MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aa12ad772adf47f16f71cd07714ee02ed1fddab1fa80551d6dbc5d50589aebfc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: aa12ad772adf47f16f71cd07714ee02ed1fddab1fa80551d6dbc5d50589aebfc
SHA3-384 hash: 44df46e069446502083f9ae3c848421605af76a7cacea9e0fda799199b6fe83ac78e21d4e2093d0d4e595794d7809dc2
SHA1 hash: 2f44713c28754eeef871ccbbd9e8784dd145d5f8
MD5 hash: 78c06b9a03f2d8fcb86e7e0a8cedb5da
humanhash: carolina-charlie-lake-arkansas
File name:78c06b9a03f2d8fcb86e7e0a8cedb5da
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:677'376 bytes
First seen:2021-09-02 23:37:14 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash d447818e27b033d337efcc8531718bf1 (3 x ArkeiStealer, 3 x RaccoonStealer, 2 x Stop)
ssdeep 12288:JNfMXf+jBb4HVz+4qjkUOFcXST7UXIopqqQEygFv1nea:vEPXV+4YkUOQt4U1QUFtea
Threatray 3'201 similar samples on MalwareBazaar
TLSH T17BE4F120B6A1C035F5F752F49DB987BCA8387AB05B2481CF62D916ED56382E5DC30787
dhash icon 68e8e8e8aa66a499 (33 x RaccoonStealer, 14 x ArkeiStealer, 11 x RedLineStealer)
Reporter zbetcheckin
Tags:32 ArkeiStealer exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
153
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
78c06b9a03f2d8fcb86e7e0a8cedb5da
Verdict:
Suspicious activity
Analysis date:
2021-09-02 23:38:22 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/e4f98ccd-2185-4487-b892-9d52d2c13492

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Vidar
Create hunting rule
Link:
https://www.capesandbox.com/analysis/184968/
Detection(s):
SecuriteInfo.com.Variant.Fragtor.14930.4030.15440.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Deleting a recently created file
Replacing files
Reading critical registry keys
Creating a window
Delayed writing of the file
Sending a UDP request
Running batch commands
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Searching for the window
Launching a process
Stealing user critical data
Launching a tool to kill processes
Forced shutdown of a browser
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/82e05a84-9944-4bbb-9d0a-bd01175a67a7
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/844438
Signature
Detected unpacking (changes PE section rights)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Self deletion via cmd delete
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Vidar
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/aa12ad772adf47f16f71cd07714ee02ed1fddab1fa80551d6dbc5d50589aebfc/
Threat name:
Win32.Trojan.Phonzy
Create hunting rule
Status:
Malicious
First seen:
2021-09-02 19:37:21 UTC
AV detection:
22 of 43 (51.16%)
Threat level:
  5/5
Verdict:
suspicious
Similar samples:
11adb6fd4fbcb8fe68033ff2bc3b8cc45b980c573f7c58be291383d5b95d6e41
ArkeiStealer
4eaa9724c2cf924f872a54e632937ee67a581fdf8c8bed01b99c2df78b093115
ArkeiStealer
719838a1192ae6b53966159da56635e7a05754eb017f2538ca3f82c580543280
ArkeiStealer
9abec502e3a5167e3851de29c80c681de2c6ab879a0c49646f92761018c7987b
ArkeiStealer
b3748a0976c91a7310d0d38d42c91b1d7ba37364d58c5bed902cc6641d31cadc
ArkeiStealer
c9952fbf329b8a9b3400196c5bfefb8c48bdb7a8a3c8ff4176dc804aed898f1c
ArkeiStealer
e3772dff75f0c54d488300728db28432abacffff7485f8da1b05a3f7cf0bc0ae
ArkeiStealer
e671deac46898cd1ce138deb64f63c2a7d09f40b593213e2337b0ffa08aab8e7
ArkeiStealer
fd0883f748efb5fdce5e83245d3bb5bf94d6c7875fd5147a2c87eb9a0c54b56f
ArkeiStealer
fd5be24f8a05f5a97e1424b367ae6e0db88c55f7ee952392e66f94e17d16b903
ArkeiStealer
+ 3'191 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar botnet:937 discovery spyware stealer
Link:
https://tria.ge/reports/210902-3msxdabgf9/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Vidar Stealer
Vidar
Malware Config
C2 Extraction:
https://romkaxarit.tumblr.com/
Unpacked files
SH256 hash:
bfca9778f09b1a070740715d0aa013a8f408bb3b7f06cc008abdc9d621a34b21
MD5 hash:
9e434b8159b8cd1fbae11531d04ef634
SHA1 hash:
cef3cdd7d966f8505ad77250b2f6601a343f83a4
Detections:
win_oski_g0
Create hunting rule
Link:
https://www.unpac.me/results/70a45adb-5973-43df-8c09-298d6c2f51e8/
SH256 hash:
aa12ad772adf47f16f71cd07714ee02ed1fddab1fa80551d6dbc5d50589aebfc
MD5 hash:
78c06b9a03f2d8fcb86e7e0a8cedb5da
SHA1 hash:
2f44713c28754eeef871ccbbd9e8784dd145d5f8
Link:
https://www.unpac.me/results/70a45adb-5973-43df-8c09-298d6c2f51e8/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/aa12ad772adf/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/aa12ad772adf47f16f71cd07714ee02ed1fddab1fa80551d6dbc5d50589aebfc

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ArkeiStealer

Executable exe aa12ad772adf47f16f71cd07714ee02ed1fddab1fa80551d6dbc5d50589aebfc

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1587393/
Cape
Cape
https://www.capesandbox.com/analysis/184968/

Comments


Avatar
zbet commented on 2021-09-02 23:37:15 UTC

url : hxxp://37.0.10.214/78c06b9a03f2d8fcb86e7e0a8cedb5da.exe