MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 76e0252ac375659fb9f2c3acc53856a21cf414ed0890f32bcbded816bad9220f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 76e0252ac375659fb9f2c3acc53856a21cf414ed0890f32bcbded816bad9220f
SHA3-384 hash: 99d3071a1b65519dc48c2393d52da168d2f800542ecf4a6630a821a02cde83090192de22e4e9ce7847e020334fcce834
SHA1 hash: 19f32de7196db5b7039415c1056aa3402c92a0ed
MD5 hash: 5cde4a5c2fad12bc819ccc89b6baae53
humanhash: stream-crazy-fruit-muppet
File name:5cde4a5c2fad12bc819ccc89b6baae53
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:710'144 bytes
First seen:2021-09-04 04:20:54 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 235315ed783e15a9f0262d40cb1ad6da (1 x Stop, 1 x ArkeiStealer)
ssdeep 12288:VZ+QFv+CZ77eFqPTEy2sf8WlxICDjdEQ4E2WqTyDCxGtNB2twCXjgWG:/+QFlDPTSsf881Dj2Q4E2Wiy+7emUWG
Threatray 58 similar samples on MalwareBazaar
TLSH T1E0E401E0A6A0C035E4B711F7D96A8FB8692D7E716B2491CB62D02BDF52306F88D31753
dhash icon d824e7d0c4e72158 (6 x RaccoonStealer, 5 x Stop, 2 x ArkeiStealer)
Reporter zbetcheckin
Tags:32 ArkeiStealer exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
121
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Synapse X-v3.exe
Verdict:
Malicious activity
Analysis date:
2021-09-01 15:47:48 UTC
Tags:
trojan rat redline evasion stealer loader raccoon vidar opendir
Link:
https://app.any.run/tasks/ed4da0a7-9ac8-4e41-ae35-44e6b4fe6c5e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Vidar
Create hunting rule
Link:
https://www.capesandbox.com/analysis/185245/
Detection(s):
Win.Malware.Generic-9890017-0
Create hunting rule

Win.Malware.Generic-9890019-0
Create hunting rule

Win.Malware.Generic-9890141-0
Create hunting rule

Win.Malware.Generic-9890180-0
Create hunting rule

Win.Malware.Generic-9890231-0
Create hunting rule

Win.Malware.Generic-9890233-0
Create hunting rule

Win.Malware.Generic-9890238-0
Create hunting rule

Win.Dropper.Chapak-9890249-0
Create hunting rule

Win.Packed.Generickdz-9890265-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Launching the default Windows debugger (dwwin.exe)
Sending a UDP request
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/349308df-12e8-4ca6-aae5-cd1625f93b1e
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/845124
Signature
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/76e0252ac375659fb9f2c3acc53856a21cf414ed0890f32bcbded816bad9220f/
Threat name:
Win32.Trojan.Fragtor
Create hunting rule
Status:
Malicious
First seen:
2021-09-01 06:01:33 UTC
AV detection:
35 of 43 (81.40%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=o3qckkwdovsz7opsyowmkocwuiopifhnbcipgk6l33mbnowzeihq._file
Verdict:
unknown
Similar samples:
058ff1d64435282f36001f5f4209ea6931cfafa998919abe3ac500f9da860eeb
ArkeiStealer
2409a78ac9ab93406bc5d9a812061af68e263f7ebeccadb95b1603b1ff128034
ArkeiStealer
935099f2160f2dd5fec6a63ea02c81d80c0b2cbf712b0e48b386a81078a627dd
ArkeiStealer
b37f9988861fbdcdf6d9767818f6099a4f6773553bde2fe24c075e8405fbf869
ArkeiStealer
b5ebaa343b2503597f1357226444b151f4e06f373fddf18e3c296cb386954b92
ArkeiStealer
e0a10b9883175aaf59200cd47395e8cc9e40972cb235622e2dd699563938aec3
ArkeiStealer
fa64812b8f99fb65a97c6fbbf395c2fb891ba7647135d1a304cb6255bd6dc1a9
ArkeiStealer
+ 48 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar botnet:937 stealer
Link:
https://tria.ge/reports/210904-eym89sghdp/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Vidar Stealer
Suspicious use of NtCreateProcessExOtherParentProcess
Vidar
Malware Config
C2 Extraction:
https://lenko349.tumblr.com/
Unpacked files
SH256 hash:
0df66184c4dff5a6e3616e848d2546dc7a69ce8c59a5d693164e0c16657e8a0a
MD5 hash:
4c435756933a7ec1cb073b27ed5d4db7
SHA1 hash:
5796b2e7219767b1199f35ebf8c9c77542a2e246
Detections:
win_oski_g0
Create hunting rule
Link:
https://www.unpac.me/results/0783308e-44e5-4c90-b215-8fd113dc99f4/
SH256 hash:
76e0252ac375659fb9f2c3acc53856a21cf414ed0890f32bcbded816bad9220f
MD5 hash:
5cde4a5c2fad12bc819ccc89b6baae53
SHA1 hash:
19f32de7196db5b7039415c1056aa3402c92a0ed
Link:
https://www.unpac.me/results/0783308e-44e5-4c90-b215-8fd113dc99f4/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/76e0252ac375659fb9f2c3acc53856a21cf414ed0890f32bcbded816bad9220f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation
Create hunting rule
Author:ditekSHen
Description:Detects executables containing potential Windows Defender anti-emulation checks
Rule name:MALWARE_Win_Vidar
Create hunting rule
Author:ditekSHen
Description:Detects Vidar / ArkeiStealer
Rule name:Vidar
Create hunting rule
Author:kevoreilly
Description:Vidar Payload

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ArkeiStealer

Executable exe 76e0252ac375659fb9f2c3acc53856a21cf414ed0890f32bcbded816bad9220f

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1590665/
Cape
Cape
https://www.capesandbox.com/analysis/185245/

Comments


Avatar
zbet commented on 2021-09-04 04:20:54 UTC

url : hxxp://37.0.10.214/WW/Real01_1.exe