MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a3e668096ab424f233fc8090774f39537ca9638099fd72ed1ee9099d06e4a5c9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ArkeiStealer

Vendor detections: 12

Intelligence 12 IOCs YARA File information Comments

SHA256 hash:	a3e668096ab424f233fc8090774f39537ca9638099fd72ed1ee9099d06e4a5c9
SHA3-384 hash:	1dc49dc781955ba78d74ddbc92a48aedf04ebd6da776d4b0ee507ba49215d2282ca9ab5336abb830a9fbcf59f264f891
SHA1 hash:	c2c46808a063ab1f7a53f5783fa238df5c7da3c1
MD5 hash:	23ea1132ec730a954a89ac0eae76a879
humanhash:	connecticut-mississippi-sodium-victor
File name:	23ea1132ec730a954a89ac0eae76a879.exe
Download:	download sample
Signature	ArkeiStealer Create hunting rule
File size:	1'947'648 bytes
First seen:	2021-11-22 13:28:08 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	3a79b3a3a623bf757e06a6dad01f56a4 (8 x ArkeiStealer)
ssdeep	24576:psIkC0cwFFQWCx8GDSqVFZzjukE6G1+az2mQlNSVE/b72HCL7ElijeNpc+B8IYcL:plmOWCioSiazKlNSVji/MiMjY
Threatray	3'472 similar samples on MalwareBazaar
TLSH	T1CA95CF23B6A14837C53317789C2792599D3AFE016A38688A2FF55F4C4F3D6813F295A3
File icon (PE):
dhash icon	399998ecd4d46c0e (572 x Quakbot, 137 x ArkeiStealer, 82 x GCleaner)
Reporter	abuse_ch
Tags:	ArkeiStealer exe

Intelligence

File Origin

# of uploads :

# of downloads :

117

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

23ea1132ec730a954a89ac0eae76a879.exe

Verdict:

Malicious activity

Analysis date:

2021-11-22 13:36:28 UTC

Tags:

trojan stealer vidar loader

Link:

https://app.any.run/tasks/65b563a3-22d1-4c10-aa2c-0de121245f1f

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Gathering data

Detection(s):

Win.Malware.Qakbot-9908195-1

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

Creating a window

DNS request

Sending a custom TCP request

Sending an HTTP GET request

Creating a file

Reading critical registry keys

Delayed writing of the file

Sending a UDP request

Running batch commands

Creating a process with a hidden window

Launching a process

Stealing user critical data

Launching a tool to kill processes

Sending an HTTP GET request to an infection source

Forced shutdown of a browser

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

keylogger packed

Link:

https://www.filescan.io/uploads/619b9b20dd04e7d00e023f90/reports/1e41c55c-382f-4b39-9cc8-0c91fd172b37/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Vidar

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/59a0bec2-96c9-43c7-b261-e4ef2fc8458f

Result

Threat name:

Vidar

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/893852

Signature

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Machine Learning detection for sample

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Self deletion via cmd delete

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Yara detected Vidar

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a3e668096ab424f233fc8090774f39537ca9638099fd72ed1ee9099d06e4a5c9/

Threat name:

Win32.Backdoor.Quakbot

Status:

Malicious

First seen:

2021-11-22 13:29:12 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

24 of 28 (85.71%)

Threat level:

5/5

Verdict:

malicious

ArkeiStealer

0cdd906491990c6ba9c24bdd60172057587859a8e649ba7f4b51fece9a0fdac6

ArkeiStealer

16a5e36b40b0906b94cdf9a96731842d7b9a2a50828d5b1a9a33eb0601518f99

ArkeiStealer

33817c0fd591e7d5d52586f3ad936f366cb1b9473a8a12c80890bd20048b9400

ArkeiStealer

63b24987e11f1b4180f9385e61deb3be8644a12f9bd586a5f71931f4d738e427

ArkeiStealer

6abcfcf5d46cf092d6c11e874ab9211c37511c825af9990b79fa38e8c2a3c1b0

ArkeiStealer

c008e2eee0063a71fe6436aafbf79a91161d436d6300fe3f6bb2cbbd932a2f4f

ArkeiStealer

d1061d18dc4ceceeba9947137e84e68d689e7befb6f038b467a64c474d0c51d0

ArkeiStealer

+ 3'462 additional samples on MalwareBazaar

Result

Malware family:

vidar

Score:

10/10

Tags:

family:vidar botnet:869 discovery spyware stealer suricata

Link:

https://tria.ge/reports/211122-qq82jsfegr/

Behaviour

Checks processor information in registry

Delays execution with timeout.exe

Kills process with taskkill

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Accesses 2FA software files, possible credential harvesting

Checks installed software on the system

Deletes itself

Loads dropped DLL

Reads user/profile data of web browsers

Downloads MZ/PE file

Vidar Stealer

Vidar

suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

Malware Config

C2 Extraction:

https://mastodon.online/@valhalla
https://koyu.space/@valhalla

Unpacked files

SH256 hash:

fa580f0e777dfd300e086c6df9f678803d999e25a5f0533417f0c53713a8d68d

MD5 hash:

e288fa85acec82211fd177568d8a8f88

SHA1 hash:

a002ca46d5d550e679c2a97082a81100fbd9762e

Link:

https://www.unpac.me/results/54fcb70f-0a41-4c39-8b8f-b4dad710fcd7/

SH256 hash:

a3e668096ab424f233fc8090774f39537ca9638099fd72ed1ee9099d06e4a5c9

MD5 hash:

23ea1132ec730a954a89ac0eae76a879

SHA1 hash:

c2c46808a063ab1f7a53f5783fa238df5c7da3c1

Link:

https://www.unpac.me/results/54fcb70f-0a41-4c39-8b8f-b4dad710fcd7/

Malware family:

CryptOne

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/a3e668096ab4/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/a3e668096ab424f233fc8090774f39537ca9638099fd72ed1ee9099d06e4a5c9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ArkeiStealer

exe a3e668096ab424f233fc8090774f39537ca9638099fd72ed1ee9099d06e4a5c9

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/1803210/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/208180/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample