MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9068226836b564e7d81a13c015a217bc2870dcfab4bd643c87a4551b6f9d2c97. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9068226836b564e7d81a13c015a217bc2870dcfab4bd643c87a4551b6f9d2c97
SHA3-384 hash: 78670c55ce5820c8503c189c7a14fb058c898b9948d7c253b589aa0b3d896e3385e0a49a95b826a6d4706974823b2c24
SHA1 hash: 99014b77236472549c84c5295e5c41b8be2f1b6f
MD5 hash: 4e120e201ef1e0c75a923215aa66e07b
humanhash: potato-august-dakota-ceiling
File name:4e120e201ef1e0c75a923215aa66e07b
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:691'712 bytes
First seen:2021-09-04 02:44:40 UTC
Last seen:2021-09-04 04:19:53 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash c4966332d8b4d65c8c07803cb5fb54a5 (4 x Stop, 2 x ArkeiStealer, 1 x RaccoonStealer)
ssdeep 12288:qwXJkb4f2LnqOjfkvHcgd3rXWDFbiAEM5lLVXbRWRPM5pBfdIyt/W7THlS:pKnLkv8gB0GAEM5lLVrclkvlH/qJS
Threatray 2'701 similar samples on MalwareBazaar
TLSH T1CAE40260265C943BD1A7C6778826CED4D93EFD61F9A84042B625272F1D30FE09622F9F
dhash icon fcfcf4f4d4dcd8c8 (11 x RaccoonStealer, 3 x ArkeiStealer, 3 x RedLineStealer)
Reporter zbetcheckin
Tags:32 ArkeiStealer exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
140
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
4e120e201ef1e0c75a923215aa66e07b
Verdict:
Malicious activity
Analysis date:
2021-09-04 02:45:34 UTC
Tags:
trojan stealer vidar loader
Link:
https://app.any.run/tasks/3d98dcc5-77d1-42e4-b16e-57bfcc4e6388

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Vidar
Create hunting rule
Link:
https://www.capesandbox.com/analysis/185241/
Detection(s):
SecuriteInfo.com.Variant.Fragtor.15265.15650.7231.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Launching the default Windows debugger (dwwin.exe)
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Deleting a recently created file
Replacing files
Sending a UDP request
Reading critical registry keys
Creating a window
Delayed writing of the file
Running batch commands
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Searching for the window
Launching a process
Stealing user critical data
Launching a tool to kill processes
Forced shutdown of a browser
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8a93602a-21e7-4c2d-a576-cf25578de8f6
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/845113
Signature
Country aware sample found (crashes after keyboard check)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Vidar
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 477544 Sample: yKJcEpcQfF Startdate: 04/09/2021 Architecture: WINDOWS Score: 100 48 Multi AV Scanner detection for domain / URL 2->48 50 Found malware configuration 2->50 52 Multi AV Scanner detection for submitted file 2->52 54 5 other signatures 2->54 6 yKJcEpcQfF.exe 72 2->6         started        process3 dnsIp4 42 49.12.198.69, 49700, 49706, 80 HETZNER-ASDE Germany 6->42 44 romkaxarit.tumblr.com 74.114.154.22, 443, 49699 AUTOMATTICUS Canada 6->44 46 192.168.2.1 unknown unknown 6->46 20 C:\Users\user\AppData\Local\...\nss3[1].dll, PE32 6->20 dropped 22 C:\Users\user\AppData\...\freebl3[1].dll, PE32 6->22 dropped 24 C:\Users\user\AppData\...\msvcp140[1].dll, PE32 6->24 dropped 26 9 other files (none is malicious) 6->26 dropped 56 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 6->56 58 Tries to harvest and steal browser information (history, passwords, etc) 6->58 60 Tries to steal Crypto Currency Wallets 6->60 11 WerFault.exe 9 6->11         started        14 WerFault.exe 9 6->14         started        16 WerFault.exe 9 6->16         started        18 7 other processes 6->18 file5 signatures6 process7 file8 28 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 11->28 dropped 30 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 14->30 dropped 32 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 16->32 dropped 34 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 18->34 dropped 36 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 18->36 dropped 38 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 18->38 dropped 40 4 other malicious files 18->40 dropped
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9068226836b564e7d81a13c015a217bc2870dcfab4bd643c87a4551b6f9d2c97/
Threat name:
Win32.Trojan.Fragtor
Create hunting rule
Status:
Malicious
First seen:
2021-09-04 02:45:10 UTC
AV detection:
25 of 43 (58.14%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=sbuce2bwwvsopwa2cpabliqxxquhbxh2ws6wipehurkrw345fslq._file
Verdict:
unknown
Similar samples:
473eca1ccf2024b4d34ad5aa69fa5e2d9319fff477dbaa816a9a71c594d41f63
ArkeiStealer
8ab29d844bc01a8704cd7669bbfe6dbe6f501a7f01f476d2a4ef41bc2b8a4fd6
ArkeiStealer
9cbaafcc5fabe81105cbe09a869c1576dcb8c09c53386a6426ebead635502a67
ArkeiStealer
b3748a0976c91a7310d0d38d42c91b1d7ba37364d58c5bed902cc6641d31cadc
ArkeiStealer
b37f9988861fbdcdf6d9767818f6099a4f6773553bde2fe24c075e8405fbf869
ArkeiStealer
c5b314e206019ebad6abbb02e10d8e20e6f772573f3fc71d07c0b8b036abe681
ArkeiStealer
ca3291276c2ca7e712a191660b9c19eee9395d4d5f5851a5c7fadae04cabc4d4
ArkeiStealer
d17232b6e5a4cae1fa103f41c0ad7ef276891226b65fa0f9bc371ac80aa672f5
ArkeiStealer
e0a10b9883175aaf59200cd47395e8cc9e40972cb235622e2dd699563938aec3
ArkeiStealer
fa64812b8f99fb65a97c6fbbf395c2fb891ba7647135d1a304cb6255bd6dc1a9
ArkeiStealer
+ 2'691 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar botnet:1002 discovery spyware stealer
Link:
https://tria.ge/reports/210904-c8q2ssghcl/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Vidar Stealer
Suspicious use of NtCreateProcessExOtherParentProcess
Vidar
Malware Config
C2 Extraction:
https://romkaxarit.tumblr.com/
Unpacked files
SH256 hash:
846b2464c47b11d28d603697ff884133a8409d1298806991e154a84c15b75f9c
MD5 hash:
271e205c6b1dee8792c560b7d758110b
SHA1 hash:
5e4e66d108db4c0116bc8c2dd0521733e154796b
Detections:
win_oski_g0
Create hunting rule
Link:
https://www.unpac.me/results/b1b2f362-d14b-406f-b633-ef74c5aec288/
SH256 hash:
9068226836b564e7d81a13c015a217bc2870dcfab4bd643c87a4551b6f9d2c97
MD5 hash:
4e120e201ef1e0c75a923215aa66e07b
SHA1 hash:
99014b77236472549c84c5295e5c41b8be2f1b6f
Link:
https://www.unpac.me/results/b1b2f362-d14b-406f-b633-ef74c5aec288/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9068226836b564e7d81a13c015a217bc2870dcfab4bd643c87a4551b6f9d2c97

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation
Create hunting rule
Author:ditekSHen
Description:Detects executables containing potential Windows Defender anti-emulation checks
Rule name:MALWARE_Win_Vidar
Create hunting rule
Author:ditekSHen
Description:Detects Vidar / ArkeiStealer
Rule name:Vidar
Create hunting rule
Author:kevoreilly
Description:Vidar Payload

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ArkeiStealer

Executable exe 9068226836b564e7d81a13c015a217bc2870dcfab4bd643c87a4551b6f9d2c97

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/185241/
  
URLhaus
https://urlhaus.abuse.ch/url/1590491/

Comments


Avatar
zbet commented on 2021-09-04 02:44:41 UTC

url : hxxp://37.0.10.214/US/Soft-win.exe