MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7a13f0c897638d4741e7936fa15e0e46c9a328406a43146fe4c2bf786b542087. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ArkeiStealer

Vendor detections: 10

Intelligence 10 IOCs YARA 4 File information Comments

SHA256 hash:	7a13f0c897638d4741e7936fa15e0e46c9a328406a43146fe4c2bf786b542087
SHA3-384 hash:	00da817f76d7eb8dd98f2300238fad93a913c8585081a3a0499a4238f12a790a7fd59c649d215f7b1305cb8209d65776
SHA1 hash:	03ac6f2dee1d6854153c65c4277f97dc0bc211ef
MD5 hash:	08709f9689c1f83f421dc0d4de3fec36
humanhash:	kansas-victor-friend-lima
File name:	SecuriteInfo.com.Trojan.GenericKDZ.73501.3931.24762
Download:	download sample
Signature	ArkeiStealer Create hunting rule
File size:	647'680 bytes
First seen:	2021-03-14 17:52:44 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	5ea6dd2e51322da74caf634abb28fae0 (2 x ArkeiStealer, 1 x Smoke Loader)
ssdeep	12288:uZgsq77sV5Z5QkeUzzirzqzUsDOr2Hc9pUl02TBg5Dui3EFSIKD:uZgsBTQLUz8uzUEOr2Hc/UZTBaDUSr
Threatray	456 similar samples on MalwareBazaar
TLSH	BFD4E020E7A0D036F5B302B186F5867976347D326B3885CB63C0279B5A786E6DD31B63
Reporter	SecuriteInfoCom
Tags:	ArkeiStealer

Intelligence

File Origin

# of uploads :

# of downloads :

203

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SecuriteInfo.com.Trojan.GenericKDZ.73501.3931.24762

Verdict:

Malicious activity

Analysis date:

2021-03-14 17:56:06 UTC

Tags:

trojan stealer vidar loader

Link:

https://app.any.run/tasks/36456270-3e6c-4e50-852e-908bc5976d47

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/124218/

Detection(s):

SecuriteInfo.com.Trojan.GenericKDZ.73501.3931.24762.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

DNS request

Sending a custom TCP request

Creating a file

Connection attempt

Sending an HTTP GET request

Deleting a recently created file

Replacing files

Reading critical registry keys

Creating a window

Delayed writing of the file

Sending a UDP request

Running batch commands

Creating a process with a hidden window

Using the Windows Management Instrumentation requests

Searching for the window

Launching a process

Stealing user critical data

Launching a tool to kill processes

Forced shutdown of a browser

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Vidar

Detection:

malicious

Classification:

phis.troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/638928

Signature

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Crypto Currency Wallets

Tries to steal Instant Messenger accounts or passwords

Tries to steal Mail credentials (via file access)

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/7a13f0c897638d4741e7936fa15e0e46c9a328406a43146fe4c2bf786b542087/

Threat name:

Win32.Trojan.Glupteba

Status:

Malicious

First seen:

2021-03-14 00:08:58 UTC

AV detection:

18 of 28 (64.29%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=pij7bsexmoguoqphsnx2cxqoi3e2gkcanjbri37eyk7xq22uecdq._file

Verdict:

unknown

ArkeiStealer

216ab21badb89b973736f1ccdc2d2842eac2ce03c437521baf198626c0a14238

ArkeiStealer

3ecfe375bd64aa9e53b2d439c8ea9974af664aa36d060239ae7ddd1d796e0309

ArkeiStealer

7f588ecbff9405b87fa5b809b52d0b667f19a09e47bafc2cf1f5f9d5f19f16c1

ArkeiStealer

9c2eb5790e7874950db0e51764ba68bb4a0fa5be68b659717c73363883da0db7

ArkeiStealer

b699a2766f106ff77377780bad431b72ef1748bf989e09f2b82fb73cf30cbde3

ArkeiStealer

bd3f29c731f654a578d5b05a32e704ed571a78374b719acfe8f22d58b2a1c714

ArkeiStealer

ca689501b79de8430f0900c86e9a6b5c93b2d7cc68bc0b8921bb6ebb005f6893

ArkeiStealer

daac1aafd4f0f7b1e1e0112e913285543d73179216bc42cdf67036dae67955f0

ArkeiStealer

fc3285382ad7f58ef51da1a1041f1b67710d1ffc5633133fc126af1804be7702

ArkeiStealer

+ 446 additional samples on MalwareBazaar

Result

Malware family:

vidar

Score:

10/10

Tags:

family:vidar discovery spyware stealer

Link:

https://tria.ge/reports/210314-4156a5cy2s/

Behaviour

Checks processor information in registry

Delays execution with timeout.exe

Kills process with taskkill

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Accesses 2FA software files, possible credential harvesting

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Deletes itself

Loads dropped DLL

Reads local data of messenger clients

Reads user/profile data of web browsers

Vidar

Unpacked files

SH256 hash:

2bddbb533743b91bddceec55d6801d74ed429eac227e79028f9efd8cec9b9c6e

MD5 hash:

b0d15fd5c581c54a53283c5c509ef5bb

SHA1 hash:

ca0a3f16a3cc04a0e09bc78d38a5a4a31a52db0e

Detections:

win_vidar_auto

Link:

https://www.unpac.me/results/367c2883-66cf-4fc0-9e7f-f8c841ab9c55/

Parent samples :

7a13f0c897638d4741e7936fa15e0e46c9a328406a43146fe4c2bf786b542087
4f42a3f5ab0feccba70fb3637052bb95359d2152f1b73d787b25ba0f75cec13a
e9236502d303a733b1daf06ec731e09a67becdcf9d7178d10e7f5d6def2ace93
6494bacf6dba73268bc68c1078306b5e2665bee110f93e9235a6672e0ef434e1

SH256 hash:

7a13f0c897638d4741e7936fa15e0e46c9a328406a43146fe4c2bf786b542087

MD5 hash:

08709f9689c1f83f421dc0d4de3fec36

SHA1 hash:

03ac6f2dee1d6854153c65c4277f97dc0bc211ef

Link:

https://www.unpac.me/results/367c2883-66cf-4fc0-9e7f-f8c841ab9c55/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/7a13f0c897638d4741e7936fa15e0e46c9a328406a43146fe4c2bf786b542087

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers

Rule name:	Ping_Del_method_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	cmd ping IP nul del

Rule name:	win_vidar_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

Rule name:	with_sqlite Create hunting rule
Author:	Julian J. Gonzalez <info@seguridadparatodos.es>
Description:	Rule to detect the presence of SQLite data in raw image
Reference:	http://www.st2labs.com