MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 676ba4f2375a2e7c7dcd4949090db27254ddf06d5d8dc6ef88072ebef8a97784. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ArkeiStealer

Vendor detections: 7

Intelligence 7 IOCs YARA File information Comments

SHA256 hash:	676ba4f2375a2e7c7dcd4949090db27254ddf06d5d8dc6ef88072ebef8a97784
SHA3-384 hash:	3351cb67a9e63ad41511e9364653f243f6bfcd62a96a7a8c8de86a3cfcb44805e54e89a8f5e9f16cd7bd35256f0586f7
SHA1 hash:	5225130296a214dcd4b3b1c68e2fdc7f4c89cef4
MD5 hash:	88eed5fa37d62e09fbac197f93b328bf
humanhash:	ink-lactose-victor-rugby
File name:	Order100382323.xll
Download:	download sample
Signature	ArkeiStealer Create hunting rule
File size:	683'520 bytes
First seen:	2022-03-04 19:30:32 UTC
Last seen:	Never
File type:	xll
MIME type:	application/x-dosexec
imphash	a31761b5a590c4c499d5f4a347d75c12 (23 x Formbook, 17 x AgentTesla, 6 x RedLineStealer)
ssdeep	12288:Yn/zDvGHAykHSzLW/4+8bzbBSreMdIxgFK/UqW53ZJ:azbGHAzHAjX1TcL9
Threatray	79 similar samples on MalwareBazaar
TLSH	T1D5E4AE5BF7C7FAB0E6BE867A82B1851C527774520360A78F664072896D23392493DF0F
Reporter	abuse_ch
Tags:	ArkeiStealer xll

Intelligence

File Origin

# of uploads :

1

# of downloads :

314

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Artemis4EBC548DF517.17970.15145.UNOFFICIAL

Result

Verdict:

Malicious

File Type:

Office Add-Ins - Suspicious

Link:

https://app.docguard.net/676ba4f2375a2e7c7dcd4949090db27254ddf06d5d8dc6ef88072ebef8a97784/results/dashboard

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/676ba4f2375a2e7c7dcd4949090db27254ddf06d5d8dc6ef88072ebef8a97784/

Threat name:

Win64.Trojan.Generic

Status:

Suspicious

First seen:

2022-03-04 19:31:09 UTC

File Type:

PE+ (Dll)

Extracted files:

2

AV detection:

11 of 27 (40.74%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=m5v2j4rxlixhy7onjfeqsdnsojkn34dnlwg4n34ia4xl56fjo6ca._file

Verdict:

unknown

Similar samples:

1c7e66126306537a453d7a792978464aa8ad5ac2f34bd1fccfffe7e0b9c6d85c

1cbc8581430d4a524a0805f30ce5368340fc943635c76de083527446508027b1

2f617a71f3eaab15248aa9a964c464e71d8ec784417e79c38b5951ddfa39c2de

30980176792fc176767dfd338ef7fd0b73f04b66cd63e1e3b0bbf485bc064ed4

b2991de24bb7a821f3baf980d08ce4bb3d6bd851fefe846147a563340d398d73

b99ee6d1625f7b0c9685c3bb49173c4425e39fbfe6a1a4eb6faf039b1ecbbfb8

ce5c54ac577153e15fb793c022b54fb473752b876525111d6aac97369e72e85e

e0a8a096299e8b28d1166af3321045635294e03227d45515f5c48f4fd38e943b

e8ec7dcf12edf07c6099157c32557f41ebd74ddee6b125d1e34dcc4259dc10a7

fc80f7f615d4130160c30ec1c8e4cd885a7f42978ead2509cfdd350ad3547882

+ 69 additional samples on MalwareBazaar

Result

Malware family:

vidar

Score:

10/10

Tags:

family:vidar botnet:770 discovery spyware stealer suricata

Link:

https://tria.ge/reports/220304-x8dfxshdck/

Behaviour

Checks processor information in registry

Delays execution with timeout.exe

Enumerates system info in registry

Kills process with taskkill

Modifies Internet Explorer settings

Modifies registry class

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Accesses 2FA software files, possible credential harvesting

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Checks computer location settings

Loads dropped DLL

Reads user/profile data of web browsers

Downloads MZ/PE file

Executes dropped EXE

Vidar Stealer

Vidar

suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/676ba4f2375a2e7c7dcd4949090db27254ddf06d5d8dc6ef88072ebef8a97784

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample