MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a662afc72f832b1d74c887bb57a4ad6848ebb5c16a0eee1bd82729cd00eef84b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 15


Intelligence 15 IOCs YARA 10 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a662afc72f832b1d74c887bb57a4ad6848ebb5c16a0eee1bd82729cd00eef84b
SHA3-384 hash: 875fe8b15269f697f2bf2553884845b51d70b69d059526aa140d720a20565cf067dd1b6d8857beb08b2fe1b7e23a5076
SHA1 hash: 5e7a38fb2169fb6f7f86669ed9d79b26b43d910d
MD5 hash: 9ff2a868e5828fba7f8711b072fe8394
humanhash: early-queen-fish-fish
File name:file
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:736'128 bytes
First seen:2023-05-29 14:48:27 UTC
Last seen:2023-05-31 07:25:08 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:4Eh/dWHJmsGo5zY3lt1KZj6nxqgR1xrEL+VhYxKjzfDI/RdjzP8BAtt1I:7dWlul2Zj6xVxrELk9LDYRVzPFj1I
Threatray 63 similar samples on MalwareBazaar
TLSH T144F4024522B06752DB8C1632A0DBD631DBE16EB3FD3BF59B7F14898628A21701F11B4E
TrID 51.8% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
22.1% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
7.4% (.EXE) Win64 Executable (generic) (10523/12/4)
4.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon b2696969713342f0 (1 x ArkeiStealer)
Reporter andretavare5
Tags:ArkeiStealer exe signed

Code Signing Certificate

Organisation:SSD Western Digital Blue SA510 1 ТБ SATA (WDS100T3B0A)
Issuer:SSD Western Digital Blue SA510 1 ТБ SATA (WDS100T3B0A)
Algorithm:sha1WithRSAEncryption
Valid from:2023-05-28T12:56:46Z
Valid to:2033-05-29T12:56:46Z
Serial number: 1fb8fb341badb88a4298d83e97c58521
Intelligence: 7 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: aac6cece3aa0a8f37cf33bc1ba10e818741b641cd119aeeb44a4854948cc2ad3
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
andretavare5
Sample downloaded from https://vk.com/doc791620691_664650826?hash=wLcV4dXPIKiGhbQsP9XarWNsQTzzcZcvmAwnHY98chc&dl=os0tg59en8PZKvzm5DZrUTZenS8RvuCK4Ps0aWpcX60&api=1&no_preview=1#kis_vdr

Intelligence

File Origin
# of uploads :
2
# of downloads :
251
Origin country :
US US
Vendor Threat Intelligence
Malware family:
vidar
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-05-29 14:50:52 UTC
Tags:
stealer vidar trojan
Link:
https://app.any.run/tasks/578de6df-20e1-4b11-965e-9ac9298418d0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Vidar
Create hunting rule
Link:
https://www.capesandbox.com/analysis/393108/
Detection(s):
SecuriteInfo.com.MSIL.Generik.LSTISLP.tr.16369.29534.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Unauthorized injection to a recently created process
Creating a file
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Reading critical registry keys
Using the Windows Management Instrumentation requests
Creating a process from a recently created file
Launching a process
Stealing user critical data
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
cmd.exe fingerprint lolbin obfuscated overlay packed
Link:
https://www.filescan.io/uploads/6474bb5f8d9b5a6c973f88a6/reports/36747065-b228-4754-95b7-7f896c21aad1/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/a662afc72f832b1d74c887bb57a4ad6848ebb5c16a0eee1bd82729cd00eef84b
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4419569e-6e5e-4b7c-978a-102636abedb3
Result
Threat name:
Clipboard Hijacker, Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1244518
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Clipboard Hijacker
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 877524 Sample: file.exe Startdate: 29/05/2023 Architecture: WINDOWS Score: 100 54 Found malware configuration 2->54 56 Malicious sample detected (through community Yara rule) 2->56 58 Antivirus detection for dropped file 2->58 60 11 other signatures 2->60 9 file.exe 3 2->9         started        12 oobeldr.exe 2->12         started        process3 file4 40 C:\Users\user\AppData\Local\...\file.exe.log, ASCII 9->40 dropped 15 file.exe 19 9->15         started        20 file.exe 9->20         started        70 Antivirus detection for dropped file 12->70 72 Multi AV Scanner detection for dropped file 12->72 74 Detected unpacking (changes PE section rights) 12->74 76 7 other signatures 12->76 22 schtasks.exe 1 12->22         started        signatures5 process6 dnsIp7 42 t.me 149.154.167.99, 443, 49701 TELEGRAMRU United Kingdom 15->42 44 5.75.209.76, 3306, 49702 HETZNER-ASDE Germany 15->44 46 cdn.discordapp.com 162.159.135.233, 443, 49703 CLOUDFLARENETUS United States 15->46 34 C:\Users\user\AppData\Local\...\KLIPE[1].exe, MS-DOS 15->34 dropped 36 C:\ProgramData\80948342296088506364.exe, MS-DOS 15->36 dropped 48 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 15->48 50 Tries to harvest and steal browser information (history, passwords, etc) 15->50 52 Tries to steal Crypto Currency Wallets 15->52 24 80948342296088506364.exe 1 15->24         started        28 conhost.exe 22->28         started        file8 signatures9 process10 file11 38 C:\Users\user\AppData\Roaming\...\oobeldr.exe, MS-DOS 24->38 dropped 62 Antivirus detection for dropped file 24->62 64 Multi AV Scanner detection for dropped file 24->64 66 Detected unpacking (changes PE section rights) 24->66 68 7 other signatures 24->68 30 schtasks.exe 1 24->30         started        signatures12 process13 process14 32 conhost.exe 30->32         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a662afc72f832b1d74c887bb57a4ad6848ebb5c16a0eee1bd82729cd00eef84b/
Threat name:
Win32.Spyware.Vidar
Create hunting rule
Status:
Malicious
First seen:
2023-05-29 14:49:06 UTC
File Type:
PE (.Net Exe)
Extracted files:
17
AV detection:
18 of 36 (50.00%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=uzrk7rzpqmvr25giq65vpjfnnbeoxnobniho4g6ye4u42aho7bfq._file
Verdict:
malicious
Similar samples:
199de8b727ceae96afb7c7560092c1d7a4dbe5a005c07ae20cffd9871da52b82
ArkeiStealer
1b09e1ef7e44680e2fdd5909dbae73c46ad9d4d007f9ef077acfa102a613f908
ArkeiStealer
3131f31a4b39b30cc4498c17115c2d24dc588835c9d609076058772d4a96a217
ArkeiStealer
428280c60495d98bb323401c877783e641d21f649684fbacbb29bc8067bf6635
ArkeiStealer
49f412c22d9944bbc1948cd41574d0856a12a7884600298ce129d1ffed5bf6dc
ArkeiStealer
53ede26e1b5b7287a78002c268363493d9aa8b35ab2cdb571444adcd7a4752ce
ArkeiStealer
958085c479df4ae7ebbd407dd43f11edcb0fa4677470c819fcaf5df87191b992
ArkeiStealer
cc1d1ef82f7887443e7902e8e91013f3308804f7143ef769e0b3e98a45aee037
ArkeiStealer
e5447818976ad7af2ae55ccee4baab64d2a76ce8bcd43654ca8361dc19c91ad4
ArkeiStealer
f72c375f5e423f5213174a9e4a7676e34d2cab593802c75d6dc27719d8e7eb00
ArkeiStealer
+ 53 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar botnet:2348536df5fca20ff7fa4cddff87192a discovery spyware stealer
Link:
https://tria.ge/reports/230529-r61ksacg4z/
Behaviour
Checks processor information in registry
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Vidar
Malware Config
C2 Extraction:
https://steamcommunity.com/profiles/76561199510444991
https://t.me/task4manager
Unpacked files
SH256 hash:
a440b5929848e6071f401a94fc1a040f14094bf7701b151ff409aeaa60e05f95
MD5 hash:
909be53831182d523ccea3c428d59c4f
SHA1 hash:
8f8f99a97544638bdfc02b5f8054f833f46eccaa
Link:
https://www.unpac.me/results/12f1bcf4-2aad-4ae0-91f8-5fd7a1b8ea64/
SH256 hash:
a5cadeef2251eee18e0c50e51ce0705e84dc31c402c95837ab12f26b52c098a9
MD5 hash:
cdb4ce54b1c2ed9e131cdcf7973975b4
SHA1 hash:
875f5f601f8eb198c09e46b23ebf159dbaf03f68
Link:
https://www.unpac.me/results/12f1bcf4-2aad-4ae0-91f8-5fd7a1b8ea64/
SH256 hash:
b23fdfe87465b67022ce2f1d1d4a2406af4830bd73bc00d5747ce0c8e6029d49
MD5 hash:
34936db9e175b414e28c2495ec8caa23
SHA1 hash:
34f7339b054650741235867a943d4399ad3c0fb8
Detections:
VidarStealer
Create hunting rule
Link:
https://www.unpac.me/results/12f1bcf4-2aad-4ae0-91f8-5fd7a1b8ea64/
SH256 hash:
a662afc72f832b1d74c887bb57a4ad6848ebb5c16a0eee1bd82729cd00eef84b
MD5 hash:
9ff2a868e5828fba7f8711b072fe8394
SHA1 hash:
5e7a38fb2169fb6f7f86669ed9d79b26b43d910d
Link:
https://www.unpac.me/results/12f1bcf4-2aad-4ae0-91f8-5fd7a1b8ea64/
Malware family:
Vidar.A
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a662afc72f83/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a662afc72f832b1d74c887bb57a4ad6848ebb5c16a0eee1bd82729cd00eef84b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BAZT_B5_NOCEXInvalidStream
Create hunting rule
Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:has_telegram_urls
Create hunting rule
Author:Aaron DeVera<aaron@backchannel.re>
Description:Detects Telegram URLs
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Telegram_Links
Create hunting rule
Rule name:Vidar
Create hunting rule
Author:kevoreilly,rony
Description:Vidar Payload

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/393108/

Comments