MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8e5dbdde66ba84fd730b82c4b312107049537a5adb2309068c84892f0315053e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8e5dbdde66ba84fd730b82c4b312107049537a5adb2309068c84892f0315053e
SHA3-384 hash: 5e730858f75d04322912284efad7cb97c199195680d96d59e045b515bc65dd44baa8e4bda65a145b3871ae03695fa7e6
SHA1 hash: 78f42e6d0aa474f990fe7ec03bf82c6add7956dc
MD5 hash: b475cb12823bdcd64be9895e5b238d1d
humanhash: beryllium-zulu-sodium-march
File name:b475cb12823bdcd64be9895e5b238d1d
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:587'776 bytes
First seen:2021-07-28 19:27:39 UTC
Last seen:2021-07-28 21:35:49 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 25027d61d8944eeff611c4ecc2e7c65c (3 x ArkeiStealer, 2 x Smoke Loader, 2 x GCleaner)
ssdeep 12288:46e3NPOq9//TiFO0FS58/lLhW1SGvnGCdNwNsAU4WjY0/OFwa:43NPO0rqn6Tw+74J0Wa
Threatray 1'653 similar samples on MalwareBazaar
TLSH T1F9C4F130A7D0C034F9FB16F549FA9368652E7A712F2452CB62D526DA1728BE8DC31387
dhash icon d4b269969669b2d4 (4 x ArkeiStealer, 1 x NetSupport)
Reporter zbetcheckin
Tags:32 ArkeiStealer exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
113
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
b475cb12823bdcd64be9895e5b238d1d
Verdict:
Malicious activity
Analysis date:
2021-07-28 19:28:24 UTC
Tags:
trojan stealer vidar loader
Link:
https://app.any.run/tasks/1bdda794-7a77-4c51-b626-c8bc918a724d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Vidar
Create hunting rule
Link:
https://www.capesandbox.com/analysis/174832/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware1.8403.9725.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Vidar
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3fce29a5-9a4a-4809-b331-724ff2d7a9e3
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/823369
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Vidar
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
Gathering data
Threat name:
Win32.Trojan.Caynamer
Create hunting rule
Status:
Malicious
First seen:
2021-07-28 19:28:11 UTC
AV detection:
16 of 28 (57.14%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
08c672cbfc638f1cde4a502afb6b0b907b0a665a6b487a9552cbf48abcb516a1
ArkeiStealer
3cee28ef52c59c99b841c6927f5085e483523cb8b606ff9ce5d60b3c13574545
ArkeiStealer
474a473bf46fdbfb5a9344937674c1455d764e74c2cd8892da7d59f68ffadd5c
ArkeiStealer
72b24e99cdd46d7cee31af6d8858782b775db1753d4ed954774a2b1306d5dd89
ArkeiStealer
87be6f628553d89007fd8f7d0758d42906f2ee7d84ca18e961cb463921061a42
ArkeiStealer
a651672f98fba458ca8b6861557119c81d12afcb705c457d65dd2b44dcc499fe
ArkeiStealer
b8b2077a4b818a377153b24328151956d8b13a16bda54c82c9be894fa87eed91
ArkeiStealer
+ 1'643 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar botnet:828 discovery spyware stealer suricata
Link:
https://tria.ge/reports/210728-pbwk6b76va/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Vidar Stealer
Vidar
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
Malware Config
C2 Extraction:
https://xeronxikxxx.tumblr.com/
Unpacked files
SH256 hash:
4aa1342c81f1ded911266a85df19e47dc18eb8614bc6993b4c41ead37cd8ef22
MD5 hash:
cc3b4532b29e3ed16a7d7df7046f17c9
SHA1 hash:
58fa80d37be140f7de31adc4bf8a710433f63e8d
Link:
https://www.unpac.me/results/63f4a04f-425f-4e19-932c-72dd5b7b9480/
SH256 hash:
8e5dbdde66ba84fd730b82c4b312107049537a5adb2309068c84892f0315053e
MD5 hash:
b475cb12823bdcd64be9895e5b238d1d
SHA1 hash:
78f42e6d0aa474f990fe7ec03bf82c6add7956dc
Link:
https://www.unpac.me/results/63f4a04f-425f-4e19-932c-72dd5b7b9480/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8e5dbdde66ba84fd730b82c4b312107049537a5adb2309068c84892f0315053e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ArkeiStealer

Executable exe 8e5dbdde66ba84fd730b82c4b312107049537a5adb2309068c84892f0315053e

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1488067/
Cape
Cape
https://www.capesandbox.com/analysis/174832/

Comments


Avatar
zbet commented on 2021-07-28 19:27:40 UTC

url : hxxp://147.124.222.75/Bendor.exe