MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7d9e4b4c86f71fc5b5e5ed8bb72b6ef2ed9ab8c0ad2877bf880f8e029485bfe7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ArkeiStealer

Vendor detections: 13

Intelligence 13 IOCs YARA 3 File information Comments

SHA256 hash:	7d9e4b4c86f71fc5b5e5ed8bb72b6ef2ed9ab8c0ad2877bf880f8e029485bfe7
SHA3-384 hash:	780c98bab445e74c9e478ed4cffe4d01885f30fdcdedfa687f879358f91b35a36ae76ea784e78dfee391689e07a7039b
SHA1 hash:	50d5c0d0775ff7e6c84c35549bd0da5d041c28b8
MD5 hash:	ec0ac23a4d78b472dc4cc6ba718ed1b4
humanhash:	freddie-early-fanta-fanta
File name:	file
Download:	download sample
Signature	ArkeiStealer Create hunting rule
File size:	2'099'872 bytes
First seen:	2022-12-19 08:43:58 UTC
Last seen:	2022-12-19 13:12:05 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	a56f115ee5ef2625bd949acaeec66b76 (53 x Stealc, 47 x PureHVNC, 29 x CoinMiner)
ssdeep	49152:HPZDYu8tLPaJtbqySZWkIlVUUnY6JAiJCkdEbtFT1uwp:vqazv1lVQunDduFTMwp
Threatray	7'129 similar samples on MalwareBazaar
TLSH	T1EDA5334A9F39A9D5C84036F67EDD16410E34393CCE4A052F70DEA7E82E5AB976437B08
TrID	38.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 15.6% (.ICL) Windows Icons Library (generic) (2059/9) 15.4% (.EXE) OS/2 Executable (generic) (2029/13) 15.2% (.EXE) Generic Win/DOS Executable (2002/3) 15.2% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):
dhash icon	c8ecf6fe42e8e4a0 (1 x RedLineStealer, 1 x ArkeiStealer)
Reporter	andretavare5
Tags:	ArkeiStealer exe signed

Code Signing Certificate

Organisation:	Toshiba MQ01ABMxx 2.5 WH06ABW020
Issuer:	Toshiba MQ01ABMxx 2.5 WH06ABW020
Algorithm:	sha1WithRSAEncryption
Valid from:	2022-11-25T16:23:06Z
Valid to:	2032-11-26T16:23:06Z
Serial number:	4300c6495c33ff8f444b25d26c992b59
Intelligence:	4 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:	SHA256
Thumbprint:	56d946dd2d7fcd5db567e63566d76e669b73b87a0e94961c62a6b2f4b97fd6dd
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

andretavare5

Sample downloaded from https://vk.com/doc455916046_655158720?hash=Dwzir12RwdYp5vu8lV7ZYLZovLEkwz4uerOgBHsT7hz&dl=GQ2TKOJRGYYDINQ:1670868045:pEwRZ5KIzB3uZedzzgxZW9XzKdVh7YcYmBFuIPJYLAz&api=1&no_preview=1#kisww13

Intelligence

File Origin

# of uploads :

# of downloads :

184

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

vidar

ID:

File name:

file

Verdict:

Malicious activity

Analysis date:

2022-12-19 08:45:23 UTC

Tags:

trojan stealer vidar

Link:

https://app.any.run/tasks/e63e3281-0de4-4e1a-97a6-a10fa7c70463

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/347864/

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.64190160.22546.22158.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Searching for analyzing tools

Sending a custom TCP request

Launching a process

Creating a file

Сreating synchronization primitives

DNS request

Sending an HTTP GET request

Behavior that indicates a threat

Reading critical registry keys

Searching for synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Forced shutdown of a system process

Stealing user critical data

Unauthorized injection to a system process

Sending an HTTP GET request to an infection source

Verdict:

Malicious

Threat level:

10/10

Confidence:

80%

Tags:

arkei overlay packed vidar

Link:

https://www.filescan.io/uploads/63a024538f89a0881295c7bc/reports/8549c772-58e9-439f-8e28-e79da7e90b45/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Arkei Stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/26cf8f61-d1de-44c6-b0ff-8128a60b3829

Result

Threat name:

Vidar

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1136956

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Hides threads from debuggers

Injects a PE file into a foreign processes

Multi AV Scanner detection for submitted file

PE file contains section with special chars

Query firmware table information (likely to detect VMs)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/7d9e4b4c86f71fc5b5e5ed8bb72b6ef2ed9ab8c0ad2877bf880f8e029485bfe7/

Threat name:

Win64.Infostealer.Bandra

Status:

Malicious

First seen:

2022-12-10 14:26:07 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

15 of 26 (57.69%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=pwpewteg64p4lnpf5wf3ok3o6lwzvogavuuhpp4ib6haffefx7tq._file

Verdict:

malicious

ArkeiStealer

296e195f7896d20af579930d9bc481bc9d651e79480399c071531417bfede4a7

ArkeiStealer

4e9175b772c839c1ee50597212389675e75454092aaa2d59a88ea222dfab24e2

ArkeiStealer

7e481ee40af6227bc65f7334cffa28ef661ab49cb800ce383aed1cec82515ae5

ArkeiStealer

97df47266aba1d8e7c70c88c8bf0851a53579dfac7d2bb6545ca85e809bbf1c6

ArkeiStealer

9d4a5344f0cb03807c0857078c93768d2ab92ad9cd8aec51922fd80137773ee1

ArkeiStealer

a1f85be67018434f06e910c13c4833aae7689793a7ce80a70ca5028877e9f40e

ArkeiStealer

c633d7549fb4a77e02fa1e48f8fb3e3b41d8a998778d2e2c024949673dad0ba5

ArkeiStealer

eebeb8f37bef6e92068903c7a0dafa6a1a5f86f987ba1ad3336ccc855bfd317e

ArkeiStealer

+ 7'119 additional samples on MalwareBazaar

Result

Malware family:

vidar

Score:

10/10

Tags:

family:vidar botnet:1679 evasion spyware stealer themida trojan

Link:

https://tria.ge/reports/221219-km5xtshf4y/

Behaviour

Checks processor information in registry

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Accesses 2FA software files, possible credential harvesting

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks whether UAC is enabled

Checks BIOS information in registry

Loads dropped DLL

Themida packer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Vidar

Malware Config

C2 Extraction:

https://t.me/dishasta
https://steamcommunity.com/profiles/76561199441933804

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/2ef10d90-96bf-40ab-a489-43921d49ae50

Unpacked files

SH256 hash:

7d9e4b4c86f71fc5b5e5ed8bb72b6ef2ed9ab8c0ad2877bf880f8e029485bfe7

MD5 hash:

ec0ac23a4d78b472dc4cc6ba718ed1b4

SHA1 hash:

50d5c0d0775ff7e6c84c35549bd0da5d041c28b8

Link:

https://www.unpac.me/results/3040a892-ac72-4986-808e-4d9b9d56a34b/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/7d9e4b4c86f7/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/7d9e4b4c86f71fc5b5e5ed8bb72b6ef2ed9ab8c0ad2877bf880f8e029485bfe7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	HeavensGate Create hunting rule
Author:	kevoreilly
Description:	Heaven's Gate: Switch from 32-bit to 64-mode

Rule name:	INDICATOR_EXE_Packed_Themida Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with Themida

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

Cape

https://www.capesandbox.com/analysis/347864/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample