MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 886a9bba51b1e3ef2756a680ebc43714e539994f12543e6d0e56a75a7ce81040. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



ArkeiStealer


Vendor detections: 12



SHA256 hash: 886a9bba51b1e3ef2756a680ebc43714e539994f12543e6d0e56a75a7ce81040
SHA3-384 hash: 6ad49462ea073122ddc84e770a2f9c8c4249c8a9c7a2cbba204d0b866e707117b8855f920c77603b9d80df92ad3178d3
SHA1 hash: 8634998ed6af2ec808f5e237202a10a0aba10d74
MD5 hash: 428e50a20f11a6f4ca68683a3b16c645
humanhash: dakota-hawaii-carbon-idaho
File name: 886A9BBA51B1E3EF2756A680EBC43714E539994F12543.exe
Signature: ArkeiStealer
File size: 5'701'276 bytes
First seen: 2022-07-04 20:00:30 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep: 98304:JcQ6rl0vXIeniqYms/Qm4x3TEcXFnyjZAhChjODQlABqTo5m0uXBzIUbHyA9nS0E:JcVRELniqY1Im4xgcBTCFxlABIj06BcP
TLSH: T1E84633153CFA558DDF6751B266BBB3AACFE2BC260774E923AF0354E07E65300E016A41
TrID:
  48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
  16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
  10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
  7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter: abuse_ch
Tags: ArkeiStealer exe


abuse_ch
ArkeiStealer C2:
http://116.202.4.170/1448

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC    ThreatFox Reference
http://116.202.4.170/1448 https://threatfox.abuse.ch/ioc/795358/
http://94.130.188.83/937 https://threatfox.abuse.ch/ioc/795396/
91.142.77.230:42925 https://threatfox.abuse.ch/ioc/795397/

Intelligence


File Origin
# of uploads: 1
# of downloads: 283
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating synchronization primitives
Creating a process from a recently created file
Creating a file
Searching for the window
Running batch commands
Sending a custom TCP request
Launching a process
Using the Windows Management Instrumentation requests
Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour
MalwareBazaar
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: barys mokes overlay packed shell32.dll smokeloader wacatac
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Nymaim, RedLine, SmokeLoader, Socelars
Detection: malicious
Classification: troj.spyw.expl.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Creates HTML files with .exe extension (expired dropper behavior)
Creates processes via WMI
Detected unpacking (changes PE section rights)
Disable Windows Defender real time protection (registry)
Disables Windows Defender (via service or powershell)
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file has a writeable .text section
PE file has nameless sections
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected Generic Downloader
Yara detected Nymaim
Yara detected onlyLogger
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Socelars
Yara detected UAC Bypass using CMSTP
Yara detected Vidar stealer
Behaviour
Behavior Graph: Behavior Graph ID 656923 (Sample: 886A9BBA51B1E3EF2756A680EBC..., Startdate: 04/07/2022, Architecture: WINDOWS, Score: 100); the process tree is rendered as a graph image on the original page.
Threat name: Win32.Trojan.Redlinestealer
Status: Malicious
First seen: 2021-11-05 01:44:25 UTC
File Type: PE (Exe)
Extracted files: 275
AV detection: 22 of 26 (84.62%)
Threat level: 5/5
Verdict: unknown
Result
Malware family:
Score: 10/10
Tags: family:onlylogger family:privateloader family:redline family:socelars family:vidar botnet:916 botnet:media0421 botnet:newjust aspackv2 discovery evasion infostealer loader main spyware stealer suricata trojan
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Enumerates system info in registry
Kills process with taskkill
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Checks installed software on the system
Creates a large amount of network flows
Drops Chrome extension
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Looks up geolocation information via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unexpected DNS network traffic destination
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
OnlyLogger Payload
Vidar Stealer
Modifies Windows Defender Real-time Protection settings
OnlyLogger
PrivateLoader
Process spawned unexpected child process
RedLine
RedLine Payload
Socelars
Socelars Payload
Suspicious use of NtCreateUserProcessOtherParentProcess
Vidar
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata: ET MALWARE Possible Zeus GameOver/FluBot Related DGA NXDOMAIN Responses
suricata: ET MALWARE Win32/PrivateLoader Related Domain in DNS Lookup (fouratlinks .com)
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
Malware Config
C2 Extraction:
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Author: ditekSHen
Description: Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation
Author: ditekSHen
Description: Detects executables containing potential Windows Defender anti-emulation checks
Rule name: MALWARE_Win_DLInjector06
Author: ditekSHen
Description: Detects downloader / injector
Rule name: MALWARE_Win_OnlyLogger
Author: ditekSHen
Description: Detects OnlyLogger loader variants
Rule name: MALWARE_Win_RedLine
Author: ditekSHen
Description: Detects RedLine infostealer
Rule name: MALWARE_Win_Vidar
Author: ditekSHen
Description: Detects Vidar / ArkeiStealer
Rule name: pe_imphash
Rule name: privateloader
Author: andre@tavares.re
Description: PrivateLoader pay-per-install malware
Rule name: Redline_Stealer_Monitor
Description: Detects RedLine Stealer Variants
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash
Rule name: SUSP_XORed_Mozilla
Author: Florian Roth
Description: Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.
Reference: https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force()
Rule name: SUSP_XORed_Mozilla_RID2DB4
Author: Florian Roth
Description: Detects suspicious XORed keyword - Mozilla/5.0
Reference: Internal Research
Rule name: Vidar
Author: kevoreilly
Description: Vidar Payload
Rule name: win_privateloader
Rule name: win_vidar_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.vidar.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments