MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 595de5a664edf353ccca6e9e50899774eedf4733f1931b0e6e370d866de3e55a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ArkeiStealer

Vendor detections: 12

Intelligence 12 IOCs YARA 5 File information Comments

SHA256 hash:	595de5a664edf353ccca6e9e50899774eedf4733f1931b0e6e370d866de3e55a
SHA3-384 hash:	93324495afbee6e86736ec0d8e5044d4bd4dc5ef061fb301b94b9fcf8322d8232d9a1c7503023528ba5b9f40dad40255
SHA1 hash:	c9c5cff6a7e700139d471b0116e12ea0bb17e98e
MD5 hash:	2bc296129698df69531a64b0911e2b6c
humanhash:	jupiter-social-delta-twenty
File name:	2231160e71faf8674b8efc0cedf3384db3acc5d66f0276c76b18c7cb5f842ce0_unpacked
Download:	download sample
Signature	ArkeiStealer Create hunting rule
File size:	286'720 bytes
First seen:	2022-09-26 08:29:39 UTC
Last seen:	2023-09-05 10:55:03 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	8253e8efea69f2acc297953b24cd5ada (1 x ArkeiStealer)
ssdeep	6144:3NyBcukd1tiFqgFGI4pT2GI7DUiySpxQRqViGe:dyrmDiF3FuqDUiySGqVd
TLSH	T1D8549D257780C032D66784B69D05E7268FBEB8D33921A457A3D4477DBE20A82CF5E387
TrID	48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 16.4% (.EXE) Win64 Executable (generic) (10523/12/4) 10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	pnx
Tags:	ArkeiStealer exe vidar

Intelligence

File Origin

# of uploads :

# of downloads :

244

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/313511/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

DNS request

Sending a custom TCP request

Sending an HTTP GET request

Creating a file

Reading critical registry keys

Creating a window

Launching cmd.exe command interpreter

Creating a process with a hidden window

Using the Windows Management Instrumentation requests

Searching for the window

Launching a process

Stealing user critical data

Launching a tool to kill processes

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware overlay shell32.dll

Link:

https://www.filescan.io/uploads/633163d44207caabde64ec56/reports/3540be3b-24aa-460d-b45d-06b93e926286/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/15b64471-a9ad-4ff2-9f10-653156b5c577

Result

Threat name:

Vidar

Detection:

malicious

Classification:

troj.spyw

Score:

92 / 100

Link:

https://www.joesandbox.com/analysis/1077272

Signature

Antivirus / Scanner detection for submitted sample

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/595de5a664edf353ccca6e9e50899774eedf4733f1931b0e6e370d866de3e55a/

Threat name:

Win32.Infostealer.Convagent

Status:

Malicious

First seen:

2022-09-26 08:30:11 UTC

File Type:

PE (Exe)

AV detection:

23 of 25 (92.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=lfo6ljte5xzvhtgkn2pfbcmxotxn6rzt6gjrwdtog4gym3pd4vna._file

Verdict:

malicious

Result

Malware family:

vidar

Score:

10/10

Tags:

family:vidar botnet:1672 discovery spyware stealer

Link:

https://tria.ge/reports/220926-kd568sbcbm/

Behaviour

Checks processor information in registry

Delays execution with timeout.exe

Kills process with taskkill

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Accesses 2FA software files, possible credential harvesting

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Checks computer location settings

Deletes itself

Loads dropped DLL

Reads user/profile data of web browsers

Malware Config

C2 Extraction:

https://t.me/huobiinside
https://mas.to/@kyriazhs1975

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/f036e0cd-093d-4387-b058-34987d5a8698

Unpacked files

SH256 hash:

595de5a664edf353ccca6e9e50899774eedf4733f1931b0e6e370d866de3e55a

MD5 hash:

2bc296129698df69531a64b0911e2b6c

SHA1 hash:

c9c5cff6a7e700139d471b0116e12ea0bb17e98e

Detections:

win_vidar_auto

Link:

https://www.unpac.me/results/d0533c5f-33b5-4c04-afe5-506aa2ef1e7d/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/595de5a664ed/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/595de5a664edf353ccca6e9e50899774eedf4733f1931b0e6e370d866de3e55a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	RansomwareTest4 Create hunting rule
Author:	Daoyuan Wu
Description:	Test Ransomware YARA rules

Rule name:	RansomwareTest5 Create hunting rule
Author:	Daoyuan Wu
Description:	Test Ransomware YARA rules

Rule name:	RansomwareTest6 Create hunting rule
Author:	Daoyuan Wu
Description:	Test Ransomware YARA rules

Rule name:	RansomwareTest7 Create hunting rule
Author:	Daoyuan Wu
Description:	Test Ransomware YARA rules

Rule name:	win_vidar_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.vidar.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

ArkeiStealer

exe 2231160e71faf8674b8efc0cedf3384db3acc5d66f0276c76b18c7cb5f842ce0

ArkeiStealer

exe 595de5a664edf353ccca6e9e50899774eedf4733f1931b0e6e370d866de3e55a

(this sample)

Dropped by

SHA256 2231160e71faf8674b8efc0cedf3384db3acc5d66f0276c76b18c7cb5f842ce0

Cape

https://www.capesandbox.com/analysis/313511/

Dropped by

MD5 ea9fa7d01bea905b858de54fa01ad7fa

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample