MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 704f8a3f1c2a4c9c7cff571df36398bb27d82930a1e0c7a29fd72074015ed75a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ArkeiStealer

Vendor detections: 11

Intelligence 11 IOCs 1 YARA File information Comments

SHA256 hash:	704f8a3f1c2a4c9c7cff571df36398bb27d82930a1e0c7a29fd72074015ed75a
SHA3-384 hash:	a6f96067606a450e6691c85210e3352544b323365d6dcda33eb9df4f29a15cd41f0e5eb491d38efcaebfca220cae57ce
SHA1 hash:	487b6ed96adbe65536eda1437bf09346430c5b70
MD5 hash:	b4f29d105544c66e44da1f01c8558014
humanhash:	juliet-lion-seven-solar
File name:	704f8a3f1c2a4c9c7cff571df36398bb27d82930a1e0c.exe
Download:	download sample
Signature	ArkeiStealer Create hunting rule
File size:	6'064'464 bytes
First seen:	2022-09-27 06:48:07 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	6c9b62aae6117060f9867b92d139b95e (9 x ArkeiStealer, 2 x Smoke Loader, 1 x RedLineStealer)
ssdeep	98304:caURnsjfaRQtKp8fm3iMGHucCpHwqQLLw:cznsjfE5dXHwqQH
TLSH	T16E56AF23B34A643EC06B1A3A4927D6D89C3F7F61791ACC4A6BF4194CCF355416E3A60B
TrID	61.8% (.EXE) Inno Setup installer (109740/4/30) 23.4% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9) 5.9% (.EXE) Win64 Executable (generic) (10523/12/4) 2.5% (.EXE) Win32 Executable (generic) (4505/5/1) 1.6% (.MZP) WinArchiver Mountable compressed Archive (3000/1)
File icon (PE):
dhash icon	e8b2b2aa694937e0 (1 x ArkeiStealer)
Reporter	abuse_ch
Tags:	ArkeiStealer exe

abuse_ch

ArkeiStealer C2:
http://213.170.133.36/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://213.170.133.36/	https://threatfox.abuse.ch/ioc/851840/

Intelligence

File Origin

# of uploads :

# of downloads :

262

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/313839/

Detection(s):

Win.Malware.Nymaim-9968234-0

PUA.Win.Adware.Dealply-6619245-0

PUA.Win.Adware.Dealply-6619266-0

Result

Verdict:

Clean

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a window

Searching for synchronization primitives

Delayed reading of the file

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/39416/overview

Behaviour

MalwareBazaar

CPUID_Instruction

LanguageCheck

CheckNumberOfProcessor

CheckCmdLine

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

cmd.exe fingerprint greyware keylogger overlay regasm.exe rundll32.exe

Link:

https://www.filescan.io/uploads/63329ce0665fcdb8807a2d22/reports/2b0493e7-ab59-45e0-8263-700660dc60be/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/1d870bd1-086c-4834-ad62-0bcfb11ef49a

Result

Threat name:

Vidar

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1078058

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/704f8a3f1c2a4c9c7cff571df36398bb27d82930a1e0c7a29fd72074015ed75a/

Threat name:

Win32.Spyware.Vidar

Status:

Malicious

First seen:

2022-09-24 23:54:59 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

14 of 40 (35.00%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=obhyupy4fjgjy7h7k4o7gy4yxmt5qkjquhqmpiu724qhiak625na._file

Verdict:

malicious

Result

Malware family:

vidar

Score:

10/10

Tags:

family:vidar botnet:1636 discovery spyware stealer

Link:

https://tria.ge/reports/220927-hlctjscgd8/

Behaviour

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses 2FA software files, possible credential harvesting

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Checks computer location settings

Loads dropped DLL

Reads user/profile data of web browsers

Executes dropped EXE

Vidar

Malware Config

C2 Extraction:

https://t.me/dghzq
https://t.me/zjsqpz
https://t.me/fqwexzq

Verdict:

Informative

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/144f2677-5b60-4908-8715-f7ea358eaa6b

Unpacked files

SH256 hash:

7068853103b2999b2850135721a430820c7d6547933a2dcb3f75135aecc3bd95

MD5 hash:

fd9378a8799014f0a0d37e3faaf38fde

SHA1 hash:

e6b80c8135f2a46a2828b530f649f5ce4d45c442

Detections:

win_vidar_auto

Link:

https://www.unpac.me/results/f7fe396e-0c23-4b52-afd0-56bf2bafb886/

Parent samples :

704f8a3f1c2a4c9c7cff571df36398bb27d82930a1e0c7a29fd72074015ed75a
190c83f974c9c37fee8f95cf82df2c20c2615662482ca42e373a74a439ac945d

SH256 hash:

f6ca8a05cff95a69b812d60bb66b7b262a509e06b44136ee2cc7ea58dbebeae1

MD5 hash:

4c543a3c34cdd41c71f7a98352f13609

SHA1 hash:

1f29c220f002a7bfe856794a0639e4d317c31d96

Link:

https://www.unpac.me/results/f7fe396e-0c23-4b52-afd0-56bf2bafb886/

SH256 hash:

704f8a3f1c2a4c9c7cff571df36398bb27d82930a1e0c7a29fd72074015ed75a

MD5 hash:

b4f29d105544c66e44da1f01c8558014

SHA1 hash:

487b6ed96adbe65536eda1437bf09346430c5b70

Link:

https://www.unpac.me/results/f7fe396e-0c23-4b52-afd0-56bf2bafb886/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/704f8a3f1c2a/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/704f8a3f1c2a4c9c7cff571df36398bb27d82930a1e0c7a29fd72074015ed75a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/313839/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample