MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8864cd7cbc654d6a0abd75fe8152562f1a9837122bf829832fb4093be252b2e2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8864cd7cbc654d6a0abd75fe8152562f1a9837122bf829832fb4093be252b2e2
SHA3-384 hash: 879f954d0e99e9e04a8f38b46576b61a18849caeee150b9b744ba68bbe605e05b9b18c2a16a87920c415db885b83ca3b
SHA1 hash: 669b0a9b1cba6ffacf5e975462767138624c88bb
MD5 hash: c610df9a9e6f7d21499db050d432f9f9
humanhash: oklahoma-music-thirteen-floor
File name:file
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:4'694'016 bytes
First seen:2022-11-24 10:13:16 UTC
Last seen:2022-11-27 10:13:51 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 407e3b5378b3b0b56c578f72b3227fa9 (5 x ArkeiStealer)
ssdeep 98304:/B9kgT3HqFYzqbO0LO0hEOQbzc5fW1uTSITB4rc2UTBG5sq:5KgTedO09EOoufW414rY9G5L
Threatray 16'702 similar samples on MalwareBazaar
TLSH T1BC2633A257627F79C0CB88F166208237F3735E52255CB58B8E7B394BBE464434EE281D
TrID 52.9% (.EXE) Win32 Executable (generic) (4505/5/1)
23.5% (.EXE) Generic Win/DOS Executable (2002/3)
23.5% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon 01d8d8d8d4d4da01 (9 x CoinMiner, 2 x ArkeiStealer, 1 x LaplasClipper)
Reporter andretavare5
Tags:ArkeiStealer exe


Avatar
andretavare5
Sample downloaded from https://vk.com/doc760750097_656732885?hash=rPQ4EszJHesDoDOtl72yVpNBOcdzE6z4G9NYZFByagH&dl=G43DANZVGAYDSNY:1669282477:7IhtUMlz8mdYTHSQ0ai9UpLxw6lJpJBeRNj5BwMfxpP&api=1&no_preview=1#CRYPTO_ALL

Intelligence

File Origin
# of uploads :
1'901
# of downloads :
280
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
vidar
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2022-11-24 10:14:48 UTC
Tags:
trojan stealer vidar
Link:
https://app.any.run/tasks/daa9d672-a812-4716-9a70-ec0ff3b6bd61

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/338015/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for analyzing tools
Searching for the window
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Reading critical registry keys
Running batch commands
Creating a process with a hidden window
Launching a process
Stealing user critical data
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/637f43ecc2c8d19cd07c42fb/reports/667625bb-ff61-4146-816b-5d695cfd9a43/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/47ad2ef8-f77d-4bd8-95af-e73e89091169
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1120432
Signature
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Hides threads from debuggers
Machine Learning detection for sample
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8864cd7cbc654d6a0abd75fe8152562f1a9837122bf829832fb4093be252b2e2/
Threat name:
Win32.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2022-11-24 10:14:25 UTC
File Type:
PE (Exe)
Extracted files:
69
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rbsm27f4mvgwucv5ox7icuswf4njqnysfp4ctazpwqetxysswlra._file
Verdict:
suspicious
Similar samples:
22d9733647f48990bbe74bd5236545bb2d77d2b85cf5fa671bdd5276ebe8f6c6
ArkeiStealer
234c1a6aa873bd2e02df3f7e52cad468e0a017b345994cc22e93a44a4748c2e0
ArkeiStealer
b9e2df677315f07b08f43626c99817ab16c1aceb5812b2ea20cdbc96cdbead4a
ArkeiStealer
c6af08db8d058efc88312d44e1906f4e7cec8d27bd99af3ccd9b09c045551ee3
ArkeiStealer
de96e27483b81bec57e86f32954d7de623bb7a6c89aefa721c136fb60d148768
ArkeiStealer
e61234a0934d7955c0bafda460b8220f7012958415e05635d61d433a6e0c9006
ArkeiStealer
e8075dd2f74391aabe1a85eeb7282620b5be0236d6d0a23e7474cf033dd1628a
ArkeiStealer
f763556b253fa22454cdc3e21f288cfcf360c4938b14258ee00e9a3c0e39ae17
ArkeiStealer
+ 16'692 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar botnet:1679 discovery evasion spyware stealer trojan
Link:
https://tria.ge/reports/221124-l9n39sfg92/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
Checks BIOS information in registry
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Vidar
Malware Config
C2 Extraction:
https://t.me/headshotsonly
https://steamcommunity.com/profiles/76561199436777531
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/4deaa19f-7e71-4159-8c7b-08d2e6fb45a6
Unpacked files
SH256 hash:
57df976949925df38084d14e93ddbf0f6189876a5603a0c49cfd35122a767a3b
MD5 hash:
9cb202d288ed1f04a694c196e19f74f7
SHA1 hash:
22702a3e97a778c699833793037f17b77ecc2239
Link:
https://www.unpac.me/results/f04587db-374a-4675-9684-2fd9fb371084/
SH256 hash:
8864cd7cbc654d6a0abd75fe8152562f1a9837122bf829832fb4093be252b2e2
MD5 hash:
c610df9a9e6f7d21499db050d432f9f9
SHA1 hash:
669b0a9b1cba6ffacf5e975462767138624c88bb
Link:
https://www.unpac.me/results/f04587db-374a-4675-9684-2fd9fb371084/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/8864cd7cbc65/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.60
Link:
https://yomi.yoroi.company/submissions/8864cd7cbc654d6a0abd75fe8152562f1a9837122bf829832fb4093be252b2e2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:HeavensGate
Create hunting rule
Author:kevoreilly
Description:Heaven's Gate: Switch from 32-bit to 64-mode
Rule name:INDICATOR_EXE_Packed_MPress
Create hunting rule
Author:ditekSHen
Description:Detects executables built or packed with MPress PE compressor
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/338015/

Comments