MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7f305167fdb6ae8a3781cd257ddef222ee6803f44115d2e1a133f7da67d4eaa0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7f305167fdb6ae8a3781cd257ddef222ee6803f44115d2e1a133f7da67d4eaa0
SHA3-384 hash: ed60828fde59615268f0da02b14004a94b14b219c9c2a6b467a1f7fbfa74b069b35416dd666abdddbafbcd43cdb9e7f3
SHA1 hash: 7be379f58663b5dd855685cd5e2c08e17c387c29
MD5 hash: ac3b47ca501942378c9b395344bd9b7e
humanhash: black-crazy-black-fish
File name:Setup.exe
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:4'957'820 bytes
First seen:2023-01-24 01:47:38 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c08dc19273ae03a6cb79b9f70296408b (1 x ArkeiStealer)
ssdeep 98304:ygmuoOWijt5gJ4fIWLXnq+wmjc6+bXxQJmtloAT:eutWa5gJutLXn9c6AXxKA
Threatray 18'029 similar samples on MalwareBazaar
TLSH T1FF3633DE583F56D6C70B85BD09764E62C309FE2ED8052949318DB70ADBB20A3057BE1B
TrID 52.9% (.EXE) Win32 Executable (generic) (4505/5/1)
23.5% (.EXE) Generic Win/DOS Executable (2002/3)
23.5% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon d4c4c08896b2f0c8 (1 x ArkeiStealer)
Reporter Chainskilabs
Tags:ArkeiStealer exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
214
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Setup.exe
Verdict:
Malicious activity
Analysis date:
2023-01-24 01:50:35 UTC
Tags:
stealer loader
Link:
https://app.any.run/tasks/9c008e37-389b-4fe1-9f7e-7f3c8f4f9864

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/356197/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for analyzing tools
Searching for the window
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Reading critical registry keys
Using the Windows Management Instrumentation requests
Creating a process from a recently created file
Running batch commands
Creating a process with a hidden window
Enabling the 'hidden' option for recently created files
Launching a process
Stealing user critical data
Sending an HTTP GET request to an infection source
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
67%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/63cf38d3447edb203a007e4d/reports/f7636143-5c78-4a14-84c7-4a6f3ce12fa7/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/63f8721e-57d6-44a4-b066-057bf9809418
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1157581
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Query firmware table information (likely to detect VMs)
Snort IDS alert for network traffic
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7f305167fdb6ae8a3781cd257ddef222ee6803f44115d2e1a133f7da67d4eaa0/
Gathering data
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=p4yfcz75w2xiun4bzusx3xxselxgqa7uiek5fynbgp35uz6u5kqa._file
Verdict:
malicious
Similar samples:
2e205ecc398903361efb69b5790716a47b76301e7b8ad3be506fbde96ee6ffe7
ArkeiStealer
3c4f456e84a4b82254480d17bd6db4c0a9ae6259e085b362b10183a82956d1ba
ArkeiStealer
4b1338eceb20e531dca686256b82a8aa56e75aeb4b53f54d08900dd75fc0b19f
ArkeiStealer
4c98097c2e234a8cb19327c9ddaa9b8c8669dd0f0a95fd71912282e6f0cf50d5
ArkeiStealer
6e3f1055521e01bd967f22fd68b48410342264b62cf7b7998a6686a2141d4d67
ArkeiStealer
6fac6114554675dba7ba82a4da7076333bdf4dab4786d6632e71ad64fb3bdb35
ArkeiStealer
88dbf134cd4628fc8b97cc1adf5201cae875df1fa5280b3cbc0306478161e9f4
ArkeiStealer
b25c916108e990357c009d88c075fda55419b5a13da0a3b2dc5643b607bb6b0e
ArkeiStealer
baf02cec33d21e0b9d7ddae2357e89f38c4af289b033c0edc3720105eb210327
ArkeiStealer
+ 18'019 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar botnet:15 discovery evasion spyware stealer themida trojan
Link:
https://tria.ge/reports/230124-b74qtshh7v/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
Checks BIOS information in registry
Checks computer location settings
Loads dropped DLL
Modifies file permissions
Reads user/profile data of web browsers
Themida packer
Downloads MZ/PE file
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Vidar
Malware Config
C2 Extraction:
https://t.me/jetbim2
https://steamcommunity.com/profiles/76561199471266194
Unpacked files
SH256 hash:
30347339bef07fec6392eb35ea70db4954c17eccf43d104274c5c7a961dc19c3
MD5 hash:
be9e4d150382bc5642872486af35d0ff
SHA1 hash:
4e2a6163262d613e8ea7dd7bc26d0e2b6dc4748d
Link:
https://www.unpac.me/results/4c61d708-83d0-4f12-929d-cbc48e261507/
SH256 hash:
7f305167fdb6ae8a3781cd257ddef222ee6803f44115d2e1a133f7da67d4eaa0
MD5 hash:
ac3b47ca501942378c9b395344bd9b7e
SHA1 hash:
7be379f58663b5dd855685cd5e2c08e17c387c29
Link:
https://www.unpac.me/results/4c61d708-83d0-4f12-929d-cbc48e261507/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.92
Link:
https://yomi.yoroi.company/submissions/7f305167fdb6ae8a3781cd257ddef222ee6803f44115d2e1a133f7da67d4eaa0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:grakate_stealer_nov_2021
Create hunting rule
Rule name:HeavensGate
Create hunting rule
Author:kevoreilly
Description:Heaven's Gate: Switch from 32-bit to 64-mode
Rule name:INDICATOR_EXE_Packed_MPress
Create hunting rule
Author:ditekSHen
Description:Detects executables built or packed with MPress PE compressor
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:Telegram_Links
Create hunting rule
Rule name:TeslaCryptPackedMalware
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/356197/

Comments