MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 62b2c989ddd3f2e81d616fc0e26e0fd1791ab938cdf34e73ba285f4cfc4cac7b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 62b2c989ddd3f2e81d616fc0e26e0fd1791ab938cdf34e73ba285f4cfc4cac7b
SHA3-384 hash: b0fa48caf902ddadd6420d0a326add6141403d9d68ed6a404e693e16afae1195d63c889353de9b8b6298f5b2f90d42bc
SHA1 hash: 66b2def3c0aa2e5e749183fc381fe24b200ba07f
MD5 hash: a99fe5b29e2e1e425bc304ee44c05b85
humanhash: mars-maine-triple-undress
File name:SecuriteInfo.com.Trojan.MSIL.Basic.8.Gen.15455.24280
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:808'960 bytes
First seen:2022-04-25 09:31:02 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:DpMAf998Dd+qVJjOqb1VRFZ6HHxO/AMlfeO4HdKF52SxMzo2lT+mrReLcH62brFQ:DpMBbATXteQFLKoLbM9SPYu/RRN
Threatray 898 similar samples on MalwareBazaar
TLSH T1D805CE537559DA04C5B87AF662609D8002A5AE8E80B1D6F95CB037B925F33C3FE107EE
TrID 49.6% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
21.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
8.9% (.SCR) Windows screen saver (13101/52/3)
7.1% (.EXE) Win64 Executable (generic) (10523/12/4)
4.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon 0f3375cccc61338f (15 x AgentTesla, 11 x Formbook, 6 x SnakeKeylogger)
Reporter SecuriteInfoCom
Tags:ArkeiStealer exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
243
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/266284/
Detection(s):
SecuriteInfo.com.Trojan.MSIL.Basic.8.Gen.15455.24280.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/62666a65de94014db625a32e/reports/bea28570-87c2-498b-98ab-dfb1b72dd56a/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Vidar
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1d650008-8f90-4aea-a904-c2dc7b269aa4
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/982300
Signature
Found evasive API chain (may stop execution after checking mutex)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 614785 Sample: SecuriteInfo.com.Trojan.MSI... Startdate: 25/04/2022 Architecture: WINDOWS Score: 100 47 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->47 49 Malicious sample detected (through community Yara rule) 2->49 51 Multi AV Scanner detection for submitted file 2->51 53 5 other signatures 2->53 8 SecuriteInfo.com.Trojan.MSIL.Basic.8.Gen.15455.exe 3 2->8         started        process3 file4 31 SecuriteInfo.com.T...8.Gen.15455.exe.log, ASCII 8->31 dropped 55 Writes to foreign memory regions 8->55 57 Injects a PE file into a foreign processes 8->57 12 vbc.exe 146 8->12         started        17 vbc.exe 8->17         started        signatures5 process6 dnsIp7 41 116.202.1.195, 49773, 80 HETZNER-ASDE Germany 12->41 43 t.me 149.154.167.99, 443, 49772 TELEGRAMRU United Kingdom 12->43 45 192.168.2.1 unknown unknown 12->45 33 C:\ProgramData\vcruntime140.dll, PE32 12->33 dropped 35 C:\ProgramData\softokn3.dll, PE32 12->35 dropped 37 C:\ProgramData\nss3.dll, PE32 12->37 dropped 39 3 other files (none is malicious) 12->39 dropped 59 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 12->59 61 Tries to harvest and steal browser information (history, passwords, etc) 12->61 63 Tries to steal Crypto Currency Wallets 12->63 19 cmd.exe 1 12->19         started        21 MpCmdRun.exe 1 12->21         started        65 Found evasive API chain (may stop execution after checking mutex) 17->65 67 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 17->67 file8 signatures9 process10 process11 23 taskkill.exe 1 19->23         started        25 conhost.exe 19->25         started        27 conhost.exe 19->27         started        29 timeout.exe 1 19->29         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/62b2c989ddd3f2e81d616fc0e26e0fd1791ab938cdf34e73ba285f4cfc4cac7b/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-04-25 07:25:34 UTC
File Type:
PE (.Net Exe)
Extracted files:
18
AV detection:
19 of 41 (46.34%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mkzmtco52pzoqhlbn7aoe3qp2f4rvojyzxzu4452fbpuz7cmvr5q._file
Verdict:
malicious
Similar samples:
06440b7c6c51686469c0acaf74959c82d045c48daa6c2ef369404e56f41d3c96
ArkeiStealer
258435af9b5281169b504c977c99f056047ad11a6473da4050e5ed96ac2fae96
ArkeiStealer
4798c1efb308026834b2325d0ce09334304208a0659cecdbbf5b023bf704f0e4
ArkeiStealer
49a53fb698c6608f315ec4176b93a2334e99cbcc3bb37fab5d3062bc390961f4
ArkeiStealer
88b3d6137dab7366119bd7c0e1939d2b63a5e7eb54f41fc443d6d9ea7e6d2113
ArkeiStealer
a6b250ec9613b293e9333e2410623c19e3e3544df34525a607dd0ecd36f138f6
ArkeiStealer
ab16df3a8883b6049c041dfb010de4ca1ff8ef1ff598c46b9395833b52f78f83
ArkeiStealer
c8c237f5b4d985add596774c36156c4fa9ee54d44ec544528c64b1c10bd163ea
ArkeiStealer
+ 888 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar botnet:1300 spyware stealer suricata
Link:
https://tria.ge/reports/220425-lg32qagadq/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Loads dropped DLL
Uses the VBS compiler for execution
Vidar Stealer
Vidar
suricata: ET MALWARE Vidar/Arkei/Megumin Stealer Keywords Retrieved
Malware Config
C2 Extraction:
https://t.me/mm20220428
https://koyu.space/@ronxik123
Unpacked files
SH256 hash:
7f6a7105151b4236710efa2ad37f84735d2373334eb3f3a010596abb1395c926
MD5 hash:
4275551a1f4866ac8e45d380cbd5b272
SHA1 hash:
d16079e1ed8aec8a3f0d805a71806c23c69af082
Link:
https://www.unpac.me/results/1f95f635-a077-4983-9d7b-d7d73f164cf3/
SH256 hash:
09cd3bc420c8982190990a9673b58c3ab01e933dff0881f1e521d3316f1b9a6b
MD5 hash:
6933707e111286a128ad0f7fa298153f
SHA1 hash:
d1121c8bed634e9684727e8c0aad3f597b0749ad
Link:
https://www.unpac.me/results/1f95f635-a077-4983-9d7b-d7d73f164cf3/
SH256 hash:
34c39e22cf1f26d6d4d081771bdf54455751a9ad8e49b8205c189fd335399667
MD5 hash:
c0dccf176a83e0cdcf722128d7bb2946
SHA1 hash:
7ebb980e21a3fa9e83f1f9494a3bbbc1742b71a6
Link:
https://www.unpac.me/results/1f95f635-a077-4983-9d7b-d7d73f164cf3/
SH256 hash:
96c8af977cd01543be08ce281178b7c3ae97f162eaca8bca702cd751e03ae3fa
MD5 hash:
50dda87107af8cfb1df69f86ec05dcb3
SHA1 hash:
6825bde85d35ec543a6ee1d21237e0476da2b90a
Link:
https://www.unpac.me/results/1f95f635-a077-4983-9d7b-d7d73f164cf3/
SH256 hash:
62b2c989ddd3f2e81d616fc0e26e0fd1791ab938cdf34e73ba285f4cfc4cac7b
MD5 hash:
a99fe5b29e2e1e425bc304ee44c05b85
SHA1 hash:
66b2def3c0aa2e5e749183fc381fe24b200ba07f
Link:
https://www.unpac.me/results/1f95f635-a077-4983-9d7b-d7d73f164cf3/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/62b2c989ddd3f2e81d616fc0e26e0fd1791ab938cdf34e73ba285f4cfc4cac7b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb2
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/266284/

Comments