MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 755e0cf8d26a723b697ab65a8bcd4a5d2131e0971a3ac959310167a0cae1e622. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 755e0cf8d26a723b697ab65a8bcd4a5d2131e0971a3ac959310167a0cae1e622
SHA3-384 hash: 61a1ec405fa9ae50cba251fe32d4a6392f47bb7db97a648fdcb0f6b4646f3028d4b93df640270ab2b9bea76199501c87
SHA1 hash: 0102adeffa936f66cf1bcbb34d1794270668a8ec
MD5 hash: d98931d0f091bb718be7823941c58ab7
humanhash: cup-pennsylvania-sweet-blue
File name:library_1
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:640'000 bytes
First seen:2022-11-11 06:20:26 UTC
Last seen:2022-11-11 07:48:07 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b8b949414a1cbbc9af7d834ae8be805f (11 x RedLineStealer, 5 x RaccoonStealer, 4 x ArkeiStealer)
ssdeep 12288:K+HXuuiMofnO1V5+XdlA+Ff1frK/lGRgOUqmq9kR6lhKX6E5UsZLCjZn+Z3N:hHXubZ/O1Af1frK/cRgOnmq9g6XEm7Zu
Threatray 1'769 similar samples on MalwareBazaar
TLSH T144D43366B08BE207D586BB313265E16EE28E50E744C1AED4C1C5F7F5F8B86507C482BD
TrID 29.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
22.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
20.3% (.EXE) Win32 Executable (generic) (4505/5/1)
9.1% (.EXE) OS/2 Executable (generic) (2029/13)
9.0% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter JAMESWT_WT
Tags:ArkeiStealer exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
161
Origin country :
IT IT
Vendor Threat Intelligence
Malware family:
ficker
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2022-11-08 03:32:08 UTC
Tags:
installer evasion loader trojan ficker stealer vidar
Link:
https://app.any.run/tasks/5c25ed4c-1c1c-4916-8fbd-cbbb1570ae72

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/332278/
Detection(s):
PUA.Win.Packer.Asprotect-3
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Launching the default Windows debugger (dwwin.exe)
Creating a process with a hidden window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/636de9d237a53af3a7f55cfe/reports/f6921989-7ff3-4583-a848-b40037d21dc0/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4ea9e35f-213f-4523-ad4a-2297bafb6b71
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1111034
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
DLL side loading technique detected
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
PE file has nameless sections
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 743730 Sample: library_1.exe Startdate: 11/11/2022 Architecture: WINDOWS Score: 100 40 Malicious sample detected (through community Yara rule) 2->40 42 Antivirus detection for URL or domain 2->42 44 Antivirus / Scanner detection for submitted sample 2->44 46 6 other signatures 2->46 8 library_1.exe 1 2->8         started        process3 signatures4 48 Contains functionality to inject code into remote processes 8->48 50 Writes to foreign memory regions 8->50 52 Allocates memory in foreign processes 8->52 54 Injects a PE file into a foreign processes 8->54 11 AppLaunch.exe 20 8->11         started        16 WerFault.exe 23 9 8->16         started        18 WerFault.exe 8->18         started        20 conhost.exe 8->20         started        process5 dnsIp6 34 ioc.exchange 45.79.113.18, 443, 49722 LINODE-APLinodeLLCUS United States 11->34 36 t.me 149.154.167.99, 443, 49713 TELEGRAMRU United Kingdom 11->36 38 2 other IPs or domains 11->38 28 C:\ProgramData\sqlite3.dll, PE32 11->28 dropped 56 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 11->56 58 Tries to harvest and steal browser information (history, passwords, etc) 11->58 60 DLL side loading technique detected 11->60 62 Tries to steal Crypto Currency Wallets 11->62 22 cmd.exe 11->22         started        30 C:\ProgramData\Microsoft\...\Report.wer, Unicode 16->30 dropped 32 C:\ProgramData\Microsoft\...\Report.wer, Unicode 18->32 dropped file7 signatures8 process9 process10 24 conhost.exe 22->24         started        26 timeout.exe 22->26         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/755e0cf8d26a723b697ab65a8bcd4a5d2131e0971a3ac959310167a0cae1e622/
Threat name:
Win32.Trojan.RedLine
Create hunting rule
Status:
Malicious
First seen:
2022-11-07 08:08:15 UTC
File Type:
PE (Exe)
AV detection:
32 of 40 (80.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ovpaz6gsnjzdw2l2wznixtkkluqtdyexdi5mswjraft2bsxb4yra._file
Verdict:
malicious
Similar samples:
1adc68849d784b9530292b7187f492aa1d798d89a099a9eb8105fdfc9edaf2a0
ArkeiStealer
1d9dd4ae9d1ba20dbf36549110c16150525122f3aa7fdd390c66b7a6bfb752e4
ArkeiStealer
6c56b6a178c64adef96a65fab45b58a7378b17262420a31addd0ec239e12e7c7
ArkeiStealer
6da9ec8ffe3cc51e53b82fc3975ee1b70cb1ac97a58455d4a132576bb82f3095
ArkeiStealer
7102856b7e81454d903c903302d33df0175a66b7923bd578ec1e79c0eb6a0cd5
ArkeiStealer
a334fa92fab1199f16a272b0f2f63465750f98bed946d23f8f7ae498206ca553
ArkeiStealer
afeafca67e182853fa5be8431fa8df6b0e84fbf5aee18b692b7c5c068ec02ecf
ArkeiStealer
da271da1daacb415125be5ab9eacc9fdf9738776c83fc512c146e467d5930ded
ArkeiStealer
+ 1'759 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar botnet:1707 spyware stealer
Link:
https://tria.ge/reports/221111-g4b5ashgg2/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Loads dropped DLL
Vidar
Malware Config
C2 Extraction:
https://t.me/tg_turgay
https://ioc.exchange/@xiteb15011
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/708326d3-4ae2-403e-bb5c-e4ac5dbafa15
Unpacked files
SH256 hash:
e3456c7226ab54173d75dc68a53d779a8492c24bf33729226334ee6d5c3770ef
MD5 hash:
7691efa80979e71e47d36a28ce8e0a39
SHA1 hash:
55c2ace8f00a050222cad7aec5ae8045e9a433a9
Link:
https://www.unpac.me/results/4fce332b-39f9-4d71-bb09-3db1c73afc85/
SH256 hash:
755e0cf8d26a723b697ab65a8bcd4a5d2131e0971a3ac959310167a0cae1e622
MD5 hash:
d98931d0f091bb718be7823941c58ab7
SHA1 hash:
0102adeffa936f66cf1bcbb34d1794270668a8ec
Link:
https://www.unpac.me/results/4fce332b-39f9-4d71-bb09-3db1c73afc85/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/755e0cf8d26a723b697ab65a8bcd4a5d2131e0971a3ac959310167a0cae1e622

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/332278/

Comments