MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6511d09ada2bc11a95c06bd20abb66f450b9b2a6ed1f00c723401884ce7a2e61. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6511d09ada2bc11a95c06bd20abb66f450b9b2a6ed1f00c723401884ce7a2e61
SHA3-384 hash: 9093b947a71903420af73e15a03196a237e0d082e69bc32758c705aa76deaadeb09e0c4e1b87d376d7cd0b322c453d7c
SHA1 hash: 85152244f96b8a76ece7a26ba1db4eded3715b80
MD5 hash: 494e03d339c4b84f71f0c122de940860
humanhash: berlin-south-six-alpha
File name:Setup.exe
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:3'999'744 bytes
First seen:2023-01-25 19:48:34 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash acbbb57a9e219cbd48d9ce15a64944ff (4 x RedLineStealer, 1 x RecordBreaker, 1 x RaccoonStealer)
ssdeep 98304:aVZ0gaAV265MWQT+VagEfsjjTNKBxeY19ICtHm:C3h2ChRogXjXNKBxemtHm
Threatray 1'581 similar samples on MalwareBazaar
TLSH T17F062373125120CAD0D9E9BD8637FE91B1F613BB8F46E8B5A7CE6AC429315E0D213943
TrID 43.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
22.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
9.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.0% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.2% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:ArkeiStealer exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
223
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
vidar
Create hunting rule
ID:
1
File name:
Setup.exe
Verdict:
Malicious activity
Analysis date:
2023-01-25 19:50:27 UTC
Tags:
trojan stealer vidar
Link:
https://app.any.run/tasks/86e79ef1-64d3-4dd8-b872-4b3922720f4d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/356822/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Sending a custom TCP request
Сreating synchronization primitives
DNS request
Sending an HTTP GET request
Creating a file
Reading critical registry keys
Using the Windows Management Instrumentation requests
Creating a window
Creating a process from a recently created file
Running batch commands
Creating a process with a hidden window
Stealing user critical data
Query of malicious DNS domain
Sending a TCP request to an infection source
Unauthorized injection to a recently created process
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/63059/overview
Behaviour
MalwareBazaar
Verdict:
No Threat
Threat level:
  2/10
Confidence:
67%
Tags:
anti-debug packed
Link:
https://www.filescan.io/uploads/63d187b1905a5ac3b908c60f/reports/12afeaad-2df2-4a20-b467-bbd43dc27470/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/bdbfe237-43ef-4746-aebe-b129073e70d3
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1159004
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to compare user and computer (likely to detect sandboxes)
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Snort IDS alert for network traffic
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 791756 Sample: Setup.exe Startdate: 25/01/2023 Architecture: WINDOWS Score: 100 55 Snort IDS alert for network traffic 2->55 57 Multi AV Scanner detection for domain / URL 2->57 59 Malicious sample detected (through community Yara rule) 2->59 61 10 other signatures 2->61 9 Setup.exe 1 2->9         started        process3 signatures4 71 Writes to foreign memory regions 9->71 73 Allocates memory in foreign processes 9->73 75 Tries to detect virtualization through RDTSC time measurements 9->75 77 Injects a PE file into a foreign processes 9->77 12 AppLaunch.exe 24 9->12         started        17 conhost.exe 9->17         started        process5 dnsIp6 49 95.217.16.127, 49715, 80 HETZNER-ASDE Germany 12->49 51 t.me 149.154.167.99, 443, 49714 TELEGRAMRU United Kingdom 12->51 53 dl.uploadgram.me 92.222.250.82, 443, 49716, 49717 OVHFR France 12->53 37 C:\Users\user\AppData\...\Starter[1].exe, PE32 12->37 dropped 39 C:\Users\user\AppData\...\635965506[1].exe, PE32+ 12->39 dropped 41 C:\ProgramData\92398908710653760371.exe, PE32+ 12->41 dropped 43 C:\ProgramData\68398609819664439000.exe, PE32 12->43 dropped 79 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 12->79 81 Tries to harvest and steal browser information (history, passwords, etc) 12->81 83 Tries to steal Crypto Currency Wallets 12->83 85 Contains functionality to compare user and computer (likely to detect sandboxes) 12->85 19 68398609819664439000.exe 2 12->19         started        22 92398908710653760371.exe 12->22         started        25 cmd.exe 1 12->25         started        file7 signatures8 process9 dnsIp10 63 Antivirus detection for dropped file 19->63 65 Multi AV Scanner detection for dropped file 19->65 67 Machine Learning detection for dropped file 19->67 45 youtube-ui.l.google.com 142.250.203.110, 443, 49718 GOOGLEUS United States 22->45 47 www.youtube.com 22->47 69 Tries to harvest and steal browser information (history, passwords, etc) 22->69 27 cmd.exe 1 22->27         started        29 conhost.exe 25->29         started        31 timeout.exe 1 25->31         started        signatures11 process12 process13 33 conhost.exe 27->33         started        35 choice.exe 1 27->35         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6511d09ada2bc11a95c06bd20abb66f450b9b2a6ed1f00c723401884ce7a2e61/
Threat name:
Win32.Infostealer.Bandra
Create hunting rule
Status:
Malicious
First seen:
2023-01-25 20:11:47 UTC
File Type:
PE (Exe)
AV detection:
15 of 26 (57.69%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mui5bgw2fparvfoanpjavo3g6riltmvg5upqbrzdiamijtt2fzqq._file
Verdict:
malicious
Label(s):
raccoon
Create hunting rule
Similar samples:
08f22af3870c81cf0f903d784abecd650003adfff360ff0529540091f277d057
ArkeiStealer
2e205ecc398903361efb69b5790716a47b76301e7b8ad3be506fbde96ee6ffe7
ArkeiStealer
4b1338eceb20e531dca686256b82a8aa56e75aeb4b53f54d08900dd75fc0b19f
ArkeiStealer
4c98097c2e234a8cb19327c9ddaa9b8c8669dd0f0a95fd71912282e6f0cf50d5
ArkeiStealer
6e3f1055521e01bd967f22fd68b48410342264b62cf7b7998a6686a2141d4d67
ArkeiStealer
6fac6114554675dba7ba82a4da7076333bdf4dab4786d6632e71ad64fb3bdb35
ArkeiStealer
7f305167fdb6ae8a3781cd257ddef222ee6803f44115d2e1a133f7da67d4eaa0
ArkeiStealer
8116aab7428774d74e15738db29842052c5f1a7c6bb4259026f75872c500b022
ArkeiStealer
b25c916108e990357c009d88c075fda55419b5a13da0a3b2dc5643b607bb6b0e
ArkeiStealer
+ 1'571 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar botnet:408 spyware stealer
Link:
https://tria.ge/reports/230125-yjnq2aae28/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Vidar
Malware Config
C2 Extraction:
https://t.me/litlebey
https://steamcommunity.com/profiles/76561199472399815
Unpacked files
SH256 hash:
e4fc49a69acc4f68928dbd318dd6925a3a272d806c5ef9605912bc36a1986d8c
MD5 hash:
9eec15c6ec72ce7654576cec89d56d84
SHA1 hash:
e9b4e93ecef89846976a36e5d1f1c2400b878904
Link:
https://www.unpac.me/results/3604bafe-5ff1-4717-bcf8-a16fc73db35f/
SH256 hash:
355f6154977c09c1f981725dbda814ffdfe73e7f56514df8e5e8bd1adba9a137
MD5 hash:
9b5cc18d170545ff7634e54c0c072e55
SHA1 hash:
30b04b5858a4ec295148bb1a175ec617d119256a
Link:
https://www.unpac.me/results/3604bafe-5ff1-4717-bcf8-a16fc73db35f/
SH256 hash:
6511d09ada2bc11a95c06bd20abb66f450b9b2a6ed1f00c723401884ce7a2e61
MD5 hash:
494e03d339c4b84f71f0c122de940860
SHA1 hash:
85152244f96b8a76ece7a26ba1db4eded3715b80
Link:
https://www.unpac.me/results/3604bafe-5ff1-4717-bcf8-a16fc73db35f/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6511d09ada2b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.37
Link:
https://yomi.yoroi.company/submissions/6511d09ada2bc11a95c06bd20abb66f450b9b2a6ed1f00c723401884ce7a2e61

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AppLaunch
Create hunting rule
Author:iam-py-test
Description:Detect files referencing .Net AppLaunch.exe
Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:Telegram_Links
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/356822/

Comments