MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6e6061cd2d846e6be7058e35b0dab7f0513038a410a367be304e2e71c0bfb427. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 16


Intelligence 16 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6e6061cd2d846e6be7058e35b0dab7f0513038a410a367be304e2e71c0bfb427
SHA3-384 hash: 2dcf1524d585a87a1dcfe77cf8d7975fdb47d51e7e27a6fdf26a4c408ece3d10553ccfb95af8c025ae3527b9e7a57bc9
SHA1 hash: a04fd6e89eba5810017bf68c3a6842111ecdaf0e
MD5 hash: fb889bafcc6f226f1e7bfbaec1ae856a
humanhash: autumn-lactose-nebraska-sodium
File name:fb889bafcc6f226f1e7bfbaec1ae856a.exe
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:458'240 bytes
First seen:2023-05-11 18:37:19 UTC
Last seen:2023-05-13 22:51:10 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 6847c4a23533c8db62ddf8eb8d214ba0 (2 x UACModuleSmokeLoader, 2 x Amadey, 1 x DanaBot)
ssdeep 6144:pD7/QKxssbBpImZWE0l5u+EgOBOMxe2H32jrlhQgnC:t7/TxRbBODn5uggE2GHlhQg
Threatray 23 similar samples on MalwareBazaar
TLSH T1F5A47D0362D17C64E6275A728E1EC2F8765EF9518F6D77AF2218EB1F04B21A2C172F11
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 0010100601110000 (1 x ArkeiStealer)
Reporter abuse_ch
Tags:ArkeiStealer exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
262
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
smoke
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-05-10 10:53:49 UTC
Tags:
loader smoke trojan amadey ransomware stop stealer vidar arkei miner
Link:
https://app.any.run/tasks/e685b5b3-cb51-4363-a455-252e259ca43e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Vidar
Create hunting rule
Link:
https://www.capesandbox.com/analysis/388496/
Detection(s):
Win.Packed.Trojanx-10001393-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Reading critical registry keys
Using the Windows Management Instrumentation requests
Stealing user critical data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/645d360a8723e91f5525a30d/reports/84a91fa1-739c-4930-8522-49577b6596f3/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/6e6061cd2d846e6be7058e35b0dab7f0513038a410a367be304e2e71c0bfb427
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d76a6951-9b25-4a7e-8ad7-b290e0564904
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1231042
Signature
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6e6061cd2d846e6be7058e35b0dab7f0513038a410a367be304e2e71c0bfb427/
Threat name:
Win32.Trojan.Smokeloader
Create hunting rule
Status:
Malicious
First seen:
2023-05-10 14:26:12 UTC
File Type:
PE (Exe)
Extracted files:
72
AV detection:
22 of 24 (91.67%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=nzqgdtjnqrxgxzyfry23bwvx6bitaofeccrwpprqjyxhdqf7wqtq._file
Verdict:
malicious
Similar samples:
04e61761f74029f6ba456910866ad2011b9780cbf036a1dd7b050605f98ff7ab
ArkeiStealer
0da9becd4c6f6af2eb648a057cefb53d17cb2f468503a77d49d5e5f63d16d30c
ArkeiStealer
13eb578533117f116142d75633ad3f5fcd8366a145da5e60754139fefd495e98
ArkeiStealer
2068c94f118c1921f4333d97935e35ce175803820c44444277563fe0f82398fb
ArkeiStealer
331952066aee8437403773b213a4b7ebee56e905929e86432c4a7623f05ac79a
ArkeiStealer
7f5027cce0e8aa45f9a86b13328ce878fd640137449638ea0bc28be155e311ad
ArkeiStealer
810be76ae3ecc5ab7f019f91979ac9ebf76ed220a7b42c2254a21ec660f8289f
ArkeiStealer
afd33d4aa80a47b1cf9bb0ea15ba7cedee6dbd453aca2c7bce5fa59d04143363
ArkeiStealer
e0c350a16bb3fec4d9306d413e93241c733412f14cbdc9a4e95e9f973aa1bcff
ArkeiStealer
ee5e1cf8922e2c866beb155a2227d47e98bf31e35507ee135a7c8b1f9a3413ba
ArkeiStealer
+ 13 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar botnet:ef32d425b907146eeb9090dbc9455ab1 discovery spyware stealer
Link:
https://tria.ge/reports/230511-w92dpsbg91/
Behaviour
Checks processor information in registry
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Vidar
Malware Config
C2 Extraction:
https://steamcommunity.com/profiles/76561198272578552
https://t.me/libpcre
Unpacked files
SH256 hash:
cd97797b005217f4c1dcb4b792797328c26910cca9a6b3152db389662303e75b
MD5 hash:
ce75c60cee732a528504e1543d3d3a3f
SHA1 hash:
61db72c6fe7e8afd7ac4279bc656ce044a511e76
Detections:
VidarStealer
Create hunting rule
Link:
https://www.unpac.me/results/067683be-cf84-41c4-872d-ac9af5fa11d5/
SH256 hash:
6e6061cd2d846e6be7058e35b0dab7f0513038a410a367be304e2e71c0bfb427
MD5 hash:
fb889bafcc6f226f1e7bfbaec1ae856a
SHA1 hash:
a04fd6e89eba5810017bf68c3a6842111ecdaf0e
Link:
https://www.unpac.me/results/067683be-cf84-41c4-872d-ac9af5fa11d5/
Malware family:
Vidar.A
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6e6061cd2d84/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6e6061cd2d846e6be7058e35b0dab7f0513038a410a367be304e2e71c0bfb427

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:has_telegram_urls
Create hunting rule
Author:Aaron DeVera<aaron@backchannel.re>
Description:Detects Telegram URLs
Rule name:Telegram_Links
Create hunting rule
Rule name:Vidar
Create hunting rule
Author:kevoreilly,rony
Description:Vidar Payload

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ArkeiStealer

Executable exe 6e6061cd2d846e6be7058e35b0dab7f0513038a410a367be304e2e71c0bfb427

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2615177/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/388496/

Comments