MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 826f0582dad21366bf3251b4d39478f9a893eab86d8b83a4d09d97f42564b5b5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ArkeiStealer

Vendor detections: 8

Intelligence 8 IOCs 1 YARA 5 File information Comments

SHA256 hash:	826f0582dad21366bf3251b4d39478f9a893eab86d8b83a4d09d97f42564b5b5
SHA3-384 hash:	5f0f141c65b0b36f988caf2eed7797c1223a82713e57f3cfa8ed2a5cdd7e811f31a248aeac5d2d810909598a84aa5b13
SHA1 hash:	2c04e445f01a32364924f9cfdd3ace5949a0c0ea
MD5 hash:	674f0b844f4101bee9d32bd82b10921a
humanhash:	blossom-pennsylvania-oscar-kansas
File name:	file
Download:	download sample
Signature	ArkeiStealer Create hunting rule
File size:	203'080 bytes
First seen:	2022-10-27 19:08:24 UTC
Last seen:	2022-10-28 07:09:23 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'738 x AgentTesla, 19'596 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	3072:zuEs0JIo2i3beHQqeTR1R40sMuvQG4eWwHe9hKZ8vQMz:d2OrEvQG4esn
Threatray	796 similar samples on MalwareBazaar
TLSH	T19C1429A1FBEC6091D121FE78F8330CB795B70C7AE98D8055902D79375BBA3E9851A093
TrID	72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.4% (.EXE) Win64 Executable (generic) (10523/12/4) 6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.4% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	fccce6e6e2e6a6e4 (1 x ArkeiStealer)
Reporter	andretavare5
Tags:	ArkeiStealer exe

andretavare5

Sample downloaded from https://vk.com/doc733883836_657689203?hash=UmPp25LDKHWzyoH8qcYCVS5Ujz8hJzJzIK0hSELx8p4&dl=G4ZTGOBYGM4DGNQ:1666896849:BBKJhelRJaJCIIrlhGYB5kItBJafcgTAM6KvUzaqghL&api=1&no_preview=1#face1

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://195.201.253.169/	https://threatfox.abuse.ch/ioc/878075/

Intelligence

File Origin

# of uploads :

252

# of downloads :

243

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/325103/

Detection(s):

SecuriteInfo.com.IL.Trojan.MSILZilla.23472.15553.253.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

DNS request

Sending an HTTP GET request

Creating a file in the %temp% directory

Creating a file in the system32 subdirectories

Running batch commands

Unauthorized injection to a recently created process

Creating a file

Launching a process

Sending a custom TCP request

Reading critical registry keys

Creating a window

Searching for synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Blocking the Windows Defender launch

Stealing user critical data

Sending an HTTP GET request to an infection source

Enabling autorun by creating a file

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/0161c8a0-7ece-4857-90f0-5ae8fc620a2c

Result

Threat name:

Vidar

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1099720

Behaviour

Behavior Graph:

n/a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/826f0582dad21366bf3251b4d39478f9a893eab86d8b83a4d09d97f42564b5b5/

Threat name:

ByteCode-MSIL.Trojan.Scarsi

Status:

Malicious

First seen:

2022-10-27 19:23:03 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

8 of 42 (19.05%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=qjxqlaw22ijwnpzskg2nhfdy7gujh2vynwfyhjgqtwl7ijleww2q._file

Verdict:

malicious

ArkeiStealer

0a696cdecabbeb02700dfec14eaa5b165d17267f311ef7ddbb7264caddc551a3

ArkeiStealer

15aa3f4843cd93375a309e74000e94018cb9215b55e208384687cb10ad8fed91

ArkeiStealer

27253651170386863b148afb2a0fdda7780ae65cbc31405acbd99fa06b44b79f

ArkeiStealer

334fb1c3def58d304673a7be8b63399d481bc45a8c33567003c09784efd16ebd

ArkeiStealer

50b4e60ae4821dc249f2a2c2477818f0736a23a8f8968f34bb5bfb3c64a00722

ArkeiStealer

da3982e0dddf4fe1791280c0af465e261f1835e81075e5eaa8356b477e451464

ArkeiStealer

+ 786 additional samples on MalwareBazaar

Result

Malware family:

vidar

Score:

10/10

Tags:

family:vidar botnet:1753 discovery evasion spyware stealer trojan

Link:

https://tria.ge/reports/221027-xtsbjadaf3/

Behaviour

Checks processor information in registry

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses 2FA software files, possible credential harvesting

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Checks computer location settings

Deletes itself

Loads dropped DLL

Reads user/profile data of web browsers

Modifies Windows Defender Real-time Protection settings

Modifies security service

UAC bypass

Vidar

Malware Config

C2 Extraction:

https://t.me/slivetalks
https://c.im/@xinibin420

Unpacked files

SH256 hash:

826f0582dad21366bf3251b4d39478f9a893eab86d8b83a4d09d97f42564b5b5

MD5 hash:

674f0b844f4101bee9d32bd82b10921a

SHA1 hash:

2c04e445f01a32364924f9cfdd3ace5949a0c0ea

Link:

https://www.unpac.me/results/7dc36eee-4025-4be5-87e9-363e1d2d16c8/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/826f0582dad21366bf3251b4d39478f9a893eab86d8b83a4d09d97f42564b5b5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_EXE_Packed_SmartAssembly Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with SmartAssembly

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Vidar Create hunting rule
Author:	kevoreilly,rony
Description:	Vidar Payload

Rule name:	Windows_Trojan_Vidar_114258d5 Create hunting rule
Author:	Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

Cape

https://www.capesandbox.com/analysis/325103/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample