1ccf
ArkeiStealer
9fefd930a1cc7b257fe5a65bc3eda3167bc0f82895f288fc34eaca3411b2688b
ArkeiStealer
cdd1ac2ccf205bcc0e8fecb0b117b809fcade0fcc0eba5f6b85a5dfc88443344
ArkeiStealer
+ 4'188 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar botnet:399 discovery spyware stealer
Link:
https://tria.ge/reports/211108-f8vxjabch3/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Gathers network information
Kills process with taskkill
Modifies system certificate store
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Vidar Stealer
Vidar
Malware Config
C2 Extraction:
https://mas.to/@kirpich
Unpacked files
SH256 hash:
51ffa97c666a44c732f20bbb7c62f48e7f01e1e16fc381078d19fdda95894970
MD5 hash:
91d4d9e326c8fc248005b8d1ab6ce48b
SHA1 hash:
9c786f375c1a4a5cdfd6c190cef4941c2be62786
Link:
https://www.unpac.me/results/56a67540-9f8f-4b24-ba4b-f01ed1c14042/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/51ffa97c666a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.54
Link:
https://yomi.yoroi.company/submissions/51ffa97c666a44c732f20bbb7c62f48e7f01e1e16fc381078d19fdda95894970

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ArkeiStealer

Executable exe 51ffa97c666a44c732f20bbb7c62f48e7f01e1e16fc381078d19fdda95894970

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/203140/
  
URLhaus
https://urlhaus.abuse.ch/url/1762849/

Comments


Avatar
zbet commented on 2021-11-08 05:32:16 UTC

url : hxxp://host-host-file6.com/files/8194_1636301703_9028.exe