MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 91a734562228b80d8c8cf131a07f054d9fbc7709a21dc8f89909a5ccceb1ceb7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ArkeiStealer

Vendor detections: 11

Intelligence 11 IOCs YARA 1 File information Comments

SHA256 hash:	91a734562228b80d8c8cf131a07f054d9fbc7709a21dc8f89909a5ccceb1ceb7
SHA3-384 hash:	932956e5dde1bf104e64b5d8f033af769cef27e93115bfee47d8174fdf47cc0760167494e91eceee585d587dfe8f9d2c
SHA1 hash:	e6ee448fe01db6d60760ed34a283f8172b0e93f2
MD5 hash:	7e941ecf4002b95a59a2c8cfe7e88624
humanhash:	venus-grey-spring-zulu
File name:	7e941ecf4002b95a59a2c8cfe7e88624.exe
Download:	download sample
Signature	ArkeiStealer Create hunting rule
File size:	887'808 bytes
First seen:	2022-11-19 07:11:41 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
ssdeep	24576:43i31tbTIv7798KFjruZWDUfAuTOAM5hSqzH:X31tXmaKFjwWeiAFqzH
Threatray	617 similar samples on MalwareBazaar
TLSH	T14615CF5CB72996D0C926897378C60312D3BADDE41C9DC2C26A3D3DD1BCB69C53A4A8DC
TrID	48.7% (.EXE) Win64 Executable (generic) (10523/12/4) 23.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 9.3% (.EXE) OS/2 Executable (generic) (2029/13) 9.2% (.EXE) Generic Win/DOS Executable (2002/3) 9.2% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):
dhash icon	f0f8dc9aaad4e8f0 (1 x ArkeiStealer)
Reporter	abuse_ch
Tags:	ArkeiStealer exe

Intelligence

File Origin

# of uploads :

# of downloads :

223

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

4d2a3cc1554ef983894618476b12b0a1.exe

Verdict:

Malicious activity

Analysis date:

2022-11-19 01:35:44 UTC

Tags:

installer opendir loader trojan stealer cryptbot evasion

Link:

https://app.any.run/tasks/814c7fdb-a720-4732-bfce-b8f0a43af11b

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/336041/

Detection(s):

SecuriteInfo.com.Malware.PDB-43.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a custom TCP request

Launching a process

Creating a file

Сreating synchronization primitives

DNS request

Sending an HTTP GET request

Reading critical registry keys

Running batch commands

Creating a process with a hidden window

Forced shutdown of a system process

Stealing user critical data

Unauthorized injection to a system process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/637881c86fda73cab64e78f6/reports/b9190280-158d-43fa-8963-d3eb994873a9/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/a12e11b1-64fc-4e91-b689-f2f1b6b675b8

Result

Threat name:

Vidar

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1117037

Signature

.NET source code contains very large array initializations

.NET source code references suspicious native API functions

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/91a734562228b80d8c8cf131a07f054d9fbc7709a21dc8f89909a5ccceb1ceb7/

Threat name:

Win64.Trojan.Injuke

Status:

Malicious

First seen:

2022-11-18 16:18:59 UTC

File Type:

PE+ (.Net Exe)

Extracted files:

AV detection:

17 of 26 (65.38%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=sgttivrcfc4a3dem6ey2a7yfjwp3y5yjuio4r6ezbgs4ztvrz23q._file

Verdict:

malicious

ArkeiStealer

1ee453a94d90e6bd3615d306d7139c3abb5b7ea4f9f817a10218606c4aadcddf

ArkeiStealer

2c965072de3cd60d9dc8c066b9e5bd3130e0d03a0502e9598dc5493b2297f290

ArkeiStealer

4da7f43fa70121be771a3049f7c19e864332e5311f14ee1eac2ea25d5349df31

ArkeiStealer

55cf18f4491e2db87c5612b2501dbbd3acd9c6460b1863ab56f5d9209cbecbdc

ArkeiStealer

8755b249212ed03acf40d6c02894ec5a48f62312d7f4dfb802cb17886d8c922f

ArkeiStealer

a17e38eb9cf906557d7e718135d95bb3d7683ddd40093c10b91414e0c84cbb1b

ArkeiStealer

af90b7982f9e83491575881365351306991619644e94fde6382d892f27a7fb1b

ArkeiStealer

c4a2d1a93c9da2d51ae8d0ef88b1dbf6fecd931714d9a09221c4f928f6861ce3

ArkeiStealer

d1ca3f8fb1acd28ee6ce1227880e74fca8aa908ca373931a5180f3cb76bb8fe1

ArkeiStealer

+ 607 additional samples on MalwareBazaar

Result

Malware family:

vidar

Score:

10/10

Tags:

family:vidar botnet:1707 stealer

Link:

https://tria.ge/reports/221119-h1hy4sea9t/

Behaviour

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of SetThreadContext

Loads dropped DLL

Vidar

Malware Config

C2 Extraction:

https://t.me/deadftx
https://www.tiktok.com/@user6068972597711

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/efe4d965-98da-4508-a9a6-22bd35caf3c9

Unpacked files

SH256 hash:

91a734562228b80d8c8cf131a07f054d9fbc7709a21dc8f89909a5ccceb1ceb7

MD5 hash:

7e941ecf4002b95a59a2c8cfe7e88624

SHA1 hash:

e6ee448fe01db6d60760ed34a283f8172b0e93f2

Link:

https://www.unpac.me/results/22a66415-2cae-46b0-93ab-989f991e7891/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/91a734562228/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/336041/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample