MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 934be33621f60d5c6026af662631a4de2c054ccd0f132b268e721c73afc8aa37. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ArkeiStealer

Vendor detections: 11

Intelligence 11 IOCs YARA 3 File information Comments

SHA256 hash:	934be33621f60d5c6026af662631a4de2c054ccd0f132b268e721c73afc8aa37
SHA3-384 hash:	71ed525445a284260cf651ace99db8751019e835441f2c7594ea9c41e26b22217d1623a2e83f021082cbe987431a53a9
SHA1 hash:	8b9552dc04c79158f51f46a2173a38177352360f
MD5 hash:	58530e234f7de9d773c6590df3b07b77
humanhash:	minnesota-twelve-river-jersey
File name:	file
Download:	download sample
Signature	ArkeiStealer Create hunting rule
File size:	1'549'552 bytes
First seen:	2022-12-17 18:21:02 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	b1399b38767d07f0b2ef1eaad9b63399 (2 x ArkeiStealer, 1 x LgoogLoader)
ssdeep	24576:ACDx4JWz07p9MVQOL8pXSeKKab0aNM9DKE0u6CPT/QO/gvGYkf1fXchNkqcfUxwJ:ACDxk+0ipuSPvb0BDz0yFbdfXMNG3PWi
Threatray	1'093 similar samples on MalwareBazaar
TLSH	T1A5757CE7A03945C5C5B27A36719A83D7E128EC2306EF51BFF544EC0E6EB2186106F19B
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	32e4d2d24464612d (1 x ArkeiStealer)
Reporter	andretavare5
Tags:	ArkeiStealer exe signed

Code Signing Certificate

Organisation:	turbo-prd.intuit.com
Issuer:	DigiCert SHA2 Extended Validation Server CA
Algorithm:	sha256WithRSAEncryption
Valid from:	2022-06-28T00:00:00Z
Valid to:	2023-07-28T23:59:59Z
Serial number:	0357d6d0586290aa0ea19a604d87b9b5
Intelligence:	2 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:	SHA256
Thumbprint:	6b4167852d3e20d2854bb17b89ae9b81d3e4fd7fcfe0c1fb1a860c498553a132
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

andretavare5

Sample downloaded from http://91.213.50.96/files/hobnob.exe

Intelligence

File Origin

# of uploads :

# of downloads :

195

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

vidar

ID:

File name:

file

Verdict:

Malicious activity

Analysis date:

2022-12-17 18:23:18 UTC

Tags:

trojan stealer vidar

Link:

https://app.any.run/tasks/2f89f39a-9d4e-41af-9909-44bc10ac415f

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/347388/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

DNS request

Сreating synchronization primitives

Sending an HTTP GET request

Creating a file

Reading critical registry keys

Using the Windows Management Instrumentation requests

Running batch commands

Creating a process with a hidden window

Launching a process

Stealing user critical data

Gathering data

Result

Verdict:

SUSPICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/7badd758-49f8-4c1a-94bb-8f0670ef86ee

Result

Threat name:

Vidar

Detection:

malicious

Classification:

troj.spyw

Score:

92 / 100

Link:

https://www.joesandbox.com/analysis/1136345

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Self deletion via cmd or bat file

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

Gathering data

Threat name:

Win32.Spyware.Vidar

Status:

Malicious

First seen:

2022-12-17 18:22:09 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

10 of 26 (38.46%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=snf6gnrb6ygvyybgv5tcmmne3ywaktgnb4jswjuooiohhl6ivi3q._file

Verdict:

malicious

ArkeiStealer

16d90becedc8db98707d9959052f4e686066eab7ae751b1582016602d5208600

ArkeiStealer

40d0734b985f3b131a175222639d0621b1f7f7a0f90674c676df80191fb215aa

ArkeiStealer

a06867c5e8f32e4f33fc0455b26a792eb1647178918628765aec756c1a21c382

ArkeiStealer

ccd8f858057e8f7b43f3ae2490de946c65dab843514f0239bd9f50ba207fb8da

ArkeiStealer

ce6cc42aa09da7448f7ba9a992584cdd69e76b3759edfabb1cfcadea4edf2abe

ArkeiStealer

cf7e87560e6226eca45aa85b0b0b7b0791c08a94c105e7263cd762a56b02154b

ArkeiStealer

db63bcace9a0c31bb174200f93661ff44664634a56b4c05145bbf382d33451f8

ArkeiStealer

e9dfa7091ae536608ed7d95240cb6abba1033e14af969d271c804edf477ea387

ArkeiStealer

+ 1'083 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/221217-wzcmlabh4w/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Program crash

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/cc47adb9-8f70-4a5e-badd-f946b6f1b64b

Unpacked files

SH256 hash:

fb2a029bacb0b8600da35bc20bd42c96b2b5fde672f8a472787f0f613e5b3e1e

MD5 hash:

ab468dd06aba014125a0d07eb52ac622

SHA1 hash:

c5372ec2eb769661b1457e08c20ad72ffe9e0ba2

Link:

https://www.unpac.me/results/333ee2e4-8ab0-479c-9f11-93ea58b40c82/

SH256 hash:

934be33621f60d5c6026af662631a4de2c054ccd0f132b268e721c73afc8aa37

MD5 hash:

58530e234f7de9d773c6590df3b07b77

SHA1 hash:

8b9552dc04c79158f51f46a2173a38177352360f

Link:

https://www.unpac.me/results/333ee2e4-8ab0-479c-9f11-93ea58b40c82/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/934be33621f6/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/934be33621f60d5c6026af662631a4de2c054ccd0f132b268e721c73afc8aa37

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	malware_shellcode_hash Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect shellcode api hash value

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

Cape

https://www.capesandbox.com/analysis/347388/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample