MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9c6fd1a60f813387c28a390ad7cb20ee217a1afdd44a5e90830871cb893d07b1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9c6fd1a60f813387c28a390ad7cb20ee217a1afdd44a5e90830871cb893d07b1
SHA3-384 hash: 05a0deacbc74ea70d01df03a6e92baeea0e3f5e8719b5d42b9add50c1f1141f8eafc52224c8f4ca8210bd0f3dcd1eefd
SHA1 hash: edabd9046dcfd2bc3b67522a5da0bee72077a497
MD5 hash: 7b73b737d16ef924bb896ecf62cea11a
humanhash: sad-oven-vermont-diet
File name:9e823478f8b4cc0fea25c68e63e9ae85f2274a419dc6c.exe
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:4'205'568 bytes
First seen:2022-11-24 07:05:15 UTC
Last seen:2022-11-24 08:37:26 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 017f1b735efb908c67e906635ee4b33d (3 x ArkeiStealer)
ssdeep 98304:ylKF/xupJR/EgwFC8qJ6iUkJZ+7aXD6Wl2cPP0hi:ylCoJgFCXp5D/PPP6i
Threatray 1'186 similar samples on MalwareBazaar
TLSH T17816226362452255D0D28C358527FEA3B1B72E624E4168357EFABDCB2C328E0F71395B
TrID 27.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
20.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
18.6% (.EXE) Win32 Executable (generic) (4505/5/1)
8.5% (.ICL) Windows Icons Library (generic) (2059/9)
8.3% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon b2e0b496a6cadaf2 (1 x RaccoonStealer, 1 x ArkeiStealer, 1 x RedLineStealer)
Reporter abuse_ch
Tags:ArkeiStealer exe


Avatar
abuse_ch
ArkeiStealer C2:
http://88.198.106.9/

Intelligence

File Origin
# of uploads :
2
# of downloads :
276
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
vidar
Create hunting rule
ID:
1
File name:
9e823478f8b4cc0fea25c68e63e9ae85f2274a419dc6c.exe
Verdict:
Malicious activity
Analysis date:
2022-11-24 07:06:08 UTC
Tags:
stealer trojan vidar
Link:
https://app.any.run/tasks/30126bea-701e-4f1d-8fef-5ab1b6bf59bd

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/337954/
Detection(s):
SecuriteInfo.com.Win32.Evo-gen.18242.29998.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Сreating synchronization primitives
DNS request
Behavior that indicates a threat
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/637f17dd5be128ac718e9d4a/reports/446cf881-00ac-4376-ba4b-45a5bfd9628f/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/a393cf3e-8f7b-4faf-bf5a-8b4cac81bacd
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/1120327
Signature
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
PE file contains section with special chars
Self deletion via cmd or bat file
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9c6fd1a60f813387c28a390ad7cb20ee217a1afdd44a5e90830871cb893d07b1/
Threat name:
Win32.Infostealer.Bandra
Create hunting rule
Status:
Malicious
First seen:
2022-11-24 07:06:19 UTC
File Type:
PE (Exe)
Extracted files:
29
AV detection:
18 of 26 (69.23%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=trx5djqpqezypqukhefnpsza5yqxugx52rff5eedbby4xcj5a6yq._file
Verdict:
unknown
Similar samples:
0334c599a15d0b9991a2a7ae2c8d30e6c4736b60d6b756133bb2bda95c745245
ArkeiStealer
137f888429094a1dece66c656564cde7d4f60f7b132c8105c6eaaecd95f3f9d9
ArkeiStealer
360b2afefd68c3ded857f70836cee28007aac12118476e45d151af93c7fbc7f2
ArkeiStealer
58ae170573fd183ada1906291ca170724608a6a6217d84a6e5f0e400c3b1f481
ArkeiStealer
ae0f564dcf94cd6492d29ebfc3d797d45dacd146c40218ed8c87076d5775bbbe
ArkeiStealer
e438b0686e14786fa975d2d724c0fb8615e868a1210c57e0323d537cbb08c665
ArkeiStealer
+ 1'176 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar botnet:1364 discovery spyware stealer
Link:
https://tria.ge/reports/221124-hw3sqaag4t/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks computer location settings
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Vidar
Malware Config
C2 Extraction:
https://t.me/headshotsonly
https://steamcommunity.com/profiles/76561199436777531
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/a05f4260-d45e-472c-beb4-f7c1226edbf7
Unpacked files
SH256 hash:
75048d6d9ad93e1feab21bee88be9b97d9f3a8c1a2d9b0d6a2c48262e8b88ab1
MD5 hash:
7745fba9671592c557ec8669e01c3366
SHA1 hash:
40ab0a4002cf0da4019497c2285d63b1705f1832
Link:
https://www.unpac.me/results/b9e23418-dc7d-4536-9755-de617f90b105/
SH256 hash:
9c6fd1a60f813387c28a390ad7cb20ee217a1afdd44a5e90830871cb893d07b1
MD5 hash:
7b73b737d16ef924bb896ecf62cea11a
SHA1 hash:
edabd9046dcfd2bc3b67522a5da0bee72077a497
Link:
https://www.unpac.me/results/b9e23418-dc7d-4536-9755-de617f90b105/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/9c6fd1a60f81/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9c6fd1a60f813387c28a390ad7cb20ee217a1afdd44a5e90830871cb893d07b1

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/337954/

Comments