MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6b209f87abd2ba2ac812bce1ab1c9738b2ca93626bbd6cac56de7a6dcbaa49b7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 17


Intelligence 17 IOCs YARA 7 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6b209f87abd2ba2ac812bce1ab1c9738b2ca93626bbd6cac56de7a6dcbaa49b7
SHA3-384 hash: 9b7ee39ff8509c6125bf4ea51afef8b9d0389f4a025711b1f543d7945f20a7d7317a6cba08f41f037ff51a4847ceec16
SHA1 hash: cdfa5086679aa2c64cab05c6c9eb7e61189bc040
MD5 hash: 9a9385a7d86a94281327c8c1a9f2305d
humanhash: robert-november-november-ack
File name:9a9385a7d86a94281327c8c1a9f2305d
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:353'792 bytes
First seen:2023-06-26 15:21:17 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash efaf82812fcbfbe92dea95a0b4ee6ab0 (2 x GCleaner, 1 x ArkeiStealer)
ssdeep 6144:4UlJCncdRDmHJRGu3u0dp24DY1Ovpe+pf:4yJlTmpRv3FdI4DjvpeU
Threatray 4 similar samples on MalwareBazaar
TLSH T18E74C0136390BC60ED264A724E9EC7E8FF1EB5604F59ABA723148A1B85711F2F573311
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 8490a0a890c0d000 (1 x ArkeiStealer)
Reporter zbetcheckin
Tags:32 ArkeiStealer exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
332
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
arkei
Create hunting rule
ID:
1
File name:
9a9385a7d86a94281327c8c1a9f2305d
Verdict:
Malicious activity
Analysis date:
2023-06-26 15:24:17 UTC
Tags:
stealer arkei vidar
Link:
https://app.any.run/tasks/f3c56627-05a3-489d-b8dd-47b76ef2706c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Vidar
Create hunting rule
Link:
https://www.capesandbox.com/analysis/403035/
Detection(s):
Win.Packer.pkr_ce1a-9980177-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Reading critical registry keys
Using the Windows Management Instrumentation requests
Creating a window
Running batch commands
Creating a process with a hidden window
Launching a process
Launching the default Windows debugger (dwwin.exe)
Stealing user critical data
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/92769/overview
Behaviour
MalwareBazaar
MeasuringTime
CPUID_Instruction
SystemUptime
EvasionGetTickCount
CheckCmdLine
EvasionQueryPerformanceCounter
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/6499ad1b54672ac65f4ca332/reports/8ad75e76-a659-4b81-b876-94fb23d5b9fe/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/6b209f87abd2ba2ac812bce1ab1c9738b2ca93626bbd6cac56de7a6dcbaa49b7
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c666182d-28e7-4e92-a8e7-3d260a89b10f
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1261553
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Searches for specific processes (likely to inject)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6b209f87abd2ba2ac812bce1ab1c9738b2ca93626bbd6cac56de7a6dcbaa49b7/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-06-26 15:22:07 UTC
File Type:
PE (Exe)
Extracted files:
28
AV detection:
22 of 24 (91.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nmqj7b5l2k5cvsasxtq2whexhczmve3cno6wzlcw3z5g3s5kjg3q._file
Verdict:
malicious
Similar samples:
0a0c50dbc5d0c9811bfd0552ddd075e0e1df2cf07049cc546e41f9bf08cb8290
ArkeiStealer
14c5bb6b23366c33724f1d82856c896c5017eff511b89ba4972f7de02dd46ad8
ArkeiStealer
213fc92be3a96e923f827e1547245810d5b3bebed2bb7cf8b6105b4441e2771a
ArkeiStealer
7ecadf75743a37fed7bb735987a9bfde27d185087b2b65acfe78854742ebd71b
ArkeiStealer
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar botnet:e05ec6eedc8e5b4e9a499c750306ff2a discovery spyware stealer
Link:
https://tria.ge/reports/230626-srwtqabb51/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks computer location settings
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Vidar
Malware Config
C2 Extraction:
https://steamcommunity.com/profiles/76561199520592470
https://t.me/motafan
Unpacked files
SH256 hash:
b207d230e4b63dba0a34d800407d89585a062c02c5c31286aa295f69043350c2
MD5 hash:
fc1ba0544b94b6e6f1188ac272048973
SHA1 hash:
dc2676ed2814ee4f1c353e9e9661f5db6f6c4330
Link:
https://www.unpac.me/results/8ccfc1ef-7d42-41d1-89bb-c3532dd269ae/
SH256 hash:
070ea7b935376a904bd02c2edd002a47b950a7dd308e162a2c36d8e4a384f843
MD5 hash:
b840c9f632637175e4019b3f2c4f9386
SHA1 hash:
d0f9957fa99569d4cc2957e0de96f86f6b235426
Detections:
VidarStealer
Create hunting rule
VidarStealer
Create hunting rule
Link:
https://www.unpac.me/results/8ccfc1ef-7d42-41d1-89bb-c3532dd269ae/
SH256 hash:
b207d230e4b63dba0a34d800407d89585a062c02c5c31286aa295f69043350c2
MD5 hash:
fc1ba0544b94b6e6f1188ac272048973
SHA1 hash:
dc2676ed2814ee4f1c353e9e9661f5db6f6c4330
Link:
https://www.unpac.me/results/8ccfc1ef-7d42-41d1-89bb-c3532dd269ae/
SH256 hash:
070ea7b935376a904bd02c2edd002a47b950a7dd308e162a2c36d8e4a384f843
MD5 hash:
b840c9f632637175e4019b3f2c4f9386
SHA1 hash:
d0f9957fa99569d4cc2957e0de96f86f6b235426
Detections:
VidarStealer
Create hunting rule
VidarStealer
Create hunting rule
Link:
https://www.unpac.me/results/8ccfc1ef-7d42-41d1-89bb-c3532dd269ae/
SH256 hash:
6b209f87abd2ba2ac812bce1ab1c9738b2ca93626bbd6cac56de7a6dcbaa49b7
MD5 hash:
9a9385a7d86a94281327c8c1a9f2305d
SHA1 hash:
cdfa5086679aa2c64cab05c6c9eb7e61189bc040
Link:
https://www.unpac.me/results/8ccfc1ef-7d42-41d1-89bb-c3532dd269ae/
Malware family:
Vidar.A
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6b209f87abd2/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6b209f87abd2ba2ac812bce1ab1c9738b2ca93626bbd6cac56de7a6dcbaa49b7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:has_telegram_urls
Create hunting rule
Author:Aaron DeVera<aaron@backchannel.re>
Description:Detects Telegram URLs
Rule name:INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
Author:ditekSHen
Description:Detects Windows executables referencing non-Windows User-Agents
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Telegram_Links
Create hunting rule
Rule name:Vidar
Create hunting rule
Author:kevoreilly,rony
Description:Vidar Payload
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security
Rule name:win_vidar
Create hunting rule
Author:Matthew @ Embee_Research
Description:Detection of Vidar Stealer and Variants via strings present in final unpacked payloads

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ArkeiStealer

Executable exe 6b209f87abd2ba2ac812bce1ab1c9738b2ca93626bbd6cac56de7a6dcbaa49b7

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/403035/
  
URLhaus
https://urlhaus.abuse.ch/url/2672124/

Comments


Avatar
zbet commented on 2023-06-26 15:21:17 UTC

url : hxxp://nuws2bz.top/build.exe