MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9246fb98c415ca4531a663cd71a3fa2a09843fe8ca84520891eda8fb57d42b31. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ArkeiStealer

Vendor detections: 15

Intelligence 15 IOCs YARA 10 File information Comments

SHA256 hash:	9246fb98c415ca4531a663cd71a3fa2a09843fe8ca84520891eda8fb57d42b31
SHA3-384 hash:	9e99ab78f0fdb3a73a01eeae406c24e58e66359f0c493325579ddca6c96f42aa7390798f8293792534bf4fd9307e8824
SHA1 hash:	2152a68d666039e737b2b4d2f1389334bd6fc763
MD5 hash:	e8fa74f4c311b7b81c65c31be3f27bf0
humanhash:	utah-eight-foxtrot-queen
File name:	file
Download:	download sample
Signature	ArkeiStealer Create hunting rule
File size:	1'040'384 bytes
First seen:	2023-07-10 18:17:40 UTC
Last seen:	2023-07-12 08:34:54 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	7d778758ec3a7b9a67aee00a1e103889 (1 x ArkeiStealer)
ssdeep	24576:h9z62mzCIUOk/nZTdqWYPEdx5Vdj1nhTN:P62nIDstgPwp1hTN
Threatray	11 similar samples on MalwareBazaar
TLSH	T19625AFAA5A4445E8C752023390AEC57344157CE3ABA074E5E749F22303B3E87EB7B67D
TrID	38.7% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 24.6% (.EXE) Win64 Executable (generic) (10523/12/4) 11.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 10.5% (.EXE) Win32 Executable (generic) (4505/5/1) 4.7% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	08480e0f0f0f3700 (1 x ArkeiStealer)
Reporter	andretavare5
Tags:	ArkeiStealer exe

andretavare5

Sample downloaded from https://vk.com/doc808950829_664026229?hash=cWKMfQXfaJw82pgsZ7yIQYwtTabYguamdTcELHwqFl8&dl=SEuvgDJN5kIvFZDBaSpodsLAvhLzGHHOD6dFmzYWpy4&api=1&no_preview=1#11

Intelligence

File Origin

# of uploads :

# of downloads :

323

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

file

Verdict:

No threats detected

Analysis date:

2023-07-10 18:20:35 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/b684f6b9-1e3b-4260-abf4-64a7d921ce62

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Vidar

Link:

https://www.capesandbox.com/analysis/414623/

Detection(s):

SecuriteInfo.com.Variant.Lazy.359476.20834.21362.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

DNS request

Sending a custom TCP request

Sending an HTTP GET request

Creating a file

Reading critical registry keys

Using the Windows Management Instrumentation requests

Creating a window

Stealing user critical data

Sending an HTTP GET request to an infection source

Result

Malware family:

n/a

Score:

6/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/97049/overview

Behaviour

MalwareBazaar

MeasuringTime

EvasionQueryPerformanceCounter

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

installer packed

Link:

https://www.filescan.io/uploads/64ac4b5bb1d2dc145c1c24ad/reports/a8116e39-26d5-4ff7-8049-0c1cb5b17d48/overview

Verdict:

Malicious

Labled as:

Lazy.Generic

Link:

https://www.hybrid-analysis.com/sample/9246fb98c415ca4531a663cd71a3fa2a09843fe8ca84520891eda8fb57d42b31

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Vidar

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/133526d1-9821-4bed-a88e-447f68d58173

Result

Threat name:

Vidar

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1270068

Behaviour

Behavior Graph:

n/a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/9246fb98c415ca4531a663cd71a3fa2a09843fe8ca84520891eda8fb57d42b31/

Threat name:

Win32.Trojan.Privateloader

Status:

Malicious

First seen:

2023-07-10 18:18:06 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

13 of 24 (54.17%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=sjdpxggecxfekmngmpgxdi72fieyip7izkcfecer5wupwv6ufmyq._file

Verdict:

malicious

ArkeiStealer

4c4e0fa35a2a634ad8c070f7ffe6f79f62ac9d12af74231797b68ece3e2cf1a1

ArkeiStealer

53a99e923bf781c9ec40617de5e2cbe99ece163b0d10a64dc767e4914ba5686b

ArkeiStealer

cc4fe2e3e3e91e0eaea7673afe3849e0f98d820742f790cccd6d7aacf2f07007

ArkeiStealer

d481da91692bf781cefe21ee5fbc3b22423df3370284c0d591959334b5185a06

ArkeiStealer

fa70210641dbdb01ebd60ff4b1e39efeeaa16d4570ef97f9f20824f5adb7d43c

ArkeiStealer

fcf0641fcc32da69751ebcce2f5d24213f90f0f9d008b29dea10bfeb356435c3

ArkeiStealer

+ 1 additional samples on MalwareBazaar

Result

Malware family:

vidar

Score:

10/10

Tags:

family:vidar botnet:1afa8b9542f648607426d2ee0b36d202 discovery spyware stealer

Link:

https://tria.ge/reports/230710-wxk6yscf28/

Behaviour

Checks processor information in registry

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Accesses 2FA software files, possible credential harvesting

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Loads dropped DLL

Reads user/profile data of web browsers

Vidar

Malware Config

C2 Extraction:

https://steamcommunity.com/profiles/76561199523054520
https://t.me/game4serv

Unpacked files

SH256 hash:

9246fb98c415ca4531a663cd71a3fa2a09843fe8ca84520891eda8fb57d42b31

MD5 hash:

e8fa74f4c311b7b81c65c31be3f27bf0

SHA1 hash:

2152a68d666039e737b2b4d2f1389334bd6fc763

Link:

https://www.unpac.me/results/d7f3f80b-9067-4eb5-966d-572f7a49fca4/

Malware family:

Vidar.A

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/9246fb98c415/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/9246fb98c415ca4531a663cd71a3fa2a09843fe8ca84520891eda8fb57d42b31

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	grakate_stealer_nov_2021 Create hunting rule

Rule name:	has_telegram_urls Create hunting rule
Author:	Aaron DeVera<aaron@backchannel.re>
Description:	Detects Telegram URLs

Rule name:	INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs Create hunting rule
Author:	ditekSHen
Description:	Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.

Rule name:	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA Create hunting rule
Author:	ditekSHen
Description:	Detects Windows executables referencing non-Windows User-Agents

Rule name:	meth_peb_parsing Create hunting rule
Author:	Willi Ballenthin

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	Telegram_Links Create hunting rule

Rule name:	Vidar Create hunting rule
Author:	kevoreilly,rony
Description:	Vidar Payload

Rule name:	win_vidar Create hunting rule
Author:	Matthew @ Embee_Research
Description:	Detection of Vidar Stealer and Variants via strings present in final unpacked payloads

Rule name:	win_vidar_strings_jun_2023 Create hunting rule
Author:	Matthew @ Embee_Research
Description:	Detection of Vidar Stealer and Variants via strings present in final unpacked payloads

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

Cape

https://www.capesandbox.com/analysis/414623/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample