MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6e92fd899d267ad5afe11d7dc817fb3db47b5518ee060dc336130eb40e2ebddb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6e92fd899d267ad5afe11d7dc817fb3db47b5518ee060dc336130eb40e2ebddb
SHA3-384 hash: d5290f73fd60a75f4f681f635ef30fce7b9e19d60d9f057e01c0c456f3ca187273561302d9bdf51fccc8ee80f092a077
SHA1 hash: 5e2e8155017152c31369008dd39a27e330ce3a63
MD5 hash: 2ba4c00c7d648e0fbda6a337f0ac4207
humanhash: nineteen-earth-one-tango
File name:2ba4c00c7d648e0fbda6a337f0ac4207.exe
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:740'864 bytes
First seen:2021-10-04 05:28:38 UTC
Last seen:2021-10-04 06:52:31 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash d33805713bf84c5172011e6ee58dcc60 (6 x RedLineStealer, 2 x ArkeiStealer, 2 x RaccoonStealer)
ssdeep 12288:dUYN+OMbL0j7RR41iqN19lDzrJG6PTi9nQOrzFEBvo2zxp6L:dUfnbL041iqNjlDXVG9nnfP636L
Threatray 3'103 similar samples on MalwareBazaar
TLSH T1DAF4014A38C6F7F2E6F20371BB16C3F44A2CB859591A524F639B275E5E3C3C25A25312
File icon (PE):PE icon
dhash icon fcfcb4f4d4d4d8c0 (19 x RedLineStealer, 16 x RaccoonStealer, 14 x Smoke Loader)
Reporter abuse_ch
Tags:ArkeiStealer exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
157
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
2ba4c00c7d648e0fbda6a337f0ac4207.exe
Verdict:
Malicious activity
Analysis date:
2021-10-04 05:31:37 UTC
Tags:
trojan stealer vidar loader
Link:
https://app.any.run/tasks/195e078e-c7c1-4ccc-9a2b-052ce36bf841

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Vidar
Create hunting rule
Link:
https://www.capesandbox.com/analysis/194419/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Stealer.31055.25276.21314.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Connection attempt to an infection source
Sending a TCP request to an infection source
Launching the default Windows debugger (dwwin.exe)
Query of malicious DNS domain
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/bf018b59-6271-4625-b0df-0d94975c932f
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/863645
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Self deletion via cmd delete
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Vidar
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6e92fd899d267ad5afe11d7dc817fb3db47b5518ee060dc336130eb40e2ebddb/
Threat name:
Win32.Trojan.Sabsik
Create hunting rule
Status:
Malicious
First seen:
2021-10-03 17:30:53 UTC
AV detection:
25 of 45 (55.56%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=n2jp3cm5ez5nll7bdv64qf73hw2hwviy5yda3qzwcmhlidroxxnq._file
Verdict:
malicious
Similar samples:
1456d9462193175d2b69ad50033a0ec84017e6188e73dfe552b67c823c87517c
ArkeiStealer
8f090d61931e9920773909d24d27317f5196c1b289f85267a2596859b0db9058
ArkeiStealer
9597dff9a745795cdb8000b55fb5a9555a31e1a503a91685b79a13810f0b9b05
ArkeiStealer
b50c7130579836db25bf5264f66b21f4d182ec753ae19fb0a52b33f7ef36dfd4
ArkeiStealer
bcc3a9c9a5b24ccca39b031a255785c80089858197dde7862fd856ae626eefda
ArkeiStealer
c625e0872eb2819660ca4866d6baf587f81312e0cd99e5c1c5e22b009f2e2e7f
ArkeiStealer
da129a056ae920abf92d21a2515c5df006328cc1ba0722b9591eddb0bf253cd9
ArkeiStealer
e072492dcc4f1e70747035ea074f916cb2bcc64424960600c6a160ee2917f150
ArkeiStealer
f2edf69ca64bb435d61ded2c3ca210d1bd19952c19275b7bd65d0d707fedadaa
ArkeiStealer
f4f19c35849214c2b38d32f40819c1ac1756171d18b4e83e2d738a61248d2cc6
ArkeiStealer
+ 3'093 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar botnet:1008 discovery spyware stealer
Link:
https://tria.ge/reports/211004-f6knsafgh6/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Vidar Stealer
Vidar
Malware Config
C2 Extraction:
https://mas.to/@bardak1ho
Unpacked files
SH256 hash:
3a36485d09c10d881a8a5992c6f293b8239c4da81f3b31927581bbf17b964f9c
MD5 hash:
b55a872097578a66aef4edaddf9af33b
SHA1 hash:
9a05ed83a367e4cffe6de255a43fbafc80154abd
Link:
https://www.unpac.me/results/f130faa2-7125-4eea-84c0-d94bb3897d21/
SH256 hash:
6e92fd899d267ad5afe11d7dc817fb3db47b5518ee060dc336130eb40e2ebddb
MD5 hash:
2ba4c00c7d648e0fbda6a337f0ac4207
SHA1 hash:
5e2e8155017152c31369008dd39a27e330ce3a63
Link:
https://www.unpac.me/results/f130faa2-7125-4eea-84c0-d94bb3897d21/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/6e92fd899d26/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6e92fd899d267ad5afe11d7dc817fb3db47b5518ee060dc336130eb40e2ebddb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation
Create hunting rule
Author:ditekSHen
Description:Detects executables containing potential Windows Defender anti-emulation checks
Rule name:MALWARE_Win_Vidar
Create hunting rule
Author:ditekSHen
Description:Detects Vidar / ArkeiStealer
Rule name:Vidar
Create hunting rule
Author:kevoreilly
Description:Vidar Payload

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ArkeiStealer

Executable exe 6e92fd899d267ad5afe11d7dc817fb3db47b5518ee060dc336130eb40e2ebddb

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1586513/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1584973/
Cape
Cape
https://www.capesandbox.com/analysis/194419/

Comments