MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 79b5365df45d5d8b1a392453e513c43fd3ffb32fa4b7446c2953e14a498a96bb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ArkeiStealer

Vendor detections: 13

Intelligence 13 IOCs YARA 7 File information Comments

SHA256 hash:	79b5365df45d5d8b1a392453e513c43fd3ffb32fa4b7446c2953e14a498a96bb
SHA3-384 hash:	f761e226412ee7c3f188a3c26b5f0b8aa9612055d3184b0a7b0b6abad6e77123c32be2fd09cdd61883e487cc800e1558
SHA1 hash:	b77e042580ffd9646813172ff74f9b42ce0c2d69
MD5 hash:	763861dd11039e6077c8a375189a884b
humanhash:	table-happy-minnesota-enemy
File name:	79b5365df45d5d8b1a392453e513c43fd3ffb32fa4b7446c2953e14a498a96bb
Download:	download sample
Signature	ArkeiStealer Create hunting rule
File size:	3'023'360 bytes
First seen:	2022-06-10 07:45:29 UTC
Last seen:	2022-06-10 08:49:32 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	bee6b6031caef490ea53179b1f7393a7 (3 x ArkeiStealer)
ssdeep	49152:vhwAouxw3AvnMainfj0feprnnq07Pg04xEZe6WSZvcoR2YC9SUE3AYaYmwsBIFt7:lML0WpqWPf4xEZKCcoqCAYaLPI1yUuTU
Threatray	17'302 similar samples on MalwareBazaar
TLSH	T18DE533B2B7051070F3BC43F423619E7A9BBD6C9F88C15BA31AC51396EE76746768900E
TrID	52.9% (.EXE) Win32 Executable (generic) (4505/5/1) 23.5% (.EXE) Generic Win/DOS Executable (2002/3) 23.5% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):
dhash icon	ccc7dbe5a3d383ce (1 x ArkeiStealer)
Reporter	crep1x
Tags:	ArkeiStealer exe vidar

Intelligence

File Origin

# of uploads :

# of downloads :

395

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

79b5365df45d5d8b1a392453e513c43fd3ffb32fa4b7446c2953e14a498a96bb

Verdict:

Malicious activity

Analysis date:

2022-06-10 08:34:19 UTC

Tags:

trojan stealer

Link:

https://app.any.run/tasks/16bbc8ac-9fbb-41bf-8a25-554a586586dc

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Vidar

Link:

https://www.capesandbox.com/analysis/278584/

Detection(s):

SecuriteInfo.com.Variant.Fragtor.99788.26532.11604.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for analyzing tools

Searching for the window

Сreating synchronization primitives

Sending an HTTP GET request

Creating a file

Reading critical registry keys

Creating a window

Sending a custom TCP request

Stealing user critical data

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/62a2f701c6d7350cc0121579/reports/b752155a-7f01-4168-8c52-b3cb94fbb269/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Arkei Stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/3e32d0d8-f9be-4081-a5e0-9a6a288194e9

Result

Threat name:

Vidar

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1010658

Signature

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Found evasive API chain (may stop execution after checking computer name)

Found evasive API chain (may stop execution after checking mutex)

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Hides threads from debuggers

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Query firmware table information (likely to detect VMs)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to evade debugger and weak emulator (self modifying code)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Crypto Currency Wallets

Tries to steal Mail credentials (via file / registry access)

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/79b5365df45d5d8b1a392453e513c43fd3ffb32fa4b7446c2953e14a498a96bb/

Threat name:

Win32.Spyware.Vidar

Status:

Malicious

First seen:

2022-06-01 17:46:08 UTC

File Type:

PE (Exe)

Extracted files:

176

AV detection:

22 of 26 (84.62%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=pg2tmxpulvoywgrzerj6ke6eh7j77mzpus3ui3bjkpquusmks25q._file

Verdict:

malicious

ArkeiStealer

18f5a7d7fa2e52091504106547fc9c1e2d540ff70d75544c550765599c65be1b

ArkeiStealer

478095690b73f317b9ff209fd4c8a80aba031dfddf84e9ff95fb5168dc8d7453

ArkeiStealer

5972343370247c01cd49e0fda028bdece0507c15ec3773311ed41688da9b9e30

ArkeiStealer

5dd5eaef8d41d319b5b45be1d275139f08f59423c1326da20acdddf196a41022

ArkeiStealer

82a108c44defd4e43bf5bdee2bbadbf7f62870683557276b698d15845267c722

ArkeiStealer

89ec309c384717284199d66d01669738ce37d9fb445a8f7f2259dfd6ca888f5d

ArkeiStealer

e6cea0eb49c9b461c624ded82d794e9353499644a47f7975a6ab030a9f8123b8

ArkeiStealer

ffc1b9735633836ed935e403d56dd31a464f39c0814e22cb19bb3af6cd54b270

ArkeiStealer

+ 17'292 additional samples on MalwareBazaar

Result

Malware family:

vidar

Score:

10/10

Tags:

family:vidar discovery evasion spyware stealer suricata trojan

Link:

https://tria.ge/reports/220610-jly78adch3/

Behaviour

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of NtSetInformationThreadHideFromDebugger

Accesses 2FA software files, possible credential harvesting

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Checks whether UAC is enabled

Reads user/profile data of web browsers

Checks BIOS information in registry

Loads dropped DLL

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Vidar Stealer

Vidar

suricata: ET MALWARE W32/Agent.OGR!tr.pws Stealer

Unpacked files

SH256 hash:

b3a66b818e83e5443e0f60dd814a65825547d804de80ae4bae083c8b56e71626

MD5 hash:

231fcf027516d866ec1a6a7b82edc706

SHA1 hash:

dcd5eceaad839b124def64e26e15bb2fd7379016

Link:

https://www.unpac.me/results/c58bfc1a-13ba-43c3-99fb-03480312d489/

SH256 hash:

79b5365df45d5d8b1a392453e513c43fd3ffb32fa4b7446c2953e14a498a96bb

MD5 hash:

763861dd11039e6077c8a375189a884b

SHA1 hash:

b77e042580ffd9646813172ff74f9b42ce0c2d69

Link:

https://www.unpac.me/results/c58bfc1a-13ba-43c3-99fb-03480312d489/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.90

Link:

https://yomi.yoroi.company/submissions/79b5365df45d5d8b1a392453e513c43fd3ffb32fa4b7446c2953e14a498a96bb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	grakate_stealer_nov_2021 Create hunting rule

Rule name:	INDICATOR_EXE_Packed_MPress Create hunting rule
Author:	ditekSHen
Description:	Detects executables built or packed with MPress PE compressor

Rule name:	INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL Create hunting rule
Author:	ditekSHen
Description:	Detects binaries and memory artifcats referencing sandbox DLLs typically observed in sandbox evasion

Rule name:	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing SQL queries to confidential data stores. Observed in infostealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing potential Windows Defender anti-emulation checks

Rule name:	MALWARE_Win_Vidar Create hunting rule
Author:	ditekSHen
Description:	Detects Vidar / ArkeiStealer

Rule name:	Vidar Create hunting rule
Author:	kevoreilly
Description:	Vidar Payload

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/278584/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample