MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 99fae1fe1739052540a8a99cb4377fb9c0a575a3b880d96940f6c06b12d50edf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ArkeiStealer

Vendor detections: 8

Intelligence 8 IOCs YARA 2 File information Comments

SHA256 hash:	99fae1fe1739052540a8a99cb4377fb9c0a575a3b880d96940f6c06b12d50edf
SHA3-384 hash:	403d59f50675accdbcc3a0c97edef15824904085779ea5baca606412b51c444847c9f00e51f62950449bdb283b189a38
SHA1 hash:	1d369cabc6195412b85e3ec5c0f07e16b0ae76dc
MD5 hash:	961d8c15db474a4ed6f31558b989430a
humanhash:	king-neptune-eight-asparagus
File name:	Vidar.exe
Download:	download sample
Signature	ArkeiStealer Create hunting rule
File size:	448'000 bytes
First seen:	2020-09-26 03:51:12 UTC
Last seen:	2020-09-26 04:37:54 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	0f21cf9000e2dd22eaabd876d8669f47 (1 x ArkeiStealer)
ssdeep	12288:xcevXfwQhBz7pSdMdi8263bNeYTleiZGiY:xnvoc59Se2cbRleniY
TLSH	7D94022133E1D032C08739B15424C6B54E7EFCB2D624428B7AE9ABBE6F316A15674F07
Reporter	TrappmanRhett
Tags:	ArkeiStealer vidar

Intelligence

File Origin

# of uploads :

# of downloads :

157

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Vidar

Link:

https://www.capesandbox.com/analysis/65989/

Detection(s):

SecuriteInfo.com.Trojan.Siggen10.30194.6885.27229.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

DNS request

Connection attempt

Sending an HTTP GET request

Creating a file

Deleting a recently created file

Reading critical registry keys

Creating a window

Delayed writing of the file

Running batch commands

Creating a process with a hidden window

Using the Windows Management Instrumentation requests

Searching for the window

Stealing user critical data

Launching a tool to kill processes

Forced shutdown of a browser

Result

Threat name:

Vidar

Detection:

malicious

Classification:

phis.troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/475690

Signature

Antivirus / Scanner detection for submitted sample

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Crypto Currency Wallets

Tries to steal Instant Messenger accounts or passwords

Tries to steal Mail credentials (via file access)

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/99fae1fe1739052540a8a99cb4377fb9c0a575a3b880d96940f6c06b12d50edf/

Threat name:

Win32.Ransomware.WannaCry

Status:

Malicious

First seen:

2020-09-25 23:04:33 UTC

AV detection:

28 of 29 (96.55%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=th5od7qxhecskqfivgolin37xhakk5ndxcans2ka63agwewvb3pq._file

Result

Malware family:

n/a

Score:

7/10

Tags:

spyware discovery

Link:

https://tria.ge/reports/200926-bc8s46z4se/

Behaviour

Checks processor information in registry

Kills process with taskkill

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Checks installed software on the system

JavaScript code in executable

Looks up external IP address via web service

Deletes itself

Loads dropped DLL

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Unpacked files

SH256 hash:

99fae1fe1739052540a8a99cb4377fb9c0a575a3b880d96940f6c06b12d50edf

MD5 hash:

961d8c15db474a4ed6f31558b989430a

SHA1 hash:

1d369cabc6195412b85e3ec5c0f07e16b0ae76dc

Link:

https://www.unpac.me/results/e2f7101a-66c4-41f7-a716-66bcee199db3/

SH256 hash:

3b24ddf5b99d7740712006445937999298bcbeb7afdebde9161757e0963b0a6f

MD5 hash:

dbd8f43d14f28396a50ecac0de24fae7

SHA1 hash:

44d7a25c874f1203732a1a6702bc17c0ab20c7cf

Detections:

win_vidar_auto

Link:

https://www.unpac.me/results/e2f7101a-66c4-41f7-a716-66bcee199db3/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Kryptik

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/99fae1fe1739052540a8a99cb4377fb9c0a575a3b880d96940f6c06b12d50edf

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	win_vidar_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

Rule name:	with_sqlite Create hunting rule
Author:	Julian J. Gonzalez <info@seguridadparatodos.es>
Description:	Rule to detect the presence of SQLite data in raw image
Reference:	http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Distributed via drive-by

Cape

https://www.capesandbox.com/analysis/65989/

URLhaus

https://urlhaus.abuse.ch/url/372396/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample