MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9d922444b2e91da8a44dbfb03637dc2b35468bddba5871034e10dcea9ced6efa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ArkeiStealer

Vendor detections: 10

Intelligence 10 IOCs YARA 1 File information Comments

SHA256 hash:	9d922444b2e91da8a44dbfb03637dc2b35468bddba5871034e10dcea9ced6efa
SHA3-384 hash:	0712dafd5097131f00fd8cba657dd8848a5488bb8374391b52d09373f141e995ce5d7fc60aeaa77087180b295bb2958d
SHA1 hash:	6311f73bddb89a436a4a441b05b49b781b47b53f
MD5 hash:	d25682fcd8c3d61bee85eb504e6f2cfe
humanhash:	maine-bacon-quebec-mississippi
File name:	d25682fcd8c3d61bee85eb504e6f2cfe.exe
Download:	download sample
Signature	ArkeiStealer Create hunting rule
File size:	630'272 bytes
First seen:	2022-12-06 14:11:20 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
ssdeep	12288:w8UEVeVaqaHBSeNiyiK7XVCtosfKxJF/6m:kaqwnNiyiK7FCtoQKx31
Threatray	750 similar samples on MalwareBazaar
TLSH	T145D4024EBF02309DE7BCD1FA71FA086D6734EB6B4650FDCEB209442E99C51266C85B09
TrID	44.4% (.EXE) Win64 Executable (generic) (10523/12/4) 21.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 8.7% (.ICL) Windows Icons Library (generic) (2059/9) 8.5% (.EXE) OS/2 Executable (generic) (2029/13) 8.4% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):
dhash icon	d8c88c1eafcbdb38 (1 x ArkeiStealer)
Reporter	abuse_ch
Tags:	ArkeiStealer exe

Intelligence

File Origin

# of uploads :

# of downloads :

189

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

file

Verdict:

Malicious activity

Analysis date:

2022-12-03 15:46:29 UTC

Tags:

installer trojan loader gcleaner

Link:

https://app.any.run/tasks/73f54367-23fa-4331-a92d-f6df23c8c660

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/343474/

Detection(s):

SecuriteInfo.com.Malware.PDB-63.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a process

Creating a file

Сreating synchronization primitives

DNS request

Sending a custom TCP request

Sending an HTTP GET request

Reading critical registry keys

Running batch commands

Creating a process with a hidden window

Forced shutdown of a system process

Stealing user critical data

Unauthorized injection to a system process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/638f4db41651015c7bfb4cc4/reports/d1f759bc-6a59-4271-ae32-dc9309035ea8/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/650396d6-e7c5-4183-abae-f6045bbf9e69

Result

Threat name:

Vidar

Detection:

malicious

Classification:

troj.evad

Score:

84 / 100

Link:

https://www.joesandbox.com/analysis/1129204

Signature

.NET source code contains very large array initializations

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Writes to foreign memory regions

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/9d922444b2e91da8a44dbfb03637dc2b35468bddba5871034e10dcea9ced6efa/

Threat name:

ByteCode-MSIL.Trojan.Heracles

Status:

Malicious

First seen:

2022-12-03 02:26:57 UTC

File Type:

PE+ (.Net Exe)

Extracted files:

AV detection:

9 of 26 (34.62%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=twjcirfs5eo2rjcnx6ydmn64fm2unc65xjmhca2ocdoovhhnn35a._file

Verdict:

malicious

ArkeiStealer

0c8296da5ca468087ecaeac3bb9b4475f075ae0ba654c9cc05a017f96d974d98

ArkeiStealer

292234b4e44187b5549566ead6297f05dc6b40310e4f1b1384ce190a79891117

ArkeiStealer

58fd04fe003160c5aca2e839d8588bd86b9a2b3ddcd8e3ddd5616182e9d9c45f

ArkeiStealer

73a4ca1224bc4657443596157d3ce150bcd4b6dd32217f2467818c7efea4ee43

ArkeiStealer

7a3d9a2e7fbcdd35fa3c5c195892b4c7940c669cde48def4832aa7e91736d532

ArkeiStealer

80a71a90b99f4518e5f98a419975d93caeefb87b8c76c3e42f59565174b5ca53

ArkeiStealer

8530384fa6b45ff0c2b2ea199c016f81b60fe8b7c846a7103f90b06691a4e01d

ArkeiStealer

866056e13d99c7a721a0e66aef8c2526dd2b8b6cecc90b0583699a175eeb66b7

ArkeiStealer

f161040af3fb9580715153cf18fab2993f4d16a71ddc99cf14c641772dfbf0ac

ArkeiStealer

+ 740 additional samples on MalwareBazaar

Result

Malware family:

vidar

Score:

10/10

Tags:

family:vidar botnet:1364 spyware stealer

Link:

https://tria.ge/reports/221206-rhvdvsec72/

Behaviour

Checks processor information in registry

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of SetThreadContext

Accesses 2FA software files, possible credential harvesting

Accesses cryptocurrency files/wallets, possible credential harvesting

Loads dropped DLL

Vidar

Malware Config

C2 Extraction:

https://t.me/asifrazatg
https://steamcommunity.com/profiles/76561199439929669

Unpacked files

SH256 hash:

9d922444b2e91da8a44dbfb03637dc2b35468bddba5871034e10dcea9ced6efa

MD5 hash:

d25682fcd8c3d61bee85eb504e6f2cfe

SHA1 hash:

6311f73bddb89a436a4a441b05b49b781b47b53f

Link:

https://www.unpac.me/results/88428f99-9917-4a1c-950c-d37fdd96c78b/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.35

Link:

https://yomi.yoroi.company/submissions/9d922444b2e91da8a44dbfb03637dc2b35468bddba5871034e10dcea9ced6efa

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/343474/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample