MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 886342b2453f5e52cc908b181da9ddfd3d47ba2b63e85a8e00a23253c1d51192. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 15


Intelligence 15 IOCs YARA 15 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 886342b2453f5e52cc908b181da9ddfd3d47ba2b63e85a8e00a23253c1d51192
SHA3-384 hash: 08d0207b877dd3c3fff57c791798b0ac3eff864be612024b171f07b83c9c6c5d6cbc8be12cba701b879b9c250bbc2765
SHA1 hash: ba02905e73d0418d903a58929e557b3b74148dd0
MD5 hash: 7b5eb5a52643f40b375b706b40bf8a40
humanhash: july-hawaii-purple-glucose
File name:indicat.exe
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:4'790'008 bytes
First seen:2023-10-02 10:00:02 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'747 x AgentTesla, 19'640 x Formbook, 12'245 x SnakeKeylogger)
ssdeep 49152:Jzk4X/Mhd2N4b58p591FKs2uSrvevqsn/SI5cBi2Z0L5KXwD8RxwDmC/TLrZT8w/:Jzk4Ehd2L0rvevqsx5c82C0wDXrZTj/
TLSH T1EB268E43BBA9CD12C15E6B33C6E6141843F6E9826723E70F36C523690D533EE4D59A8B
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon f4f0b0f0f0aae260 (1 x ArkeiStealer)
Reporter r3dbU7z
Tags:ArkeiStealer exe signed vidar

Code Signing Certificate

Organisation:Asus ROG Zephyrus M16 2023
Issuer:Asus ROG Zephyrus M16 2023
Algorithm:sha512WithRSAEncryption
Valid from:2023-09-29T20:36:01Z
Valid to:2025-08-14T00:00:00Z
Serial number: 458c43f348ef34458e3020ea1e100524
Intelligence: 3 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 4f14fc953a66965557fdfdfb0a44c693c8424d4aba784666d520362499714e0a
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
460
Origin country :
RU RU
Vendor Threat Intelligence
Detection:
Vidar
Create hunting rule
Link:
https://www.capesandbox.com/analysis/452587/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.16016.29153.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a file in the %temp% directory
Launching a process
Creating a file
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Reading critical registry keys
Using the Windows Management Instrumentation requests
Creating a window
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Forced shutdown of a system process
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
lolbin overlay packed packed regasm replace
Link:
https://www.filescan.io/uploads/651a94a91edabd9982a2f65c/reports/25bf0e2e-cd44-49ed-a6ee-b946eaccba30/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/886342b2453f5e52cc908b181da9ddfd3d47ba2b63e85a8e00a23253c1d51192
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Arkei Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3ac9d42f-7fd2-49ce-8435-b1b53e29cefc
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1317843
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/886342b2453f5e52cc908b181da9ddfd3d47ba2b63e85a8e00a23253c1d51192/
Threat name:
Win32.Spyware.Vidar
Create hunting rule
Status:
Malicious
First seen:
2023-10-01 22:44:36 UTC
File Type:
PE (.Net Exe)
Extracted files:
19
AV detection:
14 of 24 (58.33%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rbrufmsfh5pffteqrmmb3ko57u6uporlmpufvdqauizfhqovcgja._file
Verdict:
malicious
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar botnet:d0d3edaa495a7bc0efab04dcfaf7ca47 discovery spyware stealer
Link:
https://tria.ge/reports/231002-l1pcnsgg2x/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Vidar
Malware Config
C2 Extraction:
https://steamcommunity.com/profiles/76561199555780195
https://t.me/solonichat
Unpacked files
SH256 hash:
182f57d8c89fee4667fbb3420a9877b8198c4b9d0867660172c13dd9044f6f64
MD5 hash:
626b2239011878b0d6b779006bd66a91
SHA1 hash:
c79ecfe4c27d42c9d8f88a0be738790c56143d7d
Link:
https://www.unpac.me/results/df7df012-7ce0-4b93-87ee-67897fbbd968/
SH256 hash:
6a26df7ee49de6fec6c5de1f3f7a94075d2dfbc50922e3b30fd8111f2e734f33
MD5 hash:
f45c1512d5a47375e6e396b4d1111e58
SHA1 hash:
8af036b8c60d10e85cf82212930bb04bc0553f36
Link:
https://www.unpac.me/results/df7df012-7ce0-4b93-87ee-67897fbbd968/
SH256 hash:
dfce2d4d06de6452998b3c5b2dc33eaa6db2bd37810d04e3d02dc931887cfddd
MD5 hash:
544cd51a596619b78e9b54b70088307d
SHA1 hash:
4769ddd2dbc1dc44b758964ed0bd231b85880b65
Link:
https://www.unpac.me/results/df7df012-7ce0-4b93-87ee-67897fbbd968/
SH256 hash:
c414c3d4c7c33019e707f3046d8f6a9ee3e4a96a104cffe73aedca43a5149e9d
MD5 hash:
2a295517424732a3b2f484ccebce2356
SHA1 hash:
2b1958b05e504fb6faf04bf9a661594f3e7165ac
Detections:
VidarStealer
Create hunting rule
Link:
https://www.unpac.me/results/df7df012-7ce0-4b93-87ee-67897fbbd968/
SH256 hash:
886342b2453f5e52cc908b181da9ddfd3d47ba2b63e85a8e00a23253c1d51192
MD5 hash:
7b5eb5a52643f40b375b706b40bf8a40
SHA1 hash:
ba02905e73d0418d903a58929e557b3b74148dd0
Link:
https://www.unpac.me/results/df7df012-7ce0-4b93-87ee-67897fbbd968/
Malware family:
Vidar.A
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/886342b2453f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/886342b2453f5e52cc908b181da9ddfd3d47ba2b63e85a8e00a23253c1d51192

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:has_telegram_urls
Create hunting rule
Author:Aaron DeVera<aaron@backchannel.re>
Description:Detects Telegram URLs
Rule name:INDICATOR_EXE_Packed_DotNetReactor
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with unregistered version of .NET Reactor
Rule name:INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
Create hunting rule
Author:ditekSHen
Description:Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Telegram_Links
Create hunting rule
Rule name:Vidar
Create hunting rule
Author:kevoreilly,rony
Description:Vidar Payload
Rule name:win_vidar_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.vidar.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ArkeiStealer

Executable exe 886342b2453f5e52cc908b181da9ddfd3d47ba2b63e85a8e00a23253c1d51192

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/452587/

Comments