MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 942f4661c17b49061467e305b9d5fe5be2a061f1def29bec379c7588149dc6e1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 8


Intelligence 8 IOCs YARA 5 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 942f4661c17b49061467e305b9d5fe5be2a061f1def29bec379c7588149dc6e1
SHA3-384 hash: ab16692c53a0822449eb3cd7d6c2b96cff44ae4856b2a6a94122a3e6ab0e16949cf38c42478ef1c05125f64f19b58d14
SHA1 hash: b44dd52e92b0d9eb6e7a4b242819f0687e137d03
MD5 hash: c309d31a1e63d91902f57babfc2ef7a8
humanhash: jersey-helium-michigan-wisconsin
File name:c309d31a1e63d91902f57babfc2ef7a8.exe
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:575'488 bytes
First seen:2021-04-21 15:06:57 UTC
Last seen:2021-04-21 16:07:19 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 8fd60dafad060fd6212af469fec2faa3 (5 x ArkeiStealer, 4 x RedLineStealer)
ssdeep 12288:b4UR6OLWZuK/2jkBsb9OyTQYN+ic0m+hWU7PxB4dj4:HR6iGN/exbcysc4+hWU7My
Threatray 659 similar samples on MalwareBazaar
TLSH 2EC4F0317681CC32D05240B64619CBB18E7B7CBA5A1DADCB7BC51BB80F252E5F61BB09
Reporter abuse_ch
Tags:ArkeiStealer exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
127
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/142215/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware1.31599.23310.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending a custom TCP request
Creating a file
Connection attempt
Sending an HTTP GET request
Sending a UDP request
Deleting a recently created file
Replacing files
Reading critical registry keys
Delayed writing of the file
Running batch commands
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Searching for the window
Launching a process
Stealing user critical data
Launching a tool to kill processes
Forced shutdown of a browser
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/691265
Signature
Country aware sample found (crashes after keyboard check)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/942f4661c17b49061467e305b9d5fe5be2a061f1def29bec379c7588149dc6e1/
Threat name:
Win32.Trojan.Chapak
Create hunting rule
Status:
Malicious
First seen:
2021-04-21 15:14:27 UTC
AV detection:
17 of 28 (60.71%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=sqxumyobpneqmfdh4mc3tvp6lprkaypr33zjx3bxtr2yqfe5y3qq._file
Verdict:
malicious
Similar samples:
034e1739b306d259b4cff7a3954200468ea2577f716c10346f3e7f86cd5b4ad7
ArkeiStealer
1b9d19121084397c2e419fc9d37fa9ed7be2b7f772f3be94e83c20642b178d0a
ArkeiStealer
3aecc29c243a0781768603d0a25b331963aaa1ef6a56f0677eb760a34bf2ea2c
ArkeiStealer
4ea6fdc5d3e43ec34dc3ab0452653cd3025050478065633bd992403009639337
ArkeiStealer
5ec867a0bdc659c8266dd9000d873495170cdd9e9b4687749966260bab4a55f0
ArkeiStealer
6e103abcfb4169053025991dbb9032edde3809fc42403f5d107d0d29237ba971
ArkeiStealer
a1e4b4392a9f93d88db073b123bc5a9a186157f5afaa9bf5433a71e5f7756192
ArkeiStealer
aac55c1eebf403b1c8db9eed2812e6a84d95f4321738bd09bb4fd6630db94b96
ArkeiStealer
b8a1b4a3338480556ea537f577d27f4506280f77eb0834f92568ae412f66cd7a
ArkeiStealer
ef8005272329b2b0185a50722611c97629694f2a4c7d5ab68e77b7506f708138
ArkeiStealer
+ 649 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar discovery spyware stealer
Link:
https://tria.ge/reports/210421-2fm2d1kp9x/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Deletes itself
Loads dropped DLL
Reads local data of messenger clients
Reads user/profile data of web browsers
Downloads MZ/PE file
Vidar
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/942f4661c17b49061467e305b9d5fe5be2a061f1def29bec379c7588149dc6e1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers
Rule name:MALWARE_Win_Vidar
Create hunting rule
Author:ditekSHen
Description:Detects Vidar / ArkeiStealer
Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del
Rule name:win_vidar_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ArkeiStealer

Executable exe 942f4661c17b49061467e305b9d5fe5be2a061f1def29bec379c7588149dc6e1

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/142215/
  
URLhaus
https://urlhaus.abuse.ch/url/1147399/
  
Delivery method
Distributed via web download

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-04-21 16:09:01 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0009.029] Anti-Behavioral Analysis::Instruction Testing
1) [B0012.001] Anti-Static Analysis::Argument Obfuscation
2) [C0003.002] Communication Micro-objective::Connect Pipe::Interprocess Communication
3) [C0049] File System Micro-objective::Get File Attributes
4) [C0051] File System Micro-objective::Read File
5) [C0052] File System Micro-objective::Writes File
6) [C0007] Memory Micro-objective::Allocate Memory
7) [C0034.001] Operating System Micro-objective::Set Variable::Environment Variable
8) [C0040] Process Micro-objective::Allocate Thread Local Storage
9) [C0041] Process Micro-objective::Set Thread Local Storage Value
10) [C0018] Process Micro-objective::Terminate Process