MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5ff9402242153efd2dae7f24a0307d7d1d7169fad524e7d3ae199e5e078f6f37. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ArkeiStealer

Vendor detections: 8


SHA256 hash: 5ff9402242153efd2dae7f24a0307d7d1d7169fad524e7d3ae199e5e078f6f37
SHA3-384 hash: 6bc3928a6602ad3bd95933d411b06447be1a663e10c93f00e34dd2b8a2bab7a217eb4611f7dc6bec0c12dccf7d9c33a7
SHA1 hash: f2cebb8b286164ee134f8eb27da69f79be4076f1
MD5 hash: 6ff1e024abca59d664e3513fbd1c6a0d
humanhash: friend-fix-edward-oregon
File name: file
Signature: ArkeiStealer
File size: 891,000 bytes
First seen: 2022-11-24 16:49:37 UTC
Last seen: 2022-11-24 18:28:44 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: e6b75ce56bcddfed2c98aa55d2733288 (1 x ArkeiStealer)
ssdeep: 24576:HBSUvThyNTrjlohVG0HvjdF8rhaRUON0tITmE:HBrhyJrjlohlN0tU
TLSH: T116159C67EA4389F1DD5702F11547EBBAA938BB0540714D5FFE48CE8CABE2C432879624
TrID:
  43.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
  22.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
  9.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  7.0% (.EXE) Win16 NE executable (generic) (5038/12/1)
  6.2% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter: jstrosch
Tags: ArkeiStealer, exe

Intelligence


File Origin
Number of uploads: 2
Number of downloads: 354
Origin country: n/a
Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: file
Verdict: No threats detected
Analysis date: 2022-11-24 16:50:07 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.
Result
Verdict: Clean
Behaviour: Sending a custom TCP request
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: anti-debug, greyware, overlay, packed, shell32.dll
Result
Verdict: UNKNOWN
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Detection: malicious
Classification: troj.spyw
Score: 76 / 100
Signatures:
  C2 URLs / IPs found in malware configuration
  Multi AV Scanner detection for domain / URL
  Self deletion via cmd or bat file
  Tries to harvest and steal browser information (history, passwords, etc)
  Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
  Tries to steal Crypto Currency Wallets
  Yara detected Vidar stealer
Behaviour
Threat name: Win32.Infostealer.Bandra
Status: Malicious
First seen: 2022-11-24 16:50:09 UTC
File Type: PE (Exe)
AV detection: 12 of 26 (46.15%)
Threat level: 5/5
Result
Score: 10/10
Tags: family:vidar, botnet:1686, discovery, spyware, stealer
Behaviour:
  Checks processor information in registry
  Delays execution with timeout.exe
  Modifies system certificate store
  Suspicious behavior: EnumeratesProcesses
  Suspicious use of WriteProcessMemory
  Enumerates physical storage devices
  Accesses 2FA software files, possible credential harvesting
  Accesses cryptocurrency files/wallets, possible credential harvesting
  Checks installed software on the system
  Deletes itself
  Loads dropped DLL
  Reads user/profile data of web browsers
Vidar Malware Config
C2 Extraction:
  https://t.me/headshotsonly
  https://steamcommunity.com/profiles/76561199436777531
Note: for Vidar these two URLs are dead-drop resolvers rather than the C2 itself. The stealer fetches the public Telegram channel and Steam profile pages and parses the current C2 address out of their text, so the operator can rotate the real C2 without rebuilding the binary. A workstation requesting exactly these profile pages is a strong detection signal, but do not expect this configuration extraction to show the host the stolen data is actually sent to.
Verdict: Suspicious
Tags: n/a
YARA: n/a
Unpacked files
SHA256 hash: cbdb563851966743a24fbd9a60b00f4f81d3c01f1b9081a5fa18cf539e2616dd
MD5 hash: f3e0ae7fed8fdd3c340f26b82776857c
SHA1 hash: c964845de5b550d1f17e9c28278e39d548b0fa7d

SHA256 hash: 5ff9402242153efd2dae7f24a0307d7d1d7169fad524e7d3ae199e5e078f6f37 (this sample)
MD5 hash: 6ff1e024abca59d664e3513fbd1c6a0d
SHA1 hash: f2cebb8b286164ee134f8eb27da69f79be4076f1
Please note that we are no longer able to provide a coverage score for Virus Total.
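As an added example, not MalwareBazaar's own code, the following Python consumes the indicators on this entry: it recomputes the published digests of a file to confirm whether a downloaded binary is the packed sample or the unpacked payload listed under "Unpacked files", and it scans proxy log lines for the two C2 URLs from the Vidar configuration extraction, normalising scheme, host case, trailing slash and query string so that a logged request still matches the URL as the malware stores it. The function names and the Squid-style log lines in SAMPLE_PROXY_LOG are assumptions made for the example; the log lines are constructed, not real telemetry.

```python
"""Added example: check a file against this entry's published hashes and
look for the extracted C2 URLs in proxy logs.  Not MalwareBazaar's code;
the log lines below are constructed, not real telemetry."""
import hashlib
import re
import sys
from urllib.parse import urlsplit

# Digests as published on the entry: the packed sample and the unpacked payload.
ENTRY_HASHES = {
    "sample": {
        "sha256": "5ff9402242153efd2dae7f24a0307d7d1d7169fad524e7d3ae199e5e078f6f37",
        "sha3_384": "6bc3928a6602ad3bd95933d411b06447be1a663e10c93f00e34dd2b8a2bab7a"
                    "217eb4611f7dc6bec0c12dccf7d9c33a7",
        "sha1": "f2cebb8b286164ee134f8eb27da69f79be4076f1",
        "md5": "6ff1e024abca59d664e3513fbd1c6a0d",
    },
    "unpacked": {
        "sha256": "cbdb563851966743a24fbd9a60b00f4f81d3c01f1b9081a5fa18cf539e2616dd",
        "sha1": "c964845de5b550d1f17e9c28278e39d548b0fa7d",
        "md5": "f3e0ae7fed8fdd3c340f26b82776857c",
    },
}

# C2 URLs from the Vidar configuration extraction on this entry.
C2_URLS = [
    "https://t.me/headshotsonly",
    "https://steamcommunity.com/profiles/76561199436777531",
]


def digests(data: bytes) -> dict:
    """Compute the digest types MalwareBazaar publishes, keyed as in ENTRY_HASHES."""
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha3_384": hashlib.sha3_384(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "md5": hashlib.md5(data).hexdigest(),
    }


def mismatches(data: bytes, label: str) -> list:
    """Return (algorithm, expected, actual) for each published digest of
    ENTRY_HASHES[label] that `data` fails to reproduce; [] means a full match."""
    got = digests(data)
    return [(alg, exp, got[alg]) for alg, exp in ENTRY_HASHES[label].items()
            if got[alg] != exp]


def identify(data: bytes):
    """Return 'sample', 'unpacked' or None.  Every published digest has to
    agree; matching on MD5 or SHA1 alone would accept a collided file."""
    for label in ENTRY_HASHES:
        if not mismatches(data, label):
            return label
    return None


def _canon(url: str) -> tuple:
    """Host (lower-cased) and path without trailing slash; scheme, query and
    fragment are dropped because proxies log them inconsistently."""
    parts = urlsplit(url.strip())
    return parts.netloc.lower(), parts.path.rstrip("/")


_C2_BY_KEY = {_canon(u): u for u in C2_URLS}
_URL_RE = re.compile(r"https?://[^\s\"']+")


def find_c2_hits(log_lines) -> list:
    """Return (line_index, c2_url) for every log line carrying a URL whose
    host and path equal one of the entry's C2 URLs."""
    hits = []
    for i, line in enumerate(log_lines):
        for m in _URL_RE.finditer(line):
            key = _canon(m.group(0))
            if key in _C2_BY_KEY:
                hits.append((i, _C2_BY_KEY[key]))
    return hits


# Constructed Squid-style access log lines (addresses from the 192.0.2.0/24
# documentation range).  The CONNECT line carries no URL, and the last line
# is a different Steam profile, so neither must match.
SAMPLE_PROXY_LOG = [
    "1669308600.123 120 192.0.2.10 TCP_TUNNEL/200 5120 CONNECT t.me:443 - HIER_DIRECT/192.0.2.200 -",
    "1669308601.456 88 192.0.2.10 TCP_MISS/200 6400 GET https://t.me/headshotsonly/ - HIER_DIRECT/192.0.2.200 text/html",
    "1669308602.789 90 192.0.2.10 TCP_MISS/200 9100 GET https://steamcommunity.com/profiles/76561199436777531?l=en - HIER_DIRECT/192.0.2.201 text/html",
    "1669308603.000 70 192.0.2.11 TCP_MISS/200 3000 GET https://steamcommunity.com/profiles/76561199000000000 - HIER_DIRECT/192.0.2.201 text/html",
]

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read()
        print(sys.argv[1], "->", identify(blob) or "no match for this entry")
    for idx, url in find_c2_hits(SAMPLE_PROXY_LOG):
        print(f"line {idx}: {url}")
```

Run it with the path of a downloaded sample as the first argument to learn whether the file is the packed binary or the unpacked payload; the hash comparison insists on every published digest so that a single-algorithm collision cannot pass as a match.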

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Signature: ArkeiStealer
File: Executable exe 5ff9402242153efd2dae7f24a0307d7d1d7169fad524e7d3ae199e5e078f6f37 (this sample)

Note on naming: the entry is filed under the ArkeiStealer signature while the sandbox and YARA results above identify Vidar. Vidar is derived from the Arkei stealer code base, so the two labels refer to the same family and the Vidar configuration extraction above applies to this sample.
