MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 96448cf668bf7268d6ffbe37fc7d6ade1c89a1af67153a9a2c90d081fa897a22. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ArkeiStealer

Vendor detections: 10

Intelligence 10 IOCs YARA 5 File information Comments

SHA256 hash:	96448cf668bf7268d6ffbe37fc7d6ade1c89a1af67153a9a2c90d081fa897a22
SHA3-384 hash:	de8b0a9dffbcd2adbda65bef37a98eca20d798ace818171d48d1b04d7b8ccdd74de7a0b6e62af1b3fd62d4447e6f3d19
SHA1 hash:	89c8b293ebd46a7fcfda74988248238602721df3
MD5 hash:	0109d859430f1420efaed6f1b4e54ce3
humanhash:	ink-muppet-floor-single
File name:	0109d859430f1420efaed6f1b4e54ce3.exe
Download:	download sample
Signature	ArkeiStealer Create hunting rule
File size:	531'968 bytes
First seen:	2021-04-29 13:00:17 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	27739a2cd475da43e4c647ef57babdb9 (1 x ArkeiStealer, 1 x RedLineStealer)
ssdeep	12288:lq6CNlWsTCvN4xdyLSWlMgRRq1cOOHJF:HyWs9yeWJG+OOpF
Threatray	727 similar samples on MalwareBazaar
TLSH	5AB4120131D1C172D49726BB8465CBB46AAF79211A562F9E0FCE22F80F253E5EB3471E
Reporter	abuse_ch
Tags:	ArkeiStealer exe

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Predatorthethief

Link:

https://www.capesandbox.com/analysis/146689/

Result

Verdict:

Malware

Maliciousness:

Behaviour

DNS request

Sending a custom TCP request

Creating a file

Connection attempt

Sending an HTTP GET request

Deleting a recently created file

Replacing files

Reading critical registry keys

Delayed writing of the file

Sending a UDP request

Running batch commands

Creating a process with a hidden window

Using the Windows Management Instrumentation requests

Searching for the window

Launching a process

Stealing user critical data

Launching a tool to kill processes

Forced shutdown of a browser

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Vidar

Detection:

malicious

Classification:

phis.troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/702451

Signature

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Crypto Currency Wallets

Tries to steal Instant Messenger accounts or passwords

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/96448cf668bf7268d6ffbe37fc7d6ade1c89a1af67153a9a2c90d081fa897a22/

Threat name:

Win32.Trojan.Glupteba

Status:

Malicious

First seen:

2021-04-29 13:01:48 UTC

AV detection:

17 of 29 (58.62%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=szciz5tix5zgrvx7xy37y7lk3yoitinpm4ktvgrmsdiid6ujpira._file

Verdict:

malicious

ArkeiStealer

387db5d0fff6033a701405b93c2c600aecf09e2610a31a1495b61f0c54fa822b

ArkeiStealer

4139739d5bfa8330e095a68c658040fb42c75cde651e3baa8afafb4fc557b202

ArkeiStealer

4a891dc9dba8058c5a26aee7c2a25d2f4a10fd1acde4680d53c2957c8339d43a

ArkeiStealer

5114da99edb9632526115354fe8f2a052c84c5da406a923799539fc92df4c9c0

ArkeiStealer

84343112791c187d10af9cea8fac68cf4fc03d72352f1fe2def0bf72f9a9afc7

ArkeiStealer

a0ac775ecbfa0ab3218e32b09a0d4fdcd82e7ceaa31241dc106c4fc77e9b5ddb

ArkeiStealer

d2d27adf86c11aade4e8c6a63223f21709382df7266e6889775db56b625cf8fa

ArkeiStealer

ea077019bc7eed24cd45cf0e7b78d8a90ee8a7b8e6a7c7e994d1f62954d00c39

ArkeiStealer

f0d7fc1a1d1800ff702c591a3e9b8c30cb81220d57de13c33875299275f65de1

ArkeiStealer

+ 717 additional samples on MalwareBazaar

Result

Malware family:

vidar

Score:

10/10

Tags:

family:vidar discovery spyware stealer

Link:

https://tria.ge/reports/210429-gfdw6dgxze/

Behaviour

Checks processor information in registry

Delays execution with timeout.exe

Kills process with taskkill

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Accesses 2FA software files, possible credential harvesting

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Deletes itself

Loads dropped DLL

Reads local data of messenger clients

Reads user/profile data of web browsers

Downloads MZ/PE file

Vidar

Unpacked files

SH256 hash:

436275cc2f151d14a95004b9974f1e3aa965f860aa76a33bb5e477932049e813

MD5 hash:

ac9ef3cfa081d57337b0dc73fd3954b1

SHA1 hash:

7b8fcac3b54ac3d40ad94c254086cd0f04493ced

Detections:

win_vidar_auto

Link:

https://www.unpac.me/results/9e408ba1-d6c3-427f-a997-53b45bd78c5f/

Parent samples :

ad58ec2f23b9fdd7b6c79b659988711e206303581b0b877cf23c2727591da050
387db5d0fff6033a701405b93c2c600aecf09e2610a31a1495b61f0c54fa822b
d2d27adf86c11aade4e8c6a63223f21709382df7266e6889775db56b625cf8fa
dd8765e13d39efb165d7336eb776a5baa61388ef134f788f0942a49e2bca14cb
4179b3eb2bd04b3bb548247c0d328896aa4c0b82695d2d358e718c63f147a682
9eed042bc90fe77499abd76b660f815af93e7c2a3ddba20b983b70f8685e2732
c1def118520e4ce168185e9fd2acdd32df8e2e0081e1e5477b0798a7074115f2
be4658347938020818dd293339ad3ca4f3f263faf39fc19154d622b6bfd238c5
7d024b9d88b406bec06ca79994e494578f36e610eab21cdc747182f7ec0918f4
f0d7fc1a1d1800ff702c591a3e9b8c30cb81220d57de13c33875299275f65de1
96448cf668bf7268d6ffbe37fc7d6ade1c89a1af67153a9a2c90d081fa897a22
0980017e619dd4c5a946bb827d3aa6bde000c7f533c16f12f9d74c253818730f
d8e57f4c33ba5fc9f984da08a6be1febac3ce5e81b25e7ee3fa26edda758ca41
5fed1d8ef3eabf45f7463e0b9b536a06b0b09e3999efc916904c7f120f97c754
b15f9b08ccfe910f6047bed99091148aec4a22964967121a0c30cb6bf2ad777e

SH256 hash:

96448cf668bf7268d6ffbe37fc7d6ade1c89a1af67153a9a2c90d081fa897a22

MD5 hash:

0109d859430f1420efaed6f1b4e54ce3

SHA1 hash:

89c8b293ebd46a7fcfda74988248238602721df3

Link:

https://www.unpac.me/results/9e408ba1-d6c3-427f-a997-53b45bd78c5f/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Kryptik

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/96448cf668bf7268d6ffbe37fc7d6ade1c89a1af67153a9a2c90d081fa897a22

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers

Rule name:	MALWARE_Win_Vidar Create hunting rule
Author:	ditekSHen
Description:	Detects Vidar / ArkeiStealer

Rule name:	Ping_Del_method_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	cmd ping IP nul del

Rule name:	win_vidar_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

Rule name:	with_sqlite Create hunting rule
Author:	Julian J. Gonzalez <info@seguridadparatodos.es>
Description:	Rule to detect the presence of SQLite data in raw image
Reference:	http://www.st2labs.com