MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 536a39f5ff898717ba9b02b146e0cc11bab0ae6d2cb7e7c6926a92171daadb98. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ArkeiStealer

Vendor detections: 12

Intelligence 12 IOCs YARA 1 File information Comments 1

SHA256 hash:	536a39f5ff898717ba9b02b146e0cc11bab0ae6d2cb7e7c6926a92171daadb98
SHA3-384 hash:	d7bd788b9d66d17adc5daf0b156210079452aafcc5d3c0cdce1cb821ea31f5c5bc4070d435635b5a59ea82c64fb83d39
SHA1 hash:	68bdfc13657aa855ed981382eb6e920b86ab7326
MD5 hash:	40178549fa7c3f5d179f0a1fd3e5aae1
humanhash:	beer-utah-kitten-michigan
File name:	40178549fa7c3f5d179f0a1fd3e5aae1
Download:	download sample
Signature	ArkeiStealer Create hunting rule
File size:	11'901'440 bytes
First seen:	2022-09-26 04:10:35 UTC
Last seen:	2022-09-26 08:19:24 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	3eb5d209f4deee0471ab0b8f8e9a1a3e (4 x ArkeiStealer, 4 x RedLineStealer)
ssdeep	98304:AL1Z7CmwBC2B3DbVg6sRj5KOKl3OO71WtzMTjt5/fPqrVdbUrjxi1H2TjiulSU89:xx0Z/KvSCt5nu0rZZsQdWg7tGGzG6b
TLSH	T17DC6090674E0204F6788E6B3AB08D9B573838BCD555163D91AEFCBBB653D7027B112AC
TrID	32.2% (.EXE) Win64 Executable (generic) (10523/12/4) 20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 15.4% (.EXE) Win16 NE executable (generic) (5038/12/1) 13.7% (.EXE) Win32 Executable (generic) (4505/5/1) 6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter	zbetcheckin
Tags:	32 ArkeiStealer exe

Intelligence

File Origin

# of uploads :

# of downloads :

120

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Vidar

Link:

https://www.capesandbox.com/analysis/313396/

Detection(s):

SecuriteInfo.com.Variant.Mikey.141331.13450.4188.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Unauthorized injection to a recently created process

Creating a file

Сreating synchronization primitives

DNS request

Sending a custom TCP request

Sending an HTTP GET request

Reading critical registry keys

Launching cmd.exe command interpreter

Creating a process with a hidden window

Launching a process

Stealing user critical data

Launching a tool to kill processes

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-vm mikey packed

Link:

https://www.filescan.io/uploads/63312695d2599dea2743f18e/reports/e5d3cc3f-7a17-4abb-8999-da7a76b1c7a6/overview

Result

Verdict:

MALICIOUS

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/0b7b2a85-7da1-413e-8d6a-49c01b2b9a07

Result

Threat name:

Vidar

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1077141

Signature

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Self deletion via cmd or bat file

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/536a39f5ff898717ba9b02b146e0cc11bab0ae6d2cb7e7c6926a92171daadb98/

Threat name:

ByteCode-MSIL.Trojan.Zilla

Status:

Malicious

First seen:

2022-09-25 02:39:49 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

21 of 26 (80.77%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=knvdt5p7rgdrpou3akyunygmcg5lbltnfs36prusnkjbohnk3oma._file

Result

Malware family:

vidar

Score:

10/10

Tags:

family:vidar botnet:1680 discovery spyware stealer

Link:

https://tria.ge/reports/220926-eryfnaaeem/

Behaviour

Checks processor information in registry

Delays execution with timeout.exe

Kills process with taskkill

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Suspicious use of SetThreadContext

Accesses 2FA software files, possible credential harvesting

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Checks computer location settings

Loads dropped DLL

Reads user/profile data of web browsers

Vidar

Malware Config

C2 Extraction:

https://t.me/huobiinside
https://mas.to/@kyriazhs1975

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/7a570739-01d1-439a-8171-8caccb5696ed

Unpacked files

SH256 hash:

2fbb97b8c570f0026753b843abc8eadc4be3a6c03d4726764b950f26eb7b13ee

MD5 hash:

bded05ca2009e9759528d0b3a3b912ba

SHA1 hash:

4e82bfa4b520a4200863b12a57d2e08f4452e6e4

Detections:

win_vidar_auto

Link:

https://www.unpac.me/results/8d648a2c-81cb-4cc0-9550-a3021b9a3e44/

SH256 hash:

536a39f5ff898717ba9b02b146e0cc11bab0ae6d2cb7e7c6926a92171daadb98

MD5 hash:

40178549fa7c3f5d179f0a1fd3e5aae1

SHA1 hash:

68bdfc13657aa855ed981382eb6e920b86ab7326

Link:

https://www.unpac.me/results/8d648a2c-81cb-4cc0-9550-a3021b9a3e44/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/536a39f5ff89/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/536a39f5ff898717ba9b02b146e0cc11bab0ae6d2cb7e7c6926a92171daadb98

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.