MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6eaa17442216edf6c184c03e3b7468922c1b6d59fbf419f811552e2e86e0bcfe. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6eaa17442216edf6c184c03e3b7468922c1b6d59fbf419f811552e2e86e0bcfe
SHA3-384 hash: f7ab0289699ab46d8a70dbf845c7474226fdd2558bb0f7cd3fa0c9c6de0cacdd4683cf8d75532cbd263fba6f2c98e557
SHA1 hash: b92e8db84095e64032683dcdece17b74a8710935
MD5 hash: 2c6a7dd531dca8b94a903922e97a20b9
humanhash: red-autumn-victor-hydrogen
File name:2c6a7dd531dca8b94a903922e97a20b9.exe
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:371'712 bytes
First seen:2022-11-26 15:32:41 UTC
Last seen:2022-11-28 16:30:29 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 750fa6f6324523d999e9ee554ca92aca (1 x ArkeiStealer, 1 x RedLineStealer)
ssdeep 6144:09YKQWhi9vfPLBmS84QZf4K+wywPIC9jurWDwgv+u1Kc:GTitHv84mfx+wypIqrWfQ
Threatray 1'139 similar samples on MalwareBazaar
TLSH T19284E103BBA531F9CC85E4B8ACB691E2C6FD4A5633D86058322E309B75375BCA79513C
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:ArkeiStealer exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
201
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
vidar
Create hunting rule
ID:
1
File name:
2c6a7dd531dca8b94a903922e97a20b9.exe
Verdict:
Malicious activity
Analysis date:
2022-11-26 15:35:44 UTC
Tags:
trojan stealer vidar
Link:
https://app.any.run/tasks/20ec5e97-c5fc-48b9-81ff-ac29f7c2547c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/338811/
Detection(s):
SecuriteInfo.com.Win32.CrypterX-gen.18016.4669.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Reading critical registry keys
Creating a window
Running batch commands
Creating a process with a hidden window
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/638231b324da1c12cfe1c0ec/reports/6f4ed585-acaa-4627-b6f0-13ec8187d24c/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/9fef1a3d-8064-4982-8334-bed86f8d0eeb
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1121634
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6eaa17442216edf6c184c03e3b7468922c1b6d59fbf419f811552e2e86e0bcfe/
Threat name:
Win32.Trojan.RedLine
Create hunting rule
Status:
Malicious
First seen:
2022-11-26 15:33:12 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
23 of 26 (88.46%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=n2vborbcc3w7nqmeya7dw5disiwbw3kz7p2bt6arkuxc5bxaxt7a._file
Verdict:
malicious
Similar samples:
08455b4a70ecb4f6ead66f078fd16257334d4afc6b72aaad13eb6617d7c1e1f6
ArkeiStealer
9cd59f476fd53c288245f63281a754b99d65d4198ffc5038e65a5285648d9dcd
ArkeiStealer
d7c42d1df0e957935b672b0633cf3dad39b5d8c85eec4631c62191915af02379
ArkeiStealer
dfe6df52d058c1a19169d2de00c781dc19cb829a95f0c0d533702063c2d002c6
ArkeiStealer
f0527a6ecbe7892f48f746fe60c054681852295c5a897402f09a47e74c617956
ArkeiStealer
+ 1'129 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar botnet:1686 spyware stealer
Link:
https://tria.ge/reports/221126-sy682aha5v/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Loads dropped DLL
Uses the VBS compiler for execution
Vidar
Malware Config
C2 Extraction:
https://t.me/headshotsonly
https://steamcommunity.com/profiles/76561199436777531
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/c4c73c57-8a84-4bbc-996a-a61a4612f972
Unpacked files
SH256 hash:
f375207f62f7cca72d811decf1ec77cde9eed83afa8e2513c523882ac24c0243
MD5 hash:
c3d90ead2b64ecec9fa1d75086832b97
SHA1 hash:
bcee2cebdb6a9641da82067821603e9e665a2549
Link:
https://www.unpac.me/results/9e7b903f-aeeb-4fa7-a27a-0852656b168c/
SH256 hash:
6eaa17442216edf6c184c03e3b7468922c1b6d59fbf419f811552e2e86e0bcfe
MD5 hash:
2c6a7dd531dca8b94a903922e97a20b9
SHA1 hash:
b92e8db84095e64032683dcdece17b74a8710935
Link:
https://www.unpac.me/results/9e7b903f-aeeb-4fa7-a27a-0852656b168c/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6eaa17442216/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6eaa17442216edf6c184c03e3b7468922c1b6d59fbf419f811552e2e86e0bcfe

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ArkeiStealer

Executable exe 6eaa17442216edf6c184c03e3b7468922c1b6d59fbf419f811552e2e86e0bcfe

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2432087/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/338811/

Comments