MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aa0391688fb348eaa32856bcf0caca596177985f4dd9733f69ab2018ba8d1ff7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ArkeiStealer

Vendor detections: 4

Intelligence 4 IOCs YARA File information Comments

SHA256 hash:	aa0391688fb348eaa32856bcf0caca596177985f4dd9733f69ab2018ba8d1ff7
SHA3-384 hash:	d7c66854db5858c548374dbb4958caf85fe8d24332f398756a0519854f5d83aa17b904c0938226c90f26fbca52ab636b
SHA1 hash:	d2f204852ab8b8d19288eef03549c87cfb9fbda9
MD5 hash:	4ef8ca1609ef52a9a30bcc7e87083b55
humanhash:	solar-six-arkansas-charlie
File name:	4ef8ca1609ef52a9a30bcc7e87083b55.exe
Download:	download sample
Signature	ArkeiStealer Create hunting rule
File size:	697'556 bytes
First seen:	2020-05-08 13:55:45 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	c9adc83b45e363b21cd6b11b5da0501f (82 x ArkeiStealer, 60 x RecordBreaker, 46 x RedLineStealer)
ssdeep	12288:pANwRo+mv8QD4+0V16UYt1H0LTKl1DZ8uqwzgai0MHgSgX72MFxY+NswY0Bnvq:pAT8QE+kfXO1mupi0MHgJLvrY+JNvq
Threatray	129 similar samples on MalwareBazaar
TLSH	9BE40235F6828477D0610A72885FD3B6B939BB041F3864CFB7DD4D2C9D332592A612EA
Reporter	abuse_ch
Tags:	ArkeiStealer exe

Intelligence

File Origin

# of uploads :

1

# of downloads :

91

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

PUA.Win.Adware.Slugin-6803969-0

PUA.Win.Adware.Slugin-6840354-0

SecuriteInfo.com.PSW.Generic8.ISF.UNOFFICIAL

Gathering data

Threat name:

Win32.Trojan.Rdn

Status:

Malicious

First seen:

2020-05-08 14:35:49 UTC

File Type:

PE (Exe)

AV detection:

26 of 31 (83.87%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=vibzc2epwneovizik26pbswklfqxpgc7jxmxgp3jvmqbround73q._file

Verdict:

suspicious

Similar samples:

06c470803b445fa48419f5840100b63e2248b72e64c6c0ef47c44c07ff36d2a9

30ee19d9f9b1e7c313c08903a1d5150461447f5fd989e82a982c1b6462698c4f

341847d9c11face1487ab04072d6ddc5065a379011c6684e56e1f4fa8d8ab3f3

3a7f7b56d9b3c6996f00bd40b7ff5d70e0ce858fc76cc0d89f603a26c34e9e5c

6daf0de596310cb04331ef266b7f0a5ee81672016edd8cd6876124a60534cfdc

7ee9786ce295430044ac02259ca43dd92a036f3146533b308dca24f87e05edd4

d5445db0317af2ab05690f7037065681f908b3ae4da8d53ff5160b6627d74aac

d620778dbbcf11e3a293aeaaebac7b6a9a02e7d8790ca5ffa59bda1e9b9632f4

f8d6f282de8b50d4d9e6fc17f53b0b33cecb4f4fb01f956cca3ba622b4b452aa

fcac1c6c86cda94817da16feb772744ab591e3d1192955b32b074034ea122bf1

+ 119 additional samples on MalwareBazaar

Result

Malware family:

vidar

Score:

10/10

Tags:

family:vidar discovery spyware stealer

Link:

https://tria.ge/reports/201109-8yawb2pbla/

Behaviour

Checks processor information in registry

Modifies Internet Explorer settings

Runs .reg file with regedit

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies Control Panel

Modifies registry class

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Drops file in Program Files directory

Drops file in Windows directory

Accesses 2FA software files, possible credential harvesting

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Loads dropped DLL

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Checks computer location settings

Executes dropped EXE

Vidar

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

exe aa0391688fb348eaa32856bcf0caca596177985f4dd9733f69ab2018ba8d1ff7

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/320566/

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample