MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9579c6c9e07b1c6329bac90c764b3b427e0bfd97e797c5e5b9db1a7db477d5e7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9579c6c9e07b1c6329bac90c764b3b427e0bfd97e797c5e5b9db1a7db477d5e7
SHA3-384 hash: 2a724ffb02dee3af4d9399d2468baa1302fc62a2656185e73bad2a66d7991c89164888f88c8753364da69ea97fa8d41c
SHA1 hash: 8cae343f019c102382fe0f71ba82457efae941bd
MD5 hash: 67201a471f81ad7faf702c15483f97bd
humanhash: april-batman-freddie-white
File name:67201a471f81ad7faf702c15483f97bd
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:1'924'256 bytes
First seen:2022-11-17 15:04:00 UTC
Last seen:2022-11-17 16:52:57 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 50712ab27b49fdb22a0256a270d2c961 (2 x RemcosRAT, 2 x ArkeiStealer, 1 x RecordBreaker)
ssdeep 24576:W4aRznObHhBiqpDlxaPggDXchm3IKUnrpKXv2OH5rR9IAfMcuK8Bgrlj8Rq0o2:Qh4iqpD3a4wXchv7p2vbxfMmbBG
Threatray 16'495 similar samples on MalwareBazaar
TLSH T1DD95CFB4D302BAEFE30D15F941B2BF53117C66442B128B2A9D4D6E250B37997B8D883D
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon d4cca89496a0ccb2 (2 x AgentTesla, 1 x Loki, 1 x ArkeiStealer)
Reporter zbetcheckin
Tags:32 ArkeiStealer exe signed

Code Signing Certificate

Organisation:*.tutubamba.com
Issuer:*.tutubamba.com
Algorithm:sha256WithRSAEncryption
Valid from:2022-11-15T14:20:25Z
Valid to:2023-11-15T14:40:25Z
Serial number: 66ddcd2b87d8158a4040fad8315f9fb7
Thumbprint Algorithm:SHA256
Thumbprint: 6497c5643d2ff5082719bf9179a6ad9334fa1bae21fffbf8d12c6421bbbf684d
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
239
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
vidar
Create hunting rule
ID:
1
File name:
67201a471f81ad7faf702c15483f97bd
Verdict:
Malicious activity
Analysis date:
2022-11-17 15:06:13 UTC
Tags:
trojan stealer vidar
Link:
https://app.any.run/tasks/f6bece4d-cbd7-4d58-813e-af5f0b2680f2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/335382/
Detection(s):
SecuriteInfo.com.Win32.CrypterX-gen.14887.24790.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
DNS request
Сreating synchronization primitives
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Reading critical registry keys
Running batch commands
Creating a process with a hidden window
Launching a process
Stealing user critical data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware overlay packed
Link:
https://www.filescan.io/uploads/63764d63f75d59fef0b9ae93/reports/218fc770-86af-41b4-8263-ef07dd58febf/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d0d2cfe0-cefd-4cbc-8aec-8b6a9ab583ed
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1116098
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Self deletion via cmd or bat file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9579c6c9e07b1c6329bac90c764b3b427e0bfd97e797c5e5b9db1a7db477d5e7/
Threat name:
Win32.Infostealer.Bandra
Create hunting rule
Status:
Malicious
First seen:
2022-11-16 06:57:39 UTC
File Type:
PE (Exe)
Extracted files:
7
AV detection:
19 of 38 (50.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=sv44nspapmoggkn2zeghmsz3ij7ax7mx46l4lznz3mnh3ndx2xtq._file
Verdict:
malicious
Similar samples:
040aa152e739826874a268f4ffb8be80dd256e7817cdb2c25329d25a5264671e
ArkeiStealer
2bc35780b427873d03d777f75b112473d6593fdf7eab195dd75a6ba1ec1daec9
ArkeiStealer
2fbf3507320d77ce68ad429c66ddcf0d53cedcb3cf8396c1057c820737bf9e11
ArkeiStealer
4268c628b2cfcf6700dc00f43a474bd0fa720b43008bc3684631453542523bea
ArkeiStealer
49263745f35d59a6845e6d654980d96ec831d0f7be41ae11a4669098f3a50740
ArkeiStealer
6aa8c7811e02d48797f51fd635e97060112122222638a725306ba6b690f691d1
ArkeiStealer
9579c6c9e07b1c6329bac90c764b3b427e0bfd97e797c5e5b9db1a7db477d5e7
ArkeiStealer
9d5670638fac6e9e5670cd6985894e9b2fcf1fb334973e5e3424fb246f835e11
ArkeiStealer
ba4fb2a15fa8baf942cdb9bddc882288290dbb6663b701b67e9ae48c85d362cb
ArkeiStealer
+ 16'485 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar botnet:1754 discovery spyware stealer
Link:
https://tria.ge/reports/221117-sfk8vaaf8y/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks computer location settings
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Vidar
Malware Config
C2 Extraction:
https://t.me/deadftx
https://www.ultimate-guitar.com/u/smbfupkuhrgc1
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/fc4a2aa9-7830-4b0d-9ac8-19954a0c977e
Unpacked files
SH256 hash:
073e00c11a7b5d9bf2cd743d95fbc28dbfb2982a1557a123fac5a8599dfd5360
MD5 hash:
e8d186ff7fa4e62e67a6e3a800a818f4
SHA1 hash:
47d11efb9e8da9acfc6a729069574963a041722c
Link:
https://www.unpac.me/results/67950ceb-536d-49e6-8a7c-f761e7011767/
SH256 hash:
9579c6c9e07b1c6329bac90c764b3b427e0bfd97e797c5e5b9db1a7db477d5e7
MD5 hash:
67201a471f81ad7faf702c15483f97bd
SHA1 hash:
8cae343f019c102382fe0f71ba82457efae941bd
Link:
https://www.unpac.me/results/67950ceb-536d-49e6-8a7c-f761e7011767/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/9579c6c9e07b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ArkeiStealer

Executable exe 9579c6c9e07b1c6329bac90c764b3b427e0bfd97e797c5e5b9db1a7db477d5e7

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2422665/
Cape
Cape
https://www.capesandbox.com/analysis/335382/

Comments


Avatar
zbet commented on 2022-11-17 15:04:05 UTC

url : hxxps://360tradeoption.com/resource.bin