MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 968844ff2295c9ff1a03e527b1989c07b98aa0df702ed1e83fad251bbe1f3514. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ArkeiStealer

Vendor detections: 11

Intelligence 11 IOCs YARA File information Comments

SHA256 hash:	968844ff2295c9ff1a03e527b1989c07b98aa0df702ed1e83fad251bbe1f3514
SHA3-384 hash:	8d54154de7d6838ddb8a4691016ceeb6a2e4aad2754b6cd2051cfc07cde1a764e4d8ef7c4513647eedf262ee9b4a691c
SHA1 hash:	ba4f383af064bbd1fe7f1d6e5fb4be8a6c993fa3
MD5 hash:	ab5b172f91594490df40fe1e522b0902
humanhash:	ceiling-jersey-comet-connecticut
File name:	968844ff2295c9ff1a03e527b1989c07b98aa0df702ed1e83fad251bbe1f3514
Download:	download sample
Signature	ArkeiStealer Create hunting rule
File size:	1'513'016 bytes
First seen:	2022-05-20 06:54:13 UTC
Last seen:	2022-05-20 07:59:33 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	06a834e3824803366fcfecb5c9777295 (3 x RedLineStealer, 3 x ArkeiStealer, 1 x Gozi)
ssdeep	24576:Wy6sZwKFjd29+dui0jj4oEAlUXJCR04yPgFBWDUSfr4EUQq/XMCMOQKUY0O:idy29+duiNoEfJlSSTPUQq/XjMOQKUY3
TLSH	T14265127019B9C071F1B6247118B46B65593FBDCA9B20CADB92C7F2A53631AF4C432B53
TrID	48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 16.4% (.EXE) Win64 Executable (generic) (10523/12/4) 10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	f0c8d0f0b0b0c4cc (2 x ArkeiStealer)
Reporter	JAMESWT_WT
Tags:	ArkeiStealer exe exxon-com signed

Code Signing Certificate

Organisation:	exxon.com
Issuer:	GeoTrust RSA CA 2018
Algorithm:	sha256WithRSAEncryption
Valid from:	2021-12-30T00:00:00Z
Valid to:	2022-09-02T23:59:59Z
Serial number:	0a2787fbb4627c91611573e323584113
Intelligence:	18 malware samples on MalwareBazaar are signed with this code signing certificate
MalwareBazaar Blocklist:	This certificate is on the MalwareBazaar code signing certificate blocklist (CSCB)
Thumbprint Algorithm:	SHA256
Thumbprint:	23fedc6e3b78445c68840fdf31dc96fafeed68bb95c7321cbc8a745b8eb06fca
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

268

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

968844ff2295c9ff1a03e527b1989c07b98aa0df702ed1e83fad251bbe1f3514

Verdict:

Malicious activity

Analysis date:

2022-05-20 07:37:31 UTC

Tags:

trojan stealer

Link:

https://app.any.run/tasks/568582bb-b7c6-459a-895a-92e4ec98f6da

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Vidar

Link:

https://www.capesandbox.com/analysis/272871/

Detection(s):

SecuriteInfo.com.Variant.Jaik.74668.10726.7436.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Searching for the window

Creating a window

Creating a file

Result

Malware family:

n/a

Score:

9/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/19119/overview

Behaviour

MalwareBazaar

MeasuringTime

CallSleep

SystemUptime

CheckCmdLine

EvasionGetTickCount

EvasionQueryPerformanceCounter

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware overlay packed

Link:

https://www.filescan.io/uploads/62873b54054dcf0ecad07577/reports/07599721-bdb3-4595-9acc-b67b1a8867e3/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/df383d11-ed46-443f-901d-007640b13415

Result

Threat name:

Vidar

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/998307

Signature

Found evasive API chain (may stop execution after checking mutex)

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Found many strings related to Crypto-Wallets (likely being stolen)

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Crypto Currency Wallets

Tries to steal Mail credentials (via file / registry access)

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/968844ff2295c9ff1a03e527b1989c07b98aa0df702ed1e83fad251bbe1f3514/

Threat name:

Win32.Infostealer.Bandra

Status:

Malicious

First seen:

2022-05-19 14:27:46 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

22 of 41 (53.66%)

Threat level:

5/5

Verdict:

malicious

Result

Malware family:

vidar

Score:

10/10

Tags:

family:vidar botnet:1182 discovery spyware stealer suricata

Link:

https://tria.ge/reports/220520-hpsdeahfhp/

Behaviour

Checks processor information in registry

Delays execution with timeout.exe

Kills process with taskkill

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Accesses 2FA software files, possible credential harvesting

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Checks computer location settings

Deletes itself

Loads dropped DLL

Reads user/profile data of web browsers

Vidar Stealer

Vidar

suricata: ET MALWARE Vidar/Arkei/Megumin Stealer Keywords Retrieved

suricata: ET MALWARE W32/Agent.OGR!tr.pws Stealer

Malware Config

C2 Extraction:

https://t.me/netflixaccsfree
https://mastodon.social/@ronxik12

Unpacked files

SH256 hash:

72267decca2ea889c70f996611b3dea021a0bc53d17cdfc52b3b91b64ef57be3

MD5 hash:

ef80ba7a1856fec4013ca2a6060e1c16

SHA1 hash:

c06636ac1cb4e5dea7942a056bc3a1a6f687cf25

Link:

https://www.unpac.me/results/2c7c02c4-4d9b-43d9-93ee-ddfe9251bc0e/

SH256 hash:

968844ff2295c9ff1a03e527b1989c07b98aa0df702ed1e83fad251bbe1f3514

MD5 hash:

ab5b172f91594490df40fe1e522b0902

SHA1 hash:

ba4f383af064bbd1fe7f1d6e5fb4be8a6c993fa3

Link:

https://www.unpac.me/results/2c7c02c4-4d9b-43d9-93ee-ddfe9251bc0e/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/968844ff2295c9ff1a03e527b1989c07b98aa0df702ed1e83fad251bbe1f3514

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/272871/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample