MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 740f7721beb9b54af9948a8b6876547e298891984275c68ad0d2ef421feb0ef2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 12


Intelligence 12 IOCs YARA 11 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 740f7721beb9b54af9948a8b6876547e298891984275c68ad0d2ef421feb0ef2
SHA3-384 hash: 461b58c309a47a63bd6a43ec6bad2962bccc8fb6e4cee251f5f3958dbf52dc69ce669ac1ac20e28ad66a425cb58cfb0f
SHA1 hash: 68c7c9a49c519319aba55bf686f2388ee782208d
MD5 hash: ecb41ffa4f12fbe99b2a53141ec9f240
humanhash: stream-hamper-stairway-oregon
File name:ecb41ffa4f12fbe99b2a53141ec9f240.exe
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:4'093'717 bytes
First seen:2023-01-10 19:03:22 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 98304:x8vnvI2bIjGMWwAQ1cdLr3AG3cLMgs7T9/7AwCYyLb+P:Ung2QGMIxLEGMLMlx/7Zcv+P
Threatray 2'819 similar samples on MalwareBazaar
TLSH T1D71612F1EEF5BCF4E0084031B661653C26E75F28DEE8162AC6A7F01564726C276E8D1B
TrID 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon e04e4e4e4e4fcfce (2 x ArkeiStealer)
Reporter abuse_ch
Tags:ArkeiStealer exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
187
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
vidar
Create hunting rule
ID:
1
File name:
ecb41ffa4f12fbe99b2a53141ec9f240.exe
Verdict:
Malicious activity
Analysis date:
2023-01-10 19:13:15 UTC
Tags:
trojan stealer vidar
Link:
https://app.any.run/tasks/24ddedc0-93be-4cc1-b844-868875cd4b4e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/351657/
Detection(s):
SecuriteInfo.com.Gen.Variant.Razy.582340.18684.14597.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Sending an HTTP GET request
Launching a process
Creating a window
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
DNS request
Unauthorized injection to a recently created process
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
greyware overlay packed setupapi.dll shdocvw.dll shell32.dll
Link:
https://www.filescan.io/uploads/63bdb6a6a70bef46551e42fd/reports/1aedfa19-77f4-409e-9b92-f42c431c3846/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/18a1f994-3d31-43a1-829f-f99c172c89c4
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1149084
Signature
.NET source code contains potential unpacker
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Encrypted powershell cmdline option found
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sets debug register (to hijack the execution of another thread)
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Costura Assembly Loader
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 781818 Sample: vAsuMU4ap8.exe Startdate: 10/01/2023 Architecture: WINDOWS Score: 100 70 Multi AV Scanner detection for domain / URL 2->70 72 Malicious sample detected (through community Yara rule) 2->72 74 Antivirus detection for URL or domain 2->74 76 6 other signatures 2->76 10 vAsuMU4ap8.exe 13 2->10         started        13 rundll32.exe 2->13         started        process3 file4 46 C:\Users\user\AppData\...\sisterservice.exe, PE32+ 10->46 dropped 48 C:\Users\user\AppData\Local\...\bebra.exe, MS-DOS 10->48 dropped 15 sisterservice.exe 1 3 10->15         started        19 bebra.exe 10->19         started        process5 dnsIp6 50 C:\Users\user\AppData\...\aheaddecov.exe, PE32 15->50 dropped 62 Multi AV Scanner detection for dropped file 15->62 22 aheaddecov.exe 15 4 15->22         started        52 youtube-ui.l.google.com 142.250.184.110, 443, 49707 GOOGLEUS United States 19->52 54 www.youtube.com 19->54 64 Tries to harvest and steal browser information (history, passwords, etc) 19->64 66 Sets debug register (to hijack the execution of another thread) 19->66 68 Tries to evade debugger and weak emulator (self modifying code) 19->68 26 cmd.exe 1 19->26         started        file7 signatures8 process9 dnsIp10 56 atomm.com.br 108.167.151.39, 443, 49712 UNIFIEDLAYER-AS-1US United States 22->56 78 Antivirus detection for dropped file 22->78 80 Multi AV Scanner detection for dropped file 22->80 82 Encrypted powershell cmdline option found 22->82 84 Injects a PE file into a foreign processes 22->84 28 aheaddecov.exe 22->28         started        32 powershell.exe 16 22->32         started        34 conhost.exe 26->34         started        36 choice.exe 1 26->36         started        signatures11 process12 dnsIp13 58 142.132.168.13, 49716, 80 UNIVERSITYOFWINNIPEG-ASNCA Canada 28->58 60 t.me 149.154.167.99, 443, 49715 TELEGRAMRU United Kingdom 28->60 86 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 28->86 88 Tries to harvest and steal browser information (history, passwords, etc) 28->88 90 Tries to steal Crypto Currency Wallets 28->90 38 cmd.exe 28->38         started        40 conhost.exe 32->40         started        signatures14 process15 process16 42 conhost.exe 38->42         started        44 timeout.exe 38->44         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/740f7721beb9b54af9948a8b6876547e298891984275c68ad0d2ef421feb0ef2/
Threat name:
ByteCode-MSIL.Adware.RedCap
Create hunting rule
Status:
Malicious
First seen:
2023-01-10 19:04:59 UTC
File Type:
PE (Exe)
Extracted files:
32
AV detection:
21 of 26 (80.77%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=oqhxoin6xg2uv6murkfwq5supyuyremyij24ncwq2lxueh7lb3za._file
Verdict:
malicious
Similar samples:
01e1bbb9bb2c3e5ed68df65a2846faa611ec9bfcbf664e0abd5b72005502cac4
ArkeiStealer
2c35ee480e2ea480624011857326defe537063bb383824013a8f8a0b9182e3b1
ArkeiStealer
447ecfab4fe85b150463ef96240ae2690eae0534684af88a61b3e9fee459cd9c
ArkeiStealer
4c98097c2e234a8cb19327c9ddaa9b8c8669dd0f0a95fd71912282e6f0cf50d5
ArkeiStealer
a05b12806135be357756f9bfed4e77836f44919a56351a2aa127ae8eecf54c1c
ArkeiStealer
a14600c06ba898ae24152bfdc01c6c514007dec5d81d95161f5fdb3e6399adc0
ArkeiStealer
ab9aa981e24b6dbe183fff66d17e38fbb7ac1fa54fd1dbf3c4878c65ff18efa4
ArkeiStealer
c75b21d9f3189b648b2b83dae0fb48e49eb5458e8c3c5cfbdbcac460b43acc32
ArkeiStealer
d79a379ce1fcbe1e3548dfde37f6c2591f2ebf8de6c0d0db6f282933e529cf53
ArkeiStealer
+ 2'809 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar botnet:811 discovery persistence spyware stealer
Link:
https://tria.ge/reports/230110-xqx3lsch9y/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Checks processor information in registry
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Vidar
Malware Config
C2 Extraction:
https://t.me/travelticketshop
https://steamcommunity.com/profiles/76561199469016299
Verdict:
Informative
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/82088078-df9c-486b-9538-09fcee7abd49
Unpacked files
SH256 hash:
740f7721beb9b54af9948a8b6876547e298891984275c68ad0d2ef421feb0ef2
MD5 hash:
ecb41ffa4f12fbe99b2a53141ec9f240
SHA1 hash:
68c7c9a49c519319aba55bf686f2388ee782208d
Link:
https://www.unpac.me/results/836d46c1-af96-4edc-b0e3-cf2eaa409b26/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/740f7721beb9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/740f7721beb9b54af9948a8b6876547e298891984275c68ad0d2ef421feb0ef2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:Golangmalware
Create hunting rule
Author:Dhanunjaya
Description:Malware in Golang
Rule name:golang_binary_string
Create hunting rule
Description:Golang strings present
Rule name:go_binary
Create hunting rule
Rule name:HiveRansomware
Create hunting rule
Author:Dhanunjaya
Description:Yara Rule To Detect Hive V4 Ransomware
Rule name:identity_golang
Create hunting rule
Author:Eric Yocam
Description:find Golang malware
Rule name:malware_shellcode_hash
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect shellcode api hash value
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ArkeiStealer

Executable exe 740f7721beb9b54af9948a8b6876547e298891984275c68ad0d2ef421feb0ef2

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2502045/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2289584/
Cape
Cape
https://www.capesandbox.com/analysis/351657/

Comments