MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ac2fb6674e44ec4e06a12aa1fed4b46fbc064c7940c603aa83344d04f738a3cb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ac2fb6674e44ec4e06a12aa1fed4b46fbc064c7940c603aa83344d04f738a3cb
SHA3-384 hash: f8e2a98d696ffcd6f16bd38b27f513343d51b026efee3ceb30ac026b8b245a9ab7f84aa2f3325e6e75b8c20b5d1ca20c
SHA1 hash: 7f3ea2e3f8b4338024f1e75d464bba8f507706f5
MD5 hash: ca783503849f597d3ee2d6555adc1513
humanhash: wyoming-texas-nuts-happy
File name:SecuriteInfo.com.Variant.Zusy.340597.28655.16207
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:553'984 bytes
First seen:2021-02-21 10:46:40 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 9df31cb2808d83d4fa20c7197d4ce79b (1 x ArkeiStealer)
ssdeep 12288:4Op68AyrPulXB+vhpdUqRU2k6ZYks4ylA3uPt3/Ib:4O81aCBO6qRPk6KFA3uPGb
Threatray 762 similar samples on MalwareBazaar
TLSH 21C4CF23B2A2C03AC0B331718E1A97655EBAFD20053398976BD81A1D5F645E1EF39773
Reporter SecuriteInfoCom
Tags:ArkeiStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
177
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/118138/
Detection(s):
SecuriteInfo.com.Variant.Zusy.340597.28655.16207.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Creating a file
Connection attempt
Sending an HTTP GET request
Deleting a recently created file
Replacing files
Reading critical registry keys
Creating a window
Delayed writing of the file
Sending a UDP request
Running batch commands
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Searching for the window
DNS request
Stealing user critical data
Launching a tool to kill processes
Forced shutdown of a browser
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/613406
Signature
Antivirus / Scanner detection for submitted sample
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ac2fb6674e44ec4e06a12aa1fed4b46fbc064c7940c603aa83344d04f738a3cb/
Threat name:
Win32.Infostealer.Vidar
Create hunting rule
Status:
Malicious
First seen:
2021-02-21 09:40:38 UTC
AV detection:
19 of 29 (65.52%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=vqx3mz2oitwe4bvbfkq75vfun66amtdziddahkudgrgqj5zyupfq._file
Verdict:
malicious
Similar samples:
30c29e58e71a8e3b2468d14dfdd1624b17af3f5c8ea560bfd1a278c3a513c5a9
ArkeiStealer
9b7090bc251c0a791b460096094d6aeb5be9dbf70dd5547ee7f3df6ce3cc69b4
ArkeiStealer
a3b8fa8ebf771261dee5745e62187ea8da346131f79222056aa61d426a6b6a8f
ArkeiStealer
ac1bddf60c98cb507f43077da521f73c9c19bea7553beb307fb0d0fa1f356657
ArkeiStealer
b2ca76052b184c69881e79f3f7549ae884f38a57f50f5801fa40aa953f20b11b
ArkeiStealer
bd3f29c731f654a578d5b05a32e704ed571a78374b719acfe8f22d58b2a1c714
ArkeiStealer
bed2f26c88cb673e07a6c880dd946151584a215f3da9980d6b14fba2d01ec6f3
ArkeiStealer
c1fd5b744ec1119e4d2340e68d38c9f58752c6cac4432f11162cc951c754f1a4
ArkeiStealer
c43430e7fdd512d017ac41b7b7cf8f7a58fb5501b97f8e3c81bd491ace7d4dd0
ArkeiStealer
ca689501b79de8430f0900c86e9a6b5c93b2d7cc68bc0b8921bb6ebb005f6893
ArkeiStealer
+ 752 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar discovery spyware stealer
Link:
https://tria.ge/reports/210221-cmksd7jabn/
Behaviour
Checks processor information in registry
Kills process with taskkill
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Deletes itself
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Vidar
Unpacked files
SH256 hash:
ac2fb6674e44ec4e06a12aa1fed4b46fbc064c7940c603aa83344d04f738a3cb
MD5 hash:
ca783503849f597d3ee2d6555adc1513
SHA1 hash:
7f3ea2e3f8b4338024f1e75d464bba8f507706f5
Detections:
win_vidar_auto
Create hunting rule
Link:
https://www.unpac.me/results/861cd3c4-4f98-412c-9193-99916983c0ea/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers
Rule name:win_vidar_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ArkeiStealer

Executable exe ac2fb6674e44ec4e06a12aa1fed4b46fbc064c7940c603aa83344d04f738a3cb

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1021987/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/927868/
Cape
Cape
https://www.capesandbox.com/analysis/118138/

Comments