MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 76b7e0265f5fd3d3fead08df85a41d4fac0ab5bd881f9c44dca6987e69c9b63c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ArkeiStealer

Vendor detections: 13

Intelligence 13 IOCs YARA File information Comments

SHA256 hash:	76b7e0265f5fd3d3fead08df85a41d4fac0ab5bd881f9c44dca6987e69c9b63c
SHA3-384 hash:	1ed294ccd13f133bd5901b85dcf8997c86910b60e4c4346c01071188e856cc426257569d9d0cca4ed2861f6e07ec5f1a
SHA1 hash:	bc02cf5282fa75a16d6dcdd71a23c1b40eb28ceb
MD5 hash:	641be2c98b6b46e8dacf34789090afd6
humanhash:	april-winter-triple-queen
File name:	641be2c98b6b46e8dacf34789090afd6.exe
Download:	download sample
Signature	ArkeiStealer Create hunting rule
File size:	3'403'776 bytes
First seen:	2021-10-22 08:03:51 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f835dd1d0ecf6e80cc8d40b09f2d5bf8 (1 x ArkeiStealer)
ssdeep	49152:PlJnEIeGH3xSdKa+jDLWa2oRvxlqdsY5M09odfWzFM3Hx1:P/n/H3xqK5jDLWarxOsY5M5dPR
Threatray	3'410 similar samples on MalwareBazaar
TLSH	T1F2F5AF32B281843BD07B273CDD5BA7995A6A7E102E38994B3BEC4D4C0F39641791D2DB
File icon (PE):
dhash icon	399998ecd4d46c0e (572 x Quakbot, 137 x ArkeiStealer, 82 x GCleaner)
Reporter	abuse_ch
Tags:	ArkeiStealer exe

Intelligence

File Origin

# of uploads :

# of downloads :

198

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

http://ec2-3-144-126-110.us-east-2.compute.amazonaws.com/?6172d9fac77e7=7963065366eadac8992c55fa9295469ea207e4abArray&m=29&q=Voicemod%20Pro%202.19%20Crack%20%20%20License%20Key%20(2021)%20Free%20Download&dedica=17&tron=6172d9fac77ea.asp

Verdict:

Malicious activity

Analysis date:

2021-10-22 15:34:49 UTC

Tags:

loader trojan evasion rat redline opendir kelihos stealer vidar raccoon backdoor dcrat

Link:

https://app.any.run/tasks/2abbec69-a91f-4592-b25a-721818823b23

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Vidar

Link:

https://www.capesandbox.com/analysis/199316/

Detection(s):

SecuriteInfo.com.Artemis641BE2C98B6B.13659.27859.UNOFFICIAL

Result

Verdict:

Suspicious

Maliciousness:

Behaviour

Creating a window

DNS request

Connection attempt

Sending a custom TCP request

Connection attempt to an infection source

Sending a TCP request to an infection source

Query of malicious DNS domain

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

greyware keylogger

Link:

https://www.filescan.io/uploads/61727073db358dd15ed2f1c4/reports/4b58c490-7552-4df4-9a1b-ce1f74213228/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/a30b5b87-f336-46a1-9b7a-d08541b41ac2

Result

Threat name:

Vidar

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/875067

Signature

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Machine Learning detection for sample

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Self deletion via cmd delete

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected Vidar

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/76b7e0265f5fd3d3fead08df85a41d4fac0ab5bd881f9c44dca6987e69c9b63c/

Threat name:

Win32.Trojan.Chapak

Status:

Malicious

First seen:

2021-10-21 21:34:24 UTC

AV detection:

8 of 28 (28.57%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=o236ajs7l7j5h7vnbdpylja5j6wavnn5rapzyrg4u2mh42ojwy6a._file

Verdict:

malicious

ArkeiStealer

4290f5fbbd5d7ff8054de896fe4231d83a149f099ee867c75969468e0078e8f1

ArkeiStealer

4bc52cd8296fcffc22b5ca8ebf2b161260d71c8d34658f45c9c93cf6d65749e9

ArkeiStealer

76b7e0265f5fd3d3fead08df85a41d4fac0ab5bd881f9c44dca6987e69c9b63c

ArkeiStealer

7a5444f5316764d3960132052abe097784a29b7390e0ece10c86b804c125100f

ArkeiStealer

90618d3aa5146d27b46476a4c7bfcc2e5323b74dcbcf2c0af6b4f00c4c2d9297

ArkeiStealer

9fefd930a1cc7b257fe5a65bc3eda3167bc0f82895f288fc34eaca3411b2688b

ArkeiStealer

+ 3'400 additional samples on MalwareBazaar

Result

Malware family:

vidar

Score:

10/10

Tags:

family:vidar botnet:1045 discovery spyware stealer

Link:

https://tria.ge/reports/211022-jyaemabch3/

Behaviour

Checks processor information in registry

Delays execution with timeout.exe

Kills process with taskkill

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Accesses 2FA software files, possible credential harvesting

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Deletes itself

Loads dropped DLL

Reads user/profile data of web browsers

Downloads MZ/PE file

Vidar Stealer

Vidar

Malware Config

C2 Extraction:

https://mas.to/@xeroxxx

Unpacked files

SH256 hash:

4e0889ab868d8c938a97f78e4e196f714fc187e38e8d50e5d831b8cdf7dcc442

MD5 hash:

b0adcda685db84a4ad1edb3fb7e375ba

SHA1 hash:

7198817a7cda76ddcf2c50de3e8db2e1f7c9f885

Link:

https://www.unpac.me/results/ee45a018-1fad-4434-abfc-3e8d06954df9/

SH256 hash:

76b7e0265f5fd3d3fead08df85a41d4fac0ab5bd881f9c44dca6987e69c9b63c

MD5 hash:

641be2c98b6b46e8dacf34789090afd6

SHA1 hash:

bc02cf5282fa75a16d6dcdd71a23c1b40eb28ceb

Link:

https://www.unpac.me/results/ee45a018-1fad-4434-abfc-3e8d06954df9/

Malware family:

CryptOne

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/76b7e0265f5f/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/76b7e0265f5fd3d3fead08df85a41d4fac0ab5bd881f9c44dca6987e69c9b63c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/199316/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample