MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 77109a0bbb0d37926a327f63491d41be714c6fbed0a3ea4e5565e1349120d9a3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 77109a0bbb0d37926a327f63491d41be714c6fbed0a3ea4e5565e1349120d9a3
SHA3-384 hash: bec3fb3ac0878a78f963cb8b83c32895575394a5e4271712270866f1a2ebbf597a097897b7f8b2d4562f904da600adb2
SHA1 hash: 7d16c6eba7dcb9c009a14efc15a793edefe5b220
MD5 hash: c5768c1fc421330a0c66dbb8b6c51c81
humanhash: uncle-violet-eight-cup
File name:file
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:2'152'208 bytes
First seen:2022-12-30 16:29:42 UTC
Last seen:2022-12-30 18:32:43 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash a56f115ee5ef2625bd949acaeec66b76 (53 x Stealc, 47 x PureHVNC, 28 x RedLineStealer)
ssdeep 49152:YSBqCgQxsXs4I7dVgbEMnMQBnu2M3Yl/YdNDzzVDiSzPRISoe:YSBqpc53gbNVnxM3YGrDP1iSPWSo
Threatray 7'181 similar samples on MalwareBazaar
TLSH T1CCA5230B1762A99EC7FE0E76FBD7927502072C24B917A7597520315DDB30F8F88680AE
TrID 38.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
15.6% (.ICL) Windows Icons Library (generic) (2059/9)
15.4% (.EXE) OS/2 Executable (generic) (2029/13)
15.2% (.EXE) Generic Win/DOS Executable (2002/3)
15.2% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon d4b2e8cccc68b2d4 (1 x ArkeiStealer)
Reporter jstrosch
Tags:ArkeiStealer exe signed X64

Code Signing Certificate

Organisation:HDD Toshiba SATA-III 10Tb HDWG460EZSTA N300 (7200rpm) 2048Mb 2.5 Rtl
Issuer:HDD Toshiba SATA-III 10Tb HDWG460EZSTA N300 (7200rpm) 2048Mb 2.5 Rtl
Algorithm:sha1WithRSAEncryption
Valid from:2022-10-22T18:03:55Z
Valid to:2032-10-23T18:03:55Z
Serial number: 68aa0845fd86768b49854d38c8874ccc
Intelligence: 16 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 61f7108f73abea106b894c3e8326bc3280dc116f05e1a79ab2bf4500b9db2653
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
175
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Suspicious activity
Analysis date:
2022-12-30 16:32:16 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/1c088b3e-022d-425c-a4d5-0dbf2ddd409c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win64.Trojan-gen.4595.7448.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for analyzing tools
Searching for the window
Launching a process
Creating a file
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Reading critical registry keys
Using the Windows Management Instrumentation requests
Creating a process from a recently created file
Changing a file
Running batch commands
Creating a process with a hidden window
Creating a window
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/63af1210b9b1c173751ffc7f/reports/441d2038-ced0-4801-9cdc-2a031ae56ec2/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/019c1b45-a972-4885-991c-cc98dc485860
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1143259
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Writes to foreign memory regions
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 775989 Sample: file.exe Startdate: 30/12/2022 Architecture: WINDOWS Score: 100 46 Antivirus detection for URL or domain 2->46 48 Multi AV Scanner detection for submitted file 2->48 50 Yara detected Vidar stealer 2->50 52 4 other signatures 2->52 9 file.exe 3 2->9         started        process3 file4 32 C:\Users\user\AppData\Local\...\file.exe.log, CSV 9->32 dropped 58 Query firmware table information (likely to detect VMs) 9->58 60 Tries to detect sandboxes and other dynamic analysis tools (window names) 9->60 62 Writes to foreign memory regions 9->62 64 3 other signatures 9->64 13 InstallUtil.exe 22 9->13         started        signatures5 process6 dnsIp7 40 t.me 149.154.167.99, 443, 49722 TELEGRAMRU United Kingdom 13->40 42 185.130.47.169, 49723, 80 PRIVEXSE Sweden 13->42 44 game-pc.world 188.114.97.3, 443, 49724, 49725 CLOUDFLARENETUS European Union 13->44 34 C:\Users\user\AppData\Local\...\gama[1].exe, PE32 13->34 dropped 36 C:\ProgramData\66822374659035392100.exe, PE32 13->36 dropped 66 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 13->66 68 Tries to harvest and steal browser information (history, passwords, etc) 13->68 70 Tries to steal Crypto Currency Wallets 13->70 18 66822374659035392100.exe 1 13->18         started        22 cmd.exe 1 13->22         started        file8 signatures9 process10 dnsIp11 38 65.21.213.208, 3000, 49727 CP-ASDE United States 18->38 54 Machine Learning detection for dropped file 18->54 56 Tries to harvest and steal browser information (history, passwords, etc) 18->56 24 cmd.exe 1 18->24         started        26 conhost.exe 22->26         started        28 timeout.exe 1 22->28         started        signatures12 process13 process14 30 conhost.exe 24->30         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/77109a0bbb0d37926a327f63491d41be714c6fbed0a3ea4e5565e1349120d9a3/
Threat name:
Win64.Infostealer.Bandra
Create hunting rule
Status:
Malicious
First seen:
2022-12-30 16:30:14 UTC
File Type:
PE+ (Exe)
Extracted files:
10
AV detection:
12 of 26 (46.15%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=o4ijuc53bu3ze2rsp5rushkbxzyuy3562cr6utsvmxqtjeja3grq._file
Verdict:
unknown
Similar samples:
06ece311c226daf62863e5791def4efee02dacfeacc6b7635095d0a63b715a99
ArkeiStealer
083842534185758ad03c0a124d2a0a629225d97f3e3c4776c1ff727adeaae4c6
ArkeiStealer
296e195f7896d20af579930d9bc481bc9d651e79480399c071531417bfede4a7
ArkeiStealer
7d9e4b4c86f71fc5b5e5ed8bb72b6ef2ed9ab8c0ad2877bf880f8e029485bfe7
ArkeiStealer
7e481ee40af6227bc65f7334cffa28ef661ab49cb800ce383aed1cec82515ae5
ArkeiStealer
97df47266aba1d8e7c70c88c8bf0851a53579dfac7d2bb6545ca85e809bbf1c6
ArkeiStealer
a1f85be67018434f06e910c13c4833aae7689793a7ce80a70ca5028877e9f40e
ArkeiStealer
e3b0a6b1e8aa4cc6407d49b2bc8607549fc5b25cd2b11fc66a41127266c3ca47
ArkeiStealer
eebeb8f37bef6e92068903c7a0dafa6a1a5f86f987ba1ad3336ccc855bfd317e
ArkeiStealer
ef25f0485a77e2a012eaeef4f0f5911fa655a5bf98f8e03e07e6b3e49cb16416
ArkeiStealer
+ 7'171 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar botnet:546 evasion spyware stealer themida trojan
Link:
https://tria.ge/reports/221230-tztvrsbb9w/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks whether UAC is enabled
Checks BIOS information in registry
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
Downloads MZ/PE file
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Vidar
Malware Config
C2 Extraction:
https://t.me/misteryworldismyhome
https://t.me/montgomerywavesgetlucky
https://t.me/prokl3hfy
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/862f3718-d32d-4671-80bb-bd76110fc724
Unpacked files
SH256 hash:
77109a0bbb0d37926a327f63491d41be714c6fbed0a3ea4e5565e1349120d9a3
MD5 hash:
c5768c1fc421330a0c66dbb8b6c51c81
SHA1 hash:
7d16c6eba7dcb9c009a14efc15a793edefe5b220
Link:
https://www.unpac.me/results/4b6d0671-3295-4d55-b2d9-1f340f6d30be/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/77109a0bbb0d37926a327f63491d41be714c6fbed0a3ea4e5565e1349120d9a3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:HeavensGate
Create hunting rule
Author:kevoreilly
Description:Heaven's Gate: Switch from 32-bit to 64-mode
Rule name:INDICATOR_EXE_Packed_Themida
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Themida
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ArkeiStealer

Executable exe 77109a0bbb0d37926a327f63491d41be714c6fbed0a3ea4e5565e1349120d9a3

(this sample)

  
Delivery method
Distributed via web download

Comments