MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8880c50c5b835f082ffc1b49fd4f53cfd795103b17b60587d7765556df418f8f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ArkeiStealer

Vendor detections: 10

Intelligence 10 IOCs YARA 7 File information Comments

SHA256 hash:	8880c50c5b835f082ffc1b49fd4f53cfd795103b17b60587d7765556df418f8f
SHA3-384 hash:	4657591aed410e1f852edf4c58c8836ff920bd161cda1075a4c8231e567332126ab0f374943b1ee1a5b4b36c72aa243b
SHA1 hash:	d653342eb665f82b336c7531eb10915509f6b7f3
MD5 hash:	8f0c690d27ce5ad69c5a145534e37b34
humanhash:	foxtrot-pip-florida-eighteen
File name:	file
Download:	download sample
Signature	ArkeiStealer Create hunting rule
File size:	500'736 bytes
First seen:	2022-09-26 07:57:52 UTC
Last seen:	2022-09-26 12:07:28 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	a05b6b647653f286b723f7b8ec217b15 (1 x ArkeiStealer)
ssdeep	12288:UN1cypy1o1sU+tR6EkMN9F8fXcGuudhDpstntJ6A2TD:UN5pH+PQEkMbF8fJ3Dpspy
Threatray	1 similar samples on MalwareBazaar
TLSH	T15BB4F111B9D18432C472253209F4DBBAA63DB9700B5659EFA7E80F7E4F303D19731A6A
TrID	48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 16.4% (.EXE) Win64 Executable (generic) (10523/12/4) 10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	andretavare5
Tags:	ArkeiStealer exe

andretavare5

Sample downloaded from https://vk.com/doc710354602_652445735?hash=gLnLuAk0vpVSvSoG4bMejDtLzdFZcA7bArZSNZKcmVH&dl=G4YTAMZVGQ3DAMQ:1663874328:ZhIeDZzEIhHcSebkgCKMFc8edquwyo9vESUXrHgKFUD&api=1&no_preview=1#svd1kus

Intelligence

File Origin

# of uploads :

# of downloads :

221

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/313465/

Detection(s):

SecuriteInfo.com.Variant.Lazy.203132.20742.21948.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a file in the system32 subdirectories

Creating a file

Sending a custom TCP request

Creating a file in the %AppData% subdirectories

Moving a file to the %AppData% subdirectory

Result

Malware family:

n/a

Score:

6/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/39176/overview

Behaviour

MalwareBazaar

MeasuringTime

EvasionQueryPerformanceCounter

CheckCmdLine

Verdict:

Suspicious

Threat level:

5/10

Confidence:

67%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/63315c044207caabde64e59a/reports/79fee8ca-bf53-4a05-8da8-4a2b7f184168/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/84b1d0e3-09b9-492c-b7ee-21efb57d4e32

Result

Threat name:

Vidar

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1078801

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Self deletion via cmd or bat file

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/8880c50c5b835f082ffc1b49fd4f53cfd795103b17b60587d7765556df418f8f/

Threat name:

Win32.Infostealer.Bandra

Status:

Malicious

First seen:

2022-09-25 04:22:30 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

21 of 26 (80.77%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=rcamkdc3qnpqql74dne72t2tz7lzkeb3c63alb6xozkvnx2br6hq._file

Verdict:

malicious

ArkeiStealer

Result

Malware family:

n/a

Score:

1/10

Tags:

n/a

Link:

https://tria.ge/reports/220926-jtt88shhh6/

Verdict:

Informative

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/4770e7d2-ab18-41df-aab5-3e7f3296218c

Unpacked files

SH256 hash:

f3aa6475086cad5924e3811dfe57f6b96093820db67a1030a24389b38b6f5980

MD5 hash:

11f78e39516074b90636a57d7a5c4972

SHA1 hash:

84aded6e32d8ba4eaac4a8b7d2371f91c7900e86

Detections:

win_vidar_auto

Link:

https://www.unpac.me/results/4f4f8780-458a-4793-a0fa-32b896f1fb48/

Parent samples :

d858f935b50e98ec5892abd549e73d303138cb2818436a270714537ab2f2664c
8880c50c5b835f082ffc1b49fd4f53cfd795103b17b60587d7765556df418f8f

SH256 hash:

8880c50c5b835f082ffc1b49fd4f53cfd795103b17b60587d7765556df418f8f

MD5 hash:

8f0c690d27ce5ad69c5a145534e37b34

SHA1 hash:

d653342eb665f82b336c7531eb10915509f6b7f3

Link:

https://www.unpac.me/results/4f4f8780-458a-4793-a0fa-32b896f1fb48/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/8880c50c5b835f082ffc1b49fd4f53cfd795103b17b60587d7765556df418f8f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	meth_peb_parsing Create hunting rule
Author:	Willi Ballenthin

Rule name:	RansomwareTest4 Create hunting rule
Author:	Daoyuan Wu
Description:	Test Ransomware YARA rules

Rule name:	RansomwareTest5 Create hunting rule
Author:	Daoyuan Wu
Description:	Test Ransomware YARA rules

Rule name:	RansomwareTest6 Create hunting rule
Author:	Daoyuan Wu
Description:	Test Ransomware YARA rules

Rule name:	RansomwareTest7 Create hunting rule
Author:	Daoyuan Wu
Description:	Test Ransomware YARA rules

Rule name:	win_vidar_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.vidar.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

Cape

https://www.capesandbox.com/analysis/313465/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample