MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 768f937ddc3c623826e129ea564b79e0b7a46e05476b84971e61875cb9ebf16b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 768f937ddc3c623826e129ea564b79e0b7a46e05476b84971e61875cb9ebf16b
SHA3-384 hash: 53dcf027341ed0471b2af3877a269412486327e2de79d3e425e6ef3218d9b7961649568483852eb846d2bae69abdc184
SHA1 hash: aefd5860a3179d248db5a9135611c13e3bd519c6
MD5 hash: a6fbb8b7b10a115a27ce73e1c43f60e4
humanhash: pasta-magnesium-five-juliet
File name:Avast Premium Security crack.bin
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:2'768'415 bytes
First seen:2022-07-17 15:50:11 UTC
Last seen:2022-07-17 16:41:40 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash e1888d3e3e34368cefc07e8f747b2817 (9 x RedLineStealer, 1 x Formbook, 1 x ArkeiStealer)
ssdeep 24576:xHRGbOrvmvlY7YyAB3XC0MHXdC0/OKbLqGnG/x1XA+wlHQKp0xoJwDLpzrxBvRaW:hpr+1ubTG5CFlwS0xoJwDZml3G
TLSH T1DFD53C136A8B0D75DDD23BB4A1CB633AA734ED30CA3A9B7FB608C53559532C46C1A742
TrID 33.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
21.3% (.EXE) Win64 Executable (generic) (10523/12/4)
13.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
10.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.1% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter KdssSupport
Tags:ArkeiStealer exe


Avatar
KdssSupport
Uploaded with API

Intelligence

File Origin
# of uploads :
2
# of downloads :
348
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Avast Premium Security.zip
Verdict:
Malicious activity
Analysis date:
2022-07-17 13:05:06 UTC
Tags:
trojan stealer
Link:
https://app.any.run/tasks/f2255178-5d32-441d-90d1-e106ced90131

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/291363/
Detection(s):
SecuriteInfo.com.Trojan.GenericKDZ.89833.880.6292.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/26513/overview
Behaviour
MalwareBazaar
MeasuringTime
SystemUptime
EvasionQueryPerformanceCounter
EvasionGetTickCount
Gathering data
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Certishell
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3f4e1eb7-5c10-49d6-81f2-aec38e99a57b
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
evad.troj.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1034883
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 667376 Sample: Avast Premium Security crack.exe Startdate: 17/07/2022 Architecture: WINDOWS Score: 100 47 ftl.deekshith.eu.org 2->47 49 t.me 2->49 51 2 other IPs or domains 2->51 59 Snort IDS alert for network traffic 2->59 61 Multi AV Scanner detection for domain / URL 2->61 63 Antivirus detection for URL or domain 2->63 65 9 other signatures 2->65 10 Avast Premium Security crack.exe 1 2->10         started        signatures3 process4 signatures5 75 Writes to foreign memory regions 10->75 77 Injects a PE file into a foreign processes 10->77 13 AppLaunch.exe 31 10->13         started        18 conhost.exe 10->18         started        process6 dnsIp7 53 95.217.246.3, 49738, 80 HETZNER-ASDE Germany 13->53 55 ftl.deekshith.eu.org 188.114.97.3, 443, 49742 CLOUDFLARENETUS European Union 13->55 57 3 other IPs or domains 13->57 39 C:\Users\user\AppData\...\635965506[1].exe, PE32+ 13->39 dropped 41 C:\Users\user\AppData\...\Starter[1].exe, PE32 13->41 dropped 43 C:\ProgramData\22695295896033089184.exe, PE32 13->43 dropped 45 C:\ProgramData\06857635806674476532.exe, PE32+ 13->45 dropped 79 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 13->79 81 Tries to harvest and steal browser information (history, passwords, etc) 13->81 83 Tries to steal Crypto Currency Wallets 13->83 20 22695295896033089184.exe 13->20         started        23 06857635806674476532.exe 13->23         started        25 cmd.exe 13->25         started        file8 signatures9 process10 signatures11 67 Antivirus detection for dropped file 20->67 69 Multi AV Scanner detection for dropped file 20->69 71 Machine Learning detection for dropped file 20->71 73 Tries to harvest and steal browser information (history, passwords, etc) 23->73 27 cmd.exe 23->27         started        29 conhost.exe 25->29         started        31 taskkill.exe 25->31         started        33 timeout.exe 25->33         started        process12 process13 35 conhost.exe 27->35         started        37 choice.exe 27->37         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/768f937ddc3c623826e129ea564b79e0b7a46e05476b84971e61875cb9ebf16b/
Threat name:
Win32.Spyware.Vidar
Create hunting rule
Status:
Suspicious
First seen:
2022-07-17 02:18:20 UTC
File Type:
PE (Exe)
AV detection:
23 of 26 (88.46%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=o2hzg7o4hrrdqjxbfhvfms3z4c32i3qfi5vyjfy6mgdvzopl6fvq._file
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar botnet:1375 spyware stealer suricata
Link:
https://tria.ge/reports/220717-tagh5segfk/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Vidar Stealer
Vidar
suricata: ET MALWARE W32/Agent.OGR!tr.pws Stealer
Malware Config
C2 Extraction:
https://t.me/tgch_hijuly
https://c.im/@olegf9844h
Unpacked files
SH256 hash:
cb3400db4efc1faecff2ba627c57e75bf11813d0984a3433f28f306c931b49fa
MD5 hash:
a80f4cf3862d21be15a5da2fe7aa304f
SHA1 hash:
0d4796ccae273f3a9a1219821a73543cd058492f
Link:
https://www.unpac.me/results/989a003a-28e3-472d-b981-6306e986ec52/
SH256 hash:
768f937ddc3c623826e129ea564b79e0b7a46e05476b84971e61875cb9ebf16b
MD5 hash:
a6fbb8b7b10a115a27ce73e1c43f60e4
SHA1 hash:
aefd5860a3179d248db5a9135611c13e3bd519c6
Link:
https://www.unpac.me/results/989a003a-28e3-472d-b981-6306e986ec52/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/768f937ddc3c623826e129ea564b79e0b7a46e05476b84971e61875cb9ebf16b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:Sectigo_Code_Signed
Create hunting rule
Description:Detects code signed by the Sectigo RSA Code Signing CA
Reference:https://bazaar.abuse.ch/export/csv/cscb/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ArkeiStealer

Executable exe 768f937ddc3c623826e129ea564b79e0b7a46e05476b84971e61875cb9ebf16b

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/291363/

Comments