MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 53b9574dfc4abdd1b4ce4a65220e0a202cc4113a0d6dc0301f921dd9000e70fe. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 53b9574dfc4abdd1b4ce4a65220e0a202cc4113a0d6dc0301f921dd9000e70fe
SHA3-384 hash: 334ed05aebec52e037873b126abf8c0c3142b513f189717edba227e0004875dbfae4afcc4ac2b917cac82408dcca9570
SHA1 hash: e8c260dd3c7ef1276b5a3434c1c8907c5653b609
MD5 hash: a9d2515d9de2febd7339b2882c6be83d
humanhash: colorado-georgia-georgia-sixteen
File name:file
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:356'864 bytes
First seen:2022-10-27 19:28:12 UTC
Last seen:2022-10-28 13:25:35 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash d6f3b53e54110b981e8d25178c917088 (3 x Tofsee, 3 x Smoke Loader, 2 x RedLineStealer)
ssdeep 6144:XT4o1txipVXbIR2HZ7Z4JT7N1pnJhKPdi0:X0o1txodbIR+7Z4p7LfhKPdr
Threatray 797 similar samples on MalwareBazaar
TLSH T1F874F112B9CEC471C485003C4839CAB47A7EBD73D562C5AB3B543B6FAE702D1A67325A
TrID 40.3% (.EXE) Win64 Executable (generic) (10523/12/4)
19.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
17.2% (.EXE) Win32 Executable (generic) (4505/5/1)
7.7% (.EXE) OS/2 Executable (generic) (2029/13)
7.6% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):PE icon
dhash icon 480c1c4c4f594b14 (172 x Smoke Loader, 134 x RedLineStealer, 98 x Amadey)
Reporter andretavare5
Tags:ArkeiStealer exe


Avatar
andretavare5
Sample downloaded from https://vk.com/doc733883836_657689106?hash=cq1zVTUgJVxNhfMLegF1dCoM4drv36lyBpB7MJFTHDH&dl=G4ZTGOBYGM4DGNQ:1666896771:sRgPjgcSza1sVG4X4kSZUDqxsmIibW2WJIuK0WBPEmP&api=1&no_preview=1#a9_10

Intelligence

File Origin
# of uploads :
426
# of downloads :
253
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Vidar
Create hunting rule
Link:
https://www.capesandbox.com/analysis/325115/
Detection(s):
Win.Packed.Tofsee-9951336-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Reading critical registry keys
Creating a window
Running batch commands
Creating a process with a hidden window
Launching a process
Launching the default Windows debugger (dwwin.exe)
Searching for the window
Stealing user critical data
Sending an HTTP GET request to an infection source
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/40eacb21-772b-4b71-802c-35acaa7227b0
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1099735
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/53b9574dfc4abdd1b4ce4a65220e0a202cc4113a0d6dc0301f921dd9000e70fe/
Threat name:
Win32.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2022-10-27 20:14:34 UTC
File Type:
PE (Exe)
Extracted files:
22
AV detection:
24 of 26 (92.31%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ko4votp4jk65dngojjssedqkeawmiej2bvw4ama7sio5saaood7a._file
Verdict:
malicious
Similar samples:
1adc68849d784b9530292b7187f492aa1d798d89a099a9eb8105fdfc9edaf2a0
ArkeiStealer
1beb50ab8de7ec33aec7deb5365fbebce3a91bfe9cf31387a5bf326ace08d48b
ArkeiStealer
1ebe93b170185c9898d90829867fd281a34568c054f832cee5027db73b63bba6
ArkeiStealer
2a929266c1c731452ab4171a4c6cb980d6c84a6cc81e2bec5b1dacec075113bf
ArkeiStealer
826f0582dad21366bf3251b4d39478f9a893eab86d8b83a4d09d97f42564b5b5
ArkeiStealer
a3282df5188935d442674443e22d2f8bc5d5390a778b386a675d2a66a619d47b
ArkeiStealer
dd56aa044bfb8c5acdc0a475b724252ea9e9d760d4bdf510e304c58aabd33e41
ArkeiStealer
+ 787 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar botnet:937 discovery spyware stealer
Link:
https://tria.ge/reports/221027-x678hsdcfq/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks computer location settings
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Vidar
Malware Config
C2 Extraction:
https://t.me/slivetalks
https://c.im/@xinibin420
Unpacked files
SH256 hash:
027bbe8e0a35469278bb7295f2a87e2307a481287034529cd33fff3aace65c0b
MD5 hash:
1b2b492d831454ea0b0d89211f43dcdd
SHA1 hash:
7dc8a4b375bd72eede2eba4d0c70035ef5e3e11c
Link:
https://www.unpac.me/results/b2abc7b2-d575-46e6-88f6-a68ff8a068cb/
SH256 hash:
53b9574dfc4abdd1b4ce4a65220e0a202cc4113a0d6dc0301f921dd9000e70fe
MD5 hash:
a9d2515d9de2febd7339b2882c6be83d
SHA1 hash:
e8c260dd3c7ef1276b5a3434c1c8907c5653b609
Link:
https://www.unpac.me/results/b2abc7b2-d575-46e6-88f6-a68ff8a068cb/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/53b9574dfc4abdd1b4ce4a65220e0a202cc4113a0d6dc0301f921dd9000e70fe

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:Vidar
Create hunting rule
Author:kevoreilly,rony
Description:Vidar Payload
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security
Rule name:Windows_Trojan_Vidar_114258d5
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/325115/

Comments