MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5455441cf085fe5e5c605e6870fadd4f47f215d4525e23f5b75eaabec8cf3705. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5455441cf085fe5e5c605e6870fadd4f47f215d4525e23f5b75eaabec8cf3705
SHA3-384 hash: bb56e29f4c2620c4234888e4817d279e8903d637f9db00cca6028524f7289cc2a9c7d3170506a04ef62e399a0c30eddf
SHA1 hash: 5afe35415acae916a7ab8dc5eb7a86492514bfc9
MD5 hash: 9f0e096c8e695b93ada6b1ae02ad6510
humanhash: mirror-batman-pennsylvania-six
File name:hvll3pmn.bat
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:263'769 bytes
First seen:2022-12-21 01:49:49 UTC
Last seen:Never
File type:Batch (bat) bat
MIME type:text/x-msdos-batch
ssdeep 6144:3l+5Q6oiuTUHNiVfR1Ru7ZQLw6My8Cj5xb06zR8Ncm3zrg:V+C1iuThReit38Cb0aRQw
Threatray 17'535 similar samples on MalwareBazaar
TLSH T1FA44128E826D5C14B6987E81259F2EE565DC11AA0891E9D331F02C7882FBFC85E4F573
Reporter r3dbU7z
Tags:ArkeiStealer bat dropper

Intelligence

File Origin
# of uploads :
1
# of downloads :
259
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
vidar
Create hunting rule
ID:
1
File name:
hvll3pmn.bat
Verdict:
Malicious activity
Analysis date:
2022-12-21 01:52:50 UTC
Tags:
trojan stealer vidar
Link:
https://app.any.run/tasks/dfb4bdea-1c0c-44d4-8836-c8c1b7f5c2a7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/348583/
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
powershell
Link:
https://www.filescan.io/uploads/63a2664ce10f7185fe72ed8a/reports/d909cfa8-6f7d-454a-9109-7b6d2677f475/overview
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/1138355
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to compare user and computer (likely to detect sandboxes)
Found many strings related to Crypto-Wallets (likely being stolen)
Obfuscated command line found
Self deletion via cmd or bat file
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 771085 Sample: hvll3pmn.bat Startdate: 21/12/2022 Architecture: WINDOWS Score: 80 39 Yara detected Vidar stealer 2->39 41 C2 URLs / IPs found in malware configuration 2->41 43 Found many strings related to Crypto-Wallets (likely being stolen) 2->43 8 cmd.exe 2 2->8         started        process3 file4 31 C:\Users\user\Desktop\hvll3pmn.bat.exe, PE32 8->31 dropped 45 Suspicious powershell command line found 8->45 12 hvll3pmn.bat.exe 36 8->12         started        17 powershell.exe 7 8->17         started        19 conhost.exe 8->19         started        signatures5 process6 dnsIp7 35 t.me 149.154.167.99, 443, 49695 TELEGRAMRU United Kingdom 12->35 37 95.216.251.188, 49696, 80 HETZNER-ASDE Germany 12->37 33 C:\Users\user\...\hvll3pmn.bat.exe.log, ASCII 12->33 dropped 47 Obfuscated command line found 12->47 49 Self deletion via cmd or bat file 12->49 51 Tries to harvest and steal browser information (history, passwords, etc) 12->51 53 2 other signatures 12->53 21 cmd.exe 1 12->21         started        23 powershell.exe 5 12->23         started        file8 signatures9 process10 process11 25 conhost.exe 21->25         started        27 timeout.exe 1 21->27         started        29 conhost.exe 23->29         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5455441cf085fe5e5c605e6870fadd4f47f215d4525e23f5b75eaabec8cf3705/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=krkuihhqqx7f4xdalzuhb6w5j5d7efoukjpch5nxl2vl5sgpg4cq._file
Verdict:
malicious
Similar samples:
221bcfad93520868aec7972924ea2cc5827dbf3da3965e2599b9668033ac7ec8
ArkeiStealer
3a56c8b9269a6dd225bc150dfd6bcf058aeadd2d5196ed02cec5bf00521238d9
ArkeiStealer
635329a3e60baf7fc0d50d16b87c4ddc8f9300c710696dde863c3d90abb1b4a3
ArkeiStealer
841572da329176a7f23da214406a8c5d19c4107206df3d83bfcd8dd6dc906ecf
ArkeiStealer
b14b1aee43f78548e382e6a5b5b59208f65f7c3a8e7aa1e3bdf7d8bea5217146
ArkeiStealer
b6c8d4806e4080ddee5a5b5ff6f3f12074fae9bd31464a147c7ac6851755ca4c
ArkeiStealer
bada6d6d493416c0992a375de60fe574ced09bef5496ebfac07c19a8b2785494
ArkeiStealer
d2c0dcfcf2d60c5aad8a239bbd8b064b4953e536187230aa1d9b5fffbdeb5c39
ArkeiStealer
ed75d66b5d971ec01613881d3e088081222411e8315428e6cb049d5699ce31bc
ArkeiStealer
fad1b92b67d6509a5d114b43395bd428b8fff6b827198083f1abc801a9c78525
ArkeiStealer
+ 17'525 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery spyware stealer
Link:
https://tria.ge/reports/221221-b8991abd98/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5455441cf085fe5e5c605e6870fadd4f47f215d4525e23f5b75eaabec8cf3705

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:Telegram_Links
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ArkeiStealer

Batch (bat) bat 5455441cf085fe5e5c605e6870fadd4f47f215d4525e23f5b75eaabec8cf3705

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/348583/

Comments