MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 867acada5e2a7723085e439a6d89226e69af216f719d6001db13bbe04e95f54e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ArkeiStealer

Vendor detections: 10

Intelligence 10 IOCs YARA 1 File information Comments

SHA256 hash:	867acada5e2a7723085e439a6d89226e69af216f719d6001db13bbe04e95f54e
SHA3-384 hash:	87d451e9b00cc790774e39a313fcdfb26d03b81b83b6e1ba1f0f643630e7a6f9524563cda083450b2f3ba9c81b1e524f
SHA1 hash:	5531ffa016232f264a02c65a74f88effc825ca91
MD5 hash:	506be70852e70cea556cb51720fb594f
humanhash:	social-coffee-angel-whiskey
File name:	Setup.exe
Download:	download sample
Signature	ArkeiStealer Create hunting rule
File size:	6'444'032 bytes
First seen:	2022-11-16 17:18:35 UTC
Last seen:	2022-11-16 18:57:41 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	a56f115ee5ef2625bd949acaeec66b76 (53 x Stealc, 46 x PureHVNC, 28 x RedLineStealer)
ssdeep	196608:5mwS70AIDe/o0qd8OmkRD3A4a0uXx4mgj:5m0AUsVqd/vRD3A0uB
Threatray	1'524 similar samples on MalwareBazaar
TLSH	T10D5633354F26A2DBC2DFE1F337ED543A0AC600D898DEDE1E97D4086E526A23D948E11D
TrID	45.5% (.EXE) Win16 NE executable (generic) (5038/12/1) 18.3% (.EXE) OS/2 Executable (generic) (2029/13) 18.0% (.EXE) Generic Win/DOS Executable (2002/3) 18.0% (.EXE) DOS Executable Generic (2000/1)
Reporter	abuse_ch
Tags:	ArkeiStealer exe

Intelligence

File Origin

# of uploads :

# of downloads :

235

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Setup.exe

Verdict:

No threats detected

Analysis date:

2022-11-16 17:21:03 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/9b77e43e-f5c1-4e3b-acd8-2471555a82b1

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/334950/

Detection(s):

SecuriteInfo.com.Win64.DropperX-gen.29467.20130.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a custom TCP request

Searching for analyzing tools

Searching for the window

Launching a process

Searching for synchronization primitives

Сreating synchronization primitives

DNS request

Launching the default Windows debugger (dwwin.exe)

Sending an HTTP GET request

Creating a window

Creating a file

Forced shutdown of a system process

Unauthorized injection to a system process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/63751b8665b4ed3de8c86e8a/reports/756864f6-2d99-43c1-8eb0-b2f0100efbd5/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/e4029036-8a17-423b-afc7-4eb6a668d04e

Result

Threat name:

Vidar

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1115084

Signature

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Hides threads from debuggers

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

PE file contains section with special chars

Query firmware table information (likely to detect VMs)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/867acada5e2a7723085e439a6d89226e69af216f719d6001db13bbe04e95f54e/

Threat name:

Win64.Infostealer.Bandra

Status:

Malicious

First seen:

2022-11-16 17:19:17 UTC

File Type:

PE+ (Exe)

AV detection:

11 of 26 (42.31%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=qz5mvws6fj3sgcc6iong3cjcnzu26ilpogowaao3co56atuv6vha._file

Verdict:

suspicious

ArkeiStealer

0ca5c734d0f935bcb1d2ba2345150127daa31d05dc7b3363a2b5215de83ab16f

ArkeiStealer

47fc82f745787ef02d2e51a15e7ce14ab2a1a278b82a49840a48cc337782aac1

ArkeiStealer

51037666d1982db93e3123e88594d409805d3f1d970e9f926dcadb99f77f50f6

ArkeiStealer

54dc032c3503998eaa404dde9c677851856838e737edb3d198fb7c173562859e

ArkeiStealer

5d34b1f77abd61c463bd6ed97eb0b12bed29ac712445fa9d1dd6abe1029fed94

ArkeiStealer

8226b5885ea94def0a895da5a98fdcbd826da231a0eaded5bfa380a84cf8d0d9

ArkeiStealer

99306ce091ffc74939ea41621dd8e947086f6728083a2ff24aa02e3ae91905bd

ArkeiStealer

a647e223490db9af36e0794732566345a266e8793bc9a3e45ea58b5cbcd8435c

ArkeiStealer

+ 1'514 additional samples on MalwareBazaar

Result

Malware family:

vidar

Score:

10/10

Tags:

family:vidar botnet:1696 evasion spyware stealer themida trojan

Link:

https://tria.ge/reports/221116-vvtvmscb69/

Behaviour

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Accesses 2FA software files, possible credential harvesting

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks whether UAC is enabled

Checks BIOS information in registry

Loads dropped DLL

Themida packer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Vidar

Malware Config

C2 Extraction:

https://t.me/hkjkkiiioo
https://t.me/asndmadas19

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/b53be6cb-e5d9-441f-a97e-91dcf5550dcf

Unpacked files

SH256 hash:

867acada5e2a7723085e439a6d89226e69af216f719d6001db13bbe04e95f54e

MD5 hash:

506be70852e70cea556cb51720fb594f

SHA1 hash:

5531ffa016232f264a02c65a74f88effc825ca91

Link:

https://www.unpac.me/results/f46735d2-be22-4375-839b-4008bc93329d/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Arkei Stealer

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/867acada5e2a7723085e439a6d89226e69af216f719d6001db13bbe04e95f54e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_EXE_Packed_Themida Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with Themida

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/334950/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample