MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9f47198b35478784b38b1094f82d96cb6d50c3edc4a0139ac4ccd9e822c86feb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9f47198b35478784b38b1094f82d96cb6d50c3edc4a0139ac4ccd9e822c86feb
SHA3-384 hash: 3ae8dc74ecadb00642a65b1dc72dab0a408074bbdd95688b8cc5a4d9b88376b9196ce6db4956a16ab2266dc6b4358630
SHA1 hash: 7a8ba598eb6a7567e475a2d4827cd28da8780c9d
MD5 hash: 93e9a7b6faee87dca18870bc840ba761
humanhash: eight-don-zebra-grey
File name:Setup.exe
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:4'195'840 bytes
First seen:2022-11-24 07:20:14 UTC
Last seen:2022-11-24 08:37:24 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 80a65fa6dfd5f90a19614fd9f581e0bc (2 x ArkeiStealer)
ssdeep 98304:U39zUF9aNgo9hfm3pBsdNhDYbSNkH3jNHtJ1DTzY0Djgz9Q:UxUOgulCzsZDYtXjNNrXcz9Q
Threatray 1'123 similar samples on MalwareBazaar
TLSH T1C316236226602254E5D7CC360827BEEB72F20F536642783B6DFABDC528215E1B70395F
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 78e49cc8d8d8c8d8 (1 x ArkeiStealer)
Reporter abuse_ch
Tags:ArkeiStealer exe


Avatar
abuse_ch
ArkeiStealer C2:
http://88.198.106.9/

Intelligence

File Origin
# of uploads :
2
# of downloads :
269
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
vidar
Create hunting rule
ID:
1
File name:
Setup.exe
Verdict:
Malicious activity
Analysis date:
2022-11-24 07:21:39 UTC
Tags:
trojan stealer vidar
Link:
https://app.any.run/tasks/cc9a17e2-2dc3-4334-91bd-5141cdd0d2b6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/337957/
Detection(s):
SecuriteInfo.com.Win32.CrypterX-gen.21803.24593.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Behavior that indicates a threat
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/637f1b60559d07a06f4728f9/reports/a1403ad3-7e16-429f-a92a-1954033bb71d/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/9c518f5f-1510-4f5f-982f-985c0b6d2c76
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/1120332
Signature
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
PE file contains section with special chars
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9f47198b35478784b38b1094f82d96cb6d50c3edc4a0139ac4ccd9e822c86feb/
Threat name:
Win32.Infostealer.Bandra
Create hunting rule
Status:
Malicious
First seen:
2022-11-24 07:21:15 UTC
File Type:
PE (Exe)
Extracted files:
33
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=t5drtczvi6dyjm4lcckpqlmwznwvbq7nysqbhgweztm6qiwin7vq._file
Verdict:
malicious
Label(s):
raccoon
Create hunting rule
Similar samples:
0b4fccfb36c5b91de4f3141099c845d9d90a49c69497bff21bff5d00a353e9df
ArkeiStealer
44bd9084d0e09c6700364fe22001809a5ad5c160bce5a626c468ea1758a09c15
ArkeiStealer
7404cb25819f535125e6c4a213d348d077add914be4620b58ba50d364b538ea6
ArkeiStealer
b9c544f7eef189e45cd0cb1cf50d9d1e163ce810c2b57d111eaf8cd417be24f7
ArkeiStealer
ce3c6cc7e3d80c26246bb01b910992d8c77b1c3f30ec28b79346f15224a3c746
ArkeiStealer
e45dbe7cb55c15faa395640121286cb2d61bb3655e9da26f9ea3d1d2f2c47880
ArkeiStealer
+ 1'113 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar botnet:1364 discovery spyware stealer
Link:
https://tria.ge/reports/221124-h6n3bage48/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Vidar
Malware Config
C2 Extraction:
https://t.me/headshotsonly
https://steamcommunity.com/profiles/76561199436777531
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/4739fa32-4a8d-4bb6-8d4e-470b2cca4ad3
Unpacked files
SH256 hash:
eb52cfc1209980bf2e0b5d6532e4d2f0342783aa4acd7e7447a6d14eb31402d3
MD5 hash:
0c31eae3ec9e67c3e362f3de57bfc786
SHA1 hash:
df898f5d938e7bc54809716f15cd45d6d06b97a8
Link:
https://www.unpac.me/results/999b06da-48d0-458a-a022-85f89a24ff07/
SH256 hash:
9f47198b35478784b38b1094f82d96cb6d50c3edc4a0139ac4ccd9e822c86feb
MD5 hash:
93e9a7b6faee87dca18870bc840ba761
SHA1 hash:
7a8ba598eb6a7567e475a2d4827cd28da8780c9d
Link:
https://www.unpac.me/results/999b06da-48d0-458a-a022-85f89a24ff07/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/9f47198b3547/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9f47198b35478784b38b1094f82d96cb6d50c3edc4a0139ac4ccd9e822c86feb

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/337957/

Comments