MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6e1b586d59bda966bb6ebd2b75ba8f58310dfd619920fd6cb4ba794bbd52847c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 12


Intelligence 12 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6e1b586d59bda966bb6ebd2b75ba8f58310dfd619920fd6cb4ba794bbd52847c
SHA3-384 hash: 985d208a95511cb2d257b9f822a54d77d7436f927c21abd3d883ef3707bc939a6a9d5972960b4c143d4e901d0401aa69
SHA1 hash: b97ab6bb14228ea4f3b5f8bfca4d58400b9cc17c
MD5 hash: 29f7e1b86fed5fca5ab285a50a6f1aa2
humanhash: johnny-hawaii-mexico-comet
File name:29f7e1b86fed5fca5ab285a50a6f1aa2.exe
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:761'856 bytes
First seen:2021-10-03 16:30:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e1dc734f9d3fd8ffe237c21274508ba5 (4 x RedLineStealer, 2 x RaccoonStealer, 2 x ArkeiStealer)
ssdeep 12288:SSsEVSIbV/8rrw0xi8sE8XyxN6tMcKe3KtfPTsXeX6kdO5J6PTOgbvL6+zxF6L:SSXHbZb0xi8GXyxotUe3KBzOX6L7vJLu
Threatray 3'098 similar samples on MalwareBazaar
TLSH T11EF401693182CFF2D9B541F16715C7F05A6EB8699E16A5CF7B88371E3E3C3828621381
File icon (PE):PE icon
dhash icon fcfcd4d4d4d4d8c0 (75 x RedLineStealer, 56 x RaccoonStealer, 23 x Smoke Loader)
Reporter abuse_ch
Tags:ArkeiStealer exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
143
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
29f7e1b86fed5fca5ab285a50a6f1aa2.exe
Verdict:
Malicious activity
Analysis date:
2021-10-03 16:34:02 UTC
Tags:
trojan stealer vidar loader
Link:
https://app.any.run/tasks/f410a6f4-7db1-406c-849c-c39cbf6805c9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Vidar
Create hunting rule
Link:
https://www.capesandbox.com/analysis/194368/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Connection attempt to an infection source
Sending a TCP request to an infection source
Launching the default Windows debugger (dwwin.exe)
Query of malicious DNS domain
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/615c2f0be3d213d202b773bc/reports/58a96f98-fc41-4cd0-bf64-5d3ff1e92fb5/overview
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/af6f1dca-55a6-4460-ab40-44a65c86bc66
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/863466
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Self deletion via cmd delete
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Vidar
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6e1b586d59bda966bb6ebd2b75ba8f58310dfd619920fd6cb4ba794bbd52847c/
Threat name:
Win32.Trojan.Fragtor
Create hunting rule
Status:
Malicious
First seen:
2021-10-03 16:31:12 UTC
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=nynvq3kzxwuwno3oxuvxlouplayq37lbteqp23fuxj4uxpksqr6a._file
Verdict:
malicious
Similar samples:
1456d9462193175d2b69ad50033a0ec84017e6188e73dfe552b67c823c87517c
ArkeiStealer
8f090d61931e9920773909d24d27317f5196c1b289f85267a2596859b0db9058
ArkeiStealer
9597dff9a745795cdb8000b55fb5a9555a31e1a503a91685b79a13810f0b9b05
ArkeiStealer
b50c7130579836db25bf5264f66b21f4d182ec753ae19fb0a52b33f7ef36dfd4
ArkeiStealer
bb826a7e963a520ca0db23551c77c508b682d3e691b23a627e091785247b841c
ArkeiStealer
bcc3a9c9a5b24ccca39b031a255785c80089858197dde7862fd856ae626eefda
ArkeiStealer
c625e0872eb2819660ca4866d6baf587f81312e0cd99e5c1c5e22b009f2e2e7f
ArkeiStealer
da129a056ae920abf92d21a2515c5df006328cc1ba0722b9591eddb0bf253cd9
ArkeiStealer
e072492dcc4f1e70747035ea074f916cb2bcc64424960600c6a160ee2917f150
ArkeiStealer
f4f19c35849214c2b38d32f40819c1ac1756171d18b4e83e2d738a61248d2cc6
ArkeiStealer
+ 3'088 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar botnet:1008 discovery spyware stealer
Link:
https://tria.ge/reports/211003-t1c9eafeb5/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Vidar Stealer
Vidar
Malware Config
C2 Extraction:
https://mas.to/@bardak1ho
Unpacked files
SH256 hash:
3a36485d09c10d881a8a5992c6f293b8239c4da81f3b31927581bbf17b964f9c
MD5 hash:
b55a872097578a66aef4edaddf9af33b
SHA1 hash:
9a05ed83a367e4cffe6de255a43fbafc80154abd
Link:
https://www.unpac.me/results/49c8de7b-2f9c-42f5-b29c-290c9ee16e24/
SH256 hash:
6e1b586d59bda966bb6ebd2b75ba8f58310dfd619920fd6cb4ba794bbd52847c
MD5 hash:
29f7e1b86fed5fca5ab285a50a6f1aa2
SHA1 hash:
b97ab6bb14228ea4f3b5f8bfca4d58400b9cc17c
Link:
https://www.unpac.me/results/49c8de7b-2f9c-42f5-b29c-290c9ee16e24/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/6e1b586d59bd/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6e1b586d59bda966bb6ebd2b75ba8f58310dfd619920fd6cb4ba794bbd52847c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:adonunix2
Create hunting rule
Author:Tim Brown @timb_machine
Description:AD on UNIX
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation
Create hunting rule
Author:ditekSHen
Description:Detects executables containing potential Windows Defender anti-emulation checks
Rule name:MALWARE_Win_Vidar
Create hunting rule
Author:ditekSHen
Description:Detects Vidar / ArkeiStealer
Rule name:Vidar
Create hunting rule
Author:kevoreilly
Description:Vidar Payload

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ArkeiStealer

Executable exe 6e1b586d59bda966bb6ebd2b75ba8f58310dfd619920fd6cb4ba794bbd52847c

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1584973/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1586513/
Cape
Cape
https://www.capesandbox.com/analysis/194368/

Comments