MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8b5a4e40ae69a6a40919083275f37fc759ab609f0aa9d2269135c34a3fe3f053. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8b5a4e40ae69a6a40919083275f37fc759ab609f0aa9d2269135c34a3fe3f053
SHA3-384 hash: 6913e14330f22bae84ef54637d359025fa03522f2899baf22bb0cddb5cbb07a3b52cd236032b4e160d7a6ee7cef603f5
SHA1 hash: bdd32c7da01a1d153481e151118cfd3e7f26fe04
MD5 hash: 74369e15aa4278df3fb48af38ff0f6c7
humanhash: bravo-berlin-harry-gee
File name:sotema_3.txt
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:704'000 bytes
First seen:2023-01-22 23:14:28 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 8e7bfbaa758514d278c068fc8527d288 (3 x Smoke Loader, 2 x RedLineStealer, 1 x Glupteba)
ssdeep 12288:33pNnMRrdyclGQimr1DfUYZh6SIm79ybWpncLshlN+tQazCbRwIg1CmkT9:7nMNdy01w8hDEWpcLshlCzKiIgU9
Threatray 774 similar samples on MalwareBazaar
TLSH T13AE4E0007BA2C035F9B701F86979936C693A7EA15B3040CB13E5E6EE5A346E5EC31367
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon ead8ac9cc6e68aa0 (3 x RedLineStealer, 1 x DanaBot, 1 x Amadey)
Reporter jstrosch
Tags:ArkeiStealer exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
218
Origin country :
US US
Vendor Threat Intelligence
Malware family:
socelars
Create hunting rule
ID:
1
File name:
HEUR-Trojan.Win32.Agent.gen-7a4df2fc82c0b553d.exe
Verdict:
Malicious activity
Analysis date:
2023-01-19 03:02:04 UTC
Tags:
evasion trojan socelars stealer loader amadey rat redline
Link:
https://app.any.run/tasks/fa598afc-e968-40fd-a724-acdc1ef44e2f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/355717/
Detection(s):
Win.Packed.Generic-9874443-0
Create hunting rule

Win.Packed.Generic-9882417-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Sending an HTTP GET request
DNS request
Sending a custom TCP request
Launching the default Windows debugger (dwwin.exe)
Query of malicious DNS domain
Sending a TCP request to an infection source
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/62338/overview
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
CPUID_Instruction
EvasionGetTickCount
EvasionQueryPerformanceCounter
CheckCmdLine
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
glupteba greyware mokes packed
Link:
https://www.filescan.io/uploads/63cdc37989bd67c10fd957b8/reports/fd4a74cb-2685-4cde-81a0-d0dc1253a58d/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2ac4b4a5-a5df-4566-8478-450f5365d890
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1156650
Signature
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8b5a4e40ae69a6a40919083275f37fc759ab609f0aa9d2269135c34a3fe3f053/
Threat name:
Win32.Ransomware.StopCrypt
Create hunting rule
Status:
Malicious
First seen:
2021-06-24 23:41:08 UTC
File Type:
PE (Exe)
Extracted files:
33
AV detection:
24 of 26 (92.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=rnne4qfongtkicizbazhl437y5m2wye7bku5ejurgxbuup7d6bjq._file
Verdict:
malicious
Similar samples:
659784641effc7de35c04bd4ca5e1a343d23047827cc57166fbb26fd39484767
ArkeiStealer
e3387d3f62414fb262da20e54d5775a647443b88cd8a0e738cdc488b95477d4e
ArkeiStealer
ef0c34580084f9855c1e5c3fa9d902688d400baabc7366c8da9ba3d4b708da49
ArkeiStealer
+ 764 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar botnet:706 stealer
Link:
https://tria.ge/reports/230122-28j1xsab47/
Behaviour
Modifies system certificate store
Suspicious use of WriteProcessMemory
Program crash
Vidar Stealer
Vidar
Malware Config
C2 Extraction:
https://sergeevih43.tumblr.com/
Unpacked files
SH256 hash:
796e9d8fb1b6857dccc422e0e1d40b365f87bc2cd15cd2a9c0b76a129fe9766d
MD5 hash:
21660edd8eb4141e734f65d0fe6e513a
SHA1 hash:
caa11e8c2a45c7dcc79f642bd5d97b59a0de67a0
Detections:
win_vidar_auto
Create hunting rule
Link:
https://www.unpac.me/results/cbbaa55e-b260-4b80-93b5-fa7f15adbd98/
Parent samples :
c03c8a4852301c1c54ed27ef130d0de4cdfb98584adef3dda2a096177016a18b
e3387d3f62414fb262da20e54d5775a647443b88cd8a0e738cdc488b95477d4e
1dcab4cdffdf269ea33719990ac81c515345b50fe1c60a3fe7e47d1a59fb7cc0
1a27e7943700b31774ab4347b5d2f92be9a50b8a7daeab5b066a0af53c11cdec
3e0c3d945255efa34ae84ba50f144ed86d2f23e451a6695e3c9120dc57632a3d
c5bf77877c8b8254ff63320397401444788b6ffcf7b0f7d4c31fef2d02132e4d
a62e5c321acf5b890bd7a235ea62b8a4061e9ceb1273310ac5ccae57d583cc5e
7236d2230905b8b69837f4771afd6cfedf8f53fa370bc6e40adde9d29a0b7153
7a4df2fc82c0b553d0b703f51635fd62cf02553706f942c66d752c1d8fae207b
8b5a4e40ae69a6a40919083275f37fc759ab609f0aa9d2269135c34a3fe3f053
SH256 hash:
8b5a4e40ae69a6a40919083275f37fc759ab609f0aa9d2269135c34a3fe3f053
MD5 hash:
74369e15aa4278df3fb48af38ff0f6c7
SHA1 hash:
bdd32c7da01a1d153481e151118cfd3e7f26fe04
Link:
https://www.unpac.me/results/cbbaa55e-b260-4b80-93b5-fa7f15adbd98/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8b5a4e40ae69a6a40919083275f37fc759ab609f0aa9d2269135c34a3fe3f053

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation
Create hunting rule
Author:ditekSHen
Description:Detects executables containing potential Windows Defender anti-emulation checks
Rule name:MALWARE_Win_Vidar
Create hunting rule
Author:ditekSHen
Description:Detects Vidar / ArkeiStealer
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:RedOctoberPluginCollectInfo
Create hunting rule
Rule name:Vidar
Create hunting rule
Author:kevoreilly
Description:Vidar Payload
Rule name:win_vidar_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.vidar.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/355717/

Comments