MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5cf788e38508a9f9dbce08142591763ff947fc590ae2fe162a5f2f1849b2c695. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5cf788e38508a9f9dbce08142591763ff947fc590ae2fe162a5f2f1849b2c695
SHA3-384 hash: ad77a667cacfc622483eec0f46ba0a8979892a6ecd6302661b7546fb4f5ec2ddbbc7f726b80c7744371393a2fbd9c1b5
SHA1 hash: a45c8799654d04cbb514aa10d02fc55c900290d0
MD5 hash: 24c94818282f9fc1a29b2f00b6b018a5
humanhash: butter-white-bulldog-vegan
File name:24c94818282f9fc1a29b2f00b6b018a5
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:682'496 bytes
First seen:2021-10-05 11:56:29 UTC
Last seen:2021-10-05 14:04:10 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash bec5279be0cb3c653f5b0b143b00a99c (3 x RaccoonStealer, 2 x ArkeiStealer, 1 x RedLineStealer)
ssdeep 12288:VpxYZV0CYer9MgqLUFRW75tM72yxAesui+G1U32GI6niDg1QpwUd:N3CYGILUFRW7oSyxdsuPGLrEie
Threatray 3'113 similar samples on MalwareBazaar
TLSH T10FE40114B7A0C035F1B725F649B583B4A62E7E71AB3493CF52E52AEA06746E0EC30357
File icon (PE):PE icon
dhash icon e2f8e8e8aa66a499 (2 x RedLineStealer, 1 x ArkeiStealer)
Reporter zbetcheckin
Tags:32 ArkeiStealer exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
149
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
24c94818282f9fc1a29b2f00b6b018a5
Verdict:
Malicious activity
Analysis date:
2021-10-05 12:00:01 UTC
Tags:
trojan stealer vidar loader
Link:
https://app.any.run/tasks/9d9f71e7-f04e-4e01-b597-3d8b03df431b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Vidar
Create hunting rule
Link:
https://www.capesandbox.com/analysis/195007/
Detection(s):
SecuriteInfo.com.Ransom.Stop.Z5.270.30436.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Connection attempt to an infection source
Sending a TCP request to an infection source
Launching the default Windows debugger (dwwin.exe)
Query of malicious DNS domain
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/615c3d8f98a6280f39325334/reports/dc161175-8591-492b-a040-6df2b8c713b1/overview
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f6a0fc1c-1b0a-4e78-9d81-5782da8aac22
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/864742
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Self deletion via cmd delete
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Vidar
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5cf788e38508a9f9dbce08142591763ff947fc590ae2fe162a5f2f1849b2c695/
Threat name:
Win32.Ransomware.Stop
Create hunting rule
Status:
Malicious
First seen:
2021-10-05 11:57:05 UTC
AV detection:
26 of 45 (57.78%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
0043de32b946e3da5bf993515848be03979a1bf019b720f4c2a1ad647f120f53
ArkeiStealer
0d165ee8e30b6716bf316118565b781b82ad87c7aff58c1907ae1e2b512f522c
ArkeiStealer
21c2d5c785b09b136e5190ac486ffccf57d97dbe50115ba9361b6377bba522e6
ArkeiStealer
3decf0329e1b897bb576210f182a3e9d1369613a117cb02d6e47ccaaa151c7b9
ArkeiStealer
434a28e5e131dff29b239284643df2370d0f317d0a8621b682c26ec944d8889a
ArkeiStealer
48f9b4bc2bf75c03449857ff0d6b47c35ab97ed8ba444890ccdd4128d9ae1027
ArkeiStealer
774753d2a216a134c971df97df73b7c8efb0f1207e7948dbacff5e2e30f85456
ArkeiStealer
af01014d5078e186ff588ce207c9f4d52413834d791bb6a4dc1d5d9c7155f6e3
ArkeiStealer
e1d5ab87fe1bc0121e1d2e0d5523d8f24cd68040f436410bb3530ad86c385575
ArkeiStealer
f3880cc610096c5ce3a7407741d8679de5b4f163fe1df37a051cb6026afe56d3
ArkeiStealer
+ 3'103 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar botnet:903 discovery spyware stealer suricata
Link:
https://tria.ge/reports/211005-n4k6jaaacj/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Vidar Stealer
Vidar
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
Malware Config
C2 Extraction:
https://mas.to/@bardak1ho
Unpacked files
SH256 hash:
c0373cb6700d7314e3b44e685db8a2c2326257e4da94d3c174e84d79c6c26a5a
MD5 hash:
01bf3415c4e09d7cdc4ba42eb68719be
SHA1 hash:
fcb641c5763fd874c956f197ca20fbac6836632a
Link:
https://www.unpac.me/results/e663d375-4c36-42a6-884d-5e53e3864946/
SH256 hash:
5cf788e38508a9f9dbce08142591763ff947fc590ae2fe162a5f2f1849b2c695
MD5 hash:
24c94818282f9fc1a29b2f00b6b018a5
SHA1 hash:
a45c8799654d04cbb514aa10d02fc55c900290d0
Link:
https://www.unpac.me/results/e663d375-4c36-42a6-884d-5e53e3864946/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5cf788e38508a9f9dbce08142591763ff947fc590ae2fe162a5f2f1849b2c695

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ArkeiStealer

Executable exe 5cf788e38508a9f9dbce08142591763ff947fc590ae2fe162a5f2f1849b2c695

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1655614/
Cape
Cape
https://www.capesandbox.com/analysis/195007/

Comments


Avatar
zbet commented on 2021-10-05 11:56:29 UTC

url : hxxp://89.223.70.202/ruz22nzVkxErrqtL.exe