MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 77648473a36693ce3547880cb361f10ed937f0d43839cad51de7c8d4ac9709b8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 77648473a36693ce3547880cb361f10ed937f0d43839cad51de7c8d4ac9709b8
SHA3-384 hash: e694f2cea749a05461809b358094ba2471d880ed76c760e6d602c9e4323885b936a1ba1f4722735f279d98516e8e3414
SHA1 hash: 5838ed28692587997aaf07063bcddb3efe6b09a2
MD5 hash: 400896e3d39fe62e6675a86b3c7adeaa
humanhash: london-tennessee-steak-juliet
File name:njcasnjnj111.exe
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:1'560'576 bytes
First seen:2022-12-01 14:42:12 UTC
Last seen:2022-12-01 15:06:15 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash c4d010441c17e8245adced7fdcad59f4 (4 x ParallaxRAT, 1 x ArkeiStealer, 1 x RemcosRAT)
ssdeep 24576:NVmnZSXUpShfGnZSXUpShfGnZSXUpShfL4Qmv8ZjEOP:NVMwEwswEwswEwL4QQ8ZXP
Threatray 17'015 similar samples on MalwareBazaar
TLSH T1CD757C613080D157C8F6D5F29382D57290A5EDBDE727AB5B21CAFF2F70BA380520A749
TrID 30.2% (.EXE) Win64 Executable (generic) (10523/12/4)
18.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
14.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
12.9% (.EXE) Win32 Executable (generic) (4505/5/1)
5.9% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon c8868696969eb092 (1 x ArkeiStealer, 1 x RemcosRAT)
Reporter JAMESWT_WT
Tags:ArkeiStealer exe fakevideolan vidar

Intelligence

File Origin
# of uploads :
2
# of downloads :
196
Origin country :
IT IT
Vendor Threat Intelligence
Malware family:
vidar
Create hunting rule
ID:
1
File name:
njcasnjnj111.exe
Verdict:
Malicious activity
Analysis date:
2022-12-01 14:43:10 UTC
Tags:
trojan stealer vidar
Link:
https://app.any.run/tasks/33c8a5e0-db70-498c-b7c9-1b3627e272eb

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/341165/
Detection(s):
SecuriteInfo.com.Win32.Evo-gen.28109.8167.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Сreating synchronization primitives
Sending a custom TCP request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
arkei exploit greyware overlay packed
Link:
https://www.filescan.io/uploads/6388bd76fa645277f5036f53/reports/debcd354-7b76-4da1-b958-e0f737ac43d7/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/0f641c93-378d-4e37-9d64-4a7183e73fca
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1125459
Signature
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Self deletion via cmd or bat file
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/77648473a36693ce3547880cb361f10ed937f0d43839cad51de7c8d4ac9709b8/
Threat name:
Win32.Adware.RedCap
Create hunting rule
Status:
Malicious
First seen:
2022-12-01 14:43:10 UTC
File Type:
PE (Exe)
Extracted files:
37
AV detection:
15 of 26 (57.69%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=o5sii45dm2j44nkhraglgyprb3mtp4guha44vvi547enjlexbg4a._file
Verdict:
malicious
Similar samples:
040aa152e739826874a268f4ffb8be80dd256e7817cdb2c25329d25a5264671e
ArkeiStealer
2bc35780b427873d03d777f75b112473d6593fdf7eab195dd75a6ba1ec1daec9
ArkeiStealer
61436285b70355a6e0239c982c9b4a12cf2061c5b9c1eb2f4ff97133c549e891
ArkeiStealer
6aa8c7811e02d48797f51fd635e97060112122222638a725306ba6b690f691d1
ArkeiStealer
84fea2a219fbf4d19c67c05b3e1eecb20cee840e8c5072578aa8f03362270aba
ArkeiStealer
9579c6c9e07b1c6329bac90c764b3b427e0bfd97e797c5e5b9db1a7db477d5e7
ArkeiStealer
9d5670638fac6e9e5670cd6985894e9b2fcf1fb334973e5e3424fb246f835e11
ArkeiStealer
ba4fb2a15fa8baf942cdb9bddc882288290dbb6663b701b67e9ae48c85d362cb
ArkeiStealer
faf9fafa302622d32b46956c7ff81da78773366c0e120936a61ceea4c489c5b8
ArkeiStealer
+ 17'005 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar botnet:1711 discovery spyware stealer
Link:
https://tria.ge/reports/221201-r3lbpacf2t/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Vidar
Malware Config
C2 Extraction:
https://t.me/asifrazatg
https://steamcommunity.com/profiles/76561199439929669
Verdict:
Informative
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/b668a218-eec5-4bab-8985-c744857ab2c0
Unpacked files
SH256 hash:
318669e2d74cdff6f6220d4477ad6ec44837909acbb34bbe624e014086eadd8b
MD5 hash:
5019b2491543dc41b07c4dff166b04cb
SHA1 hash:
51ff1465de50d53eb2e7cb06d7bf84a5e701993e
Link:
https://www.unpac.me/results/140f752e-84a5-4466-89f5-86fb76658d6e/
SH256 hash:
77648473a36693ce3547880cb361f10ed937f0d43839cad51de7c8d4ac9709b8
MD5 hash:
400896e3d39fe62e6675a86b3c7adeaa
SHA1 hash:
5838ed28692587997aaf07063bcddb3efe6b09a2
Link:
https://www.unpac.me/results/140f752e-84a5-4466-89f5-86fb76658d6e/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/77648473a366/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/77648473a36693ce3547880cb361f10ed937f0d43839cad51de7c8d4ac9709b8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ArkeiStealer

Executable exe 77648473a36693ce3547880cb361f10ed937f0d43839cad51de7c8d4ac9709b8

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2440874/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/341165/

Comments