MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a30652e56f30468e942474a7fc74fd07ee5f298a3156cde5a54c3ced630f7159. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ArkeiStealer
Vendor detections: 10


SHA256 hash: a30652e56f30468e942474a7fc74fd07ee5f298a3156cde5a54c3ced630f7159
SHA3-384 hash: c947b2895381dabe3f4c72148b0275ede0a39439be47a1bee7e0496b8b6fad5f4fda76779a82d8f9f6a7fb86d829469e
SHA1 hash: 6686727b7d6a8397ef6fc93ab892a04d3e479cd3
MD5 hash: 68e4ef6953860b73f91d1815f630485c
humanhash: maryland-bakerloo-high-london
File name: 68e4ef6953860b73f91d1815f630485c.exe
Signature: ArkeiStealer
File size: 620'544 bytes
First seen: 2021-09-23 04:10:36 UTC
Last seen: 2021-09-23 04:58:01 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: b423274974f58a1d1a63a5242c6dcf99 (12 x RedLineStealer, 5 x RaccoonStealer, 3 x ArkeiStealer)
ssdeep: 12288:dVqrAn6fgd0g/42r+RBCKDXuJYZioq9+isFcblB2xSXw:dVlnBxrkcKDXuJCioq90ElB2k
Threatray: 2'938 similar samples on MalwareBazaar
TLSH: T101D412213AB1C036F5FB5A35C424CA92267BB5D35AB5908F2B5507AE4EF0681CB7B313
dhash icon: 1072c093b0381906 (22 x RedLineStealer, 22 x RaccoonStealer, 20 x Stop)
Reporter: abuse_ch
Tags: ArkeiStealer exe


abuse_ch
ArkeiStealer C2:
http://159.69.203.58/

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                     ThreatFox reference
http://159.69.203.58/   https://threatfox.abuse.ch/ioc/225251/

Intelligence


File Origin
# of uploads: 2
# of downloads: 147
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 68e4ef6953860b73f91d1815f630485c.exe
Verdict: Malicious activity
Analysis date: 2021-09-23 04:11:17 UTC
Tags: trojan stealer vidar loader

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Malware family: Generic Malware
Verdict: Malicious
Result
Threat name:
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Self deletion via cmd delete
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Vidar
Yara detected Vidar stealer
Behaviour
Behavior graph: (image not included)
Threat name: Win32.Trojan.Generic
Status: Suspicious
First seen: 2021-09-23 04:11:08 UTC
AV detection: 18 of 45 (40.00%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:vidar discovery spyware stealer
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Vidar Stealer
Vidar
Unpacked files
SHA256 hash: 819b52b95ed6a121fb61281470235786ca607fef713a46c0936b5086d4fe6fbf
MD5 hash: fa674082d960c66de654e07833cb6c99
SHA1 hash: 6b2e94c3cd6fe76a677624d05fcaad1192358ab5

SHA256 hash: a30652e56f30468e942474a7fc74fd07ee5f298a3156cde5a54c3ced630f7159
MD5 hash: 68e4ef6953860b73f91d1815f630485c
SHA1 hash: 6686727b7d6a8397ef6fc93ab892a04d3e479cd3
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Distributed via web download

Samples with this delivery method (web download):
Signature       File type         SHA256
ArkeiStealer    Executable exe    a30652e56f30468e942474a7fc74fd07ee5f298a3156cde5a54c3ced630f7159 (this sample)

Comments