MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ada3f1fca37b6aa5a1b851c10e9d35fb9fd7d757c6e6bcccba173e933ef30837. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 15


Intelligence 15 IOCs YARA 11 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ada3f1fca37b6aa5a1b851c10e9d35fb9fd7d757c6e6bcccba173e933ef30837
SHA3-384 hash: f65d20eae3b22cf9ea4d46ec6d356a6ee913fe35a97b51fadc880be4e2d0a56f085aaece588506cb403f5966afd9613c
SHA1 hash: 728e0cb8b0a79b883bac76fb9913979962670708
MD5 hash: 328064b232879fe34864e9c6d88608ed
humanhash: berlin-steak-neptune-west
File name:328064b232879fe34864e9c6d88608ed
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:482'304 bytes
First seen:2023-08-13 14:29:27 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2851f76e885446c55a9b6a41d8745a10 (3 x ArkeiStealer)
ssdeep 12288:sl2/13vxcqRQG6KPwy44mYQ6/0hYYVKOOu:DxcqRQGvPD4jYQbYYMOO
Threatray 14 similar samples on MalwareBazaar
TLSH T180A47B32B654C036F59210B68E3EEBA71879A8712315A4CBFBC50DB97DB81E1973421F
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter zbetcheckin
Tags:32 ArkeiStealer exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
442
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
arkei
Create hunting rule
ID:
1
File name:
328064b232879fe34864e9c6d88608ed
Verdict:
Malicious activity
Analysis date:
2023-08-13 14:29:54 UTC
Tags:
stealer arkei vidar
Link:
https://app.any.run/tasks/0424ae80-3eb1-403b-9b59-8967cc220d53

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/442516/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Steam.36399.11381.4982.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Reading critical registry keys
Using the Windows Management Instrumentation requests
Creating a window
Stealing user critical data
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/102785/overview
Behaviour
MalwareBazaar
MeasuringTime
SystemUptime
CheckCmdLine
EvasionQueryPerformanceCounter
EvasionGetTickCount
Gathering data
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/ada3f1fca37b6aa5a1b851c10e9d35fb9fd7d757c6e6bcccba173e933ef30837
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1998c8d2-5795-4b65-bbb5-2c78373fa436
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1290685
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Creates HTML files with .exe extension (expired dropper behavior)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Searches for specific processes (likely to inject)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ada3f1fca37b6aa5a1b851c10e9d35fb9fd7d757c6e6bcccba173e933ef30837/
Threat name:
Win32.Trojan.Amadey
Create hunting rule
Status:
Malicious
First seen:
2023-08-13 14:30:05 UTC
File Type:
PE (Exe)
AV detection:
19 of 23 (82.61%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=vwr7d7fdpnvklinykhaq5hjv7op5pv2xy3tlztf2c47jgpxtba3q._file
Verdict:
malicious
Similar samples:
0f0edb7f25b876773ac2318600e0a493edcb6ea3a0235a9b0a3141ff6247c4f9
ArkeiStealer
190799d08ea8f5f3ff77f68c1fc6d2d231b3412c46407b9fa72bd485132de1c8
ArkeiStealer
38936812027f8a25f120857b93a85fdf3561059c0e36b96e7b3b326d98037ca2
ArkeiStealer
5b4b8343ff56fd9ca6d55567e49a3bf1f31d542dbe620bdeb27f7e7ce792c656
ArkeiStealer
8506490bd404c8b37462c5c04db5dc14fdc425dcb66fe4d6d2f3b669de115eb3
ArkeiStealer
bd5aff6936d77e3deae4e45195b44ec5d4e7ba4f2a9dfe68ee7d6f7be2cfd97a
ArkeiStealer
c65843189ff4683d957d94ad74b7a455a96736a51d66716182208c45bdb08c55
ArkeiStealer
f155342f5bb62210ca274f42d22e4345fd8ca58a1c4c05d06e1ff86b8888a8cb
ArkeiStealer
+ 4 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar botnet:6ba937c4f557f3e5e256c94548f72a29 spyware stealer
Link:
https://tria.ge/reports/230813-rt5c7sfa8x/
Behaviour
Delays execution with timeout.exe
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Accesses 2FA software files, possible credential harvesting
Loads dropped DLL
Reads user/profile data of web browsers
Malware Config
C2 Extraction:
https://t.me/tatlimark
https://steamcommunity.com/profiles/76561199536605936
Unpacked files
SH256 hash:
ada3f1fca37b6aa5a1b851c10e9d35fb9fd7d757c6e6bcccba173e933ef30837
MD5 hash:
328064b232879fe34864e9c6d88608ed
SHA1 hash:
728e0cb8b0a79b883bac76fb9913979962670708
Detections:
VidarStealer
Create hunting rule
Link:
https://www.unpac.me/results/f0ae77e2-58c5-48b7-bcb2-951f4b2f33d0/
Malware family:
Vidar.A
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ada3f1fca37b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ada3f1fca37b6aa5a1b851c10e9d35fb9fd7d757c6e6bcccba173e933ef30837

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Check_OutputDebugStringA_iat
Create hunting rule
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:has_telegram_urls
Create hunting rule
Author:Aaron DeVera<aaron@backchannel.re>
Description:Detects Telegram URLs
Rule name:INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
Create hunting rule
Author:ditekSHen
Description:Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.
Rule name:INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
Author:ditekSHen
Description:Detects Windows executables referencing non-Windows User-Agents
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:Telegram_Links
Create hunting rule
Rule name:Vidar
Create hunting rule
Author:kevoreilly,rony
Description:Vidar Payload
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques
Rule name:win_vidar_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.vidar.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ArkeiStealer

Executable exe ada3f1fca37b6aa5a1b851c10e9d35fb9fd7d757c6e6bcccba173e933ef30837

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/442516/
  
URLhaus
https://urlhaus.abuse.ch/url/2704265/

Comments


Avatar
zbet commented on 2023-08-13 14:29:28 UTC

url : hxxp://193.233.255.9/lend/build666.exe