MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 af01014d5078e186ff588ce207c9f4d52413834d791bb6a4dc1d5d9c7155f6e3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: af01014d5078e186ff588ce207c9f4d52413834d791bb6a4dc1d5d9c7155f6e3
SHA3-384 hash: 2535836ceb6c20db1b0c652852f633c5f7c6a5c27a830f8f856bc38c718072a22962e093a28535e05989f633c0bdc68c
SHA1 hash: 484d8acef38bd8d6edc0a9ec2a7617fe7175f72a
MD5 hash: aef5ca656d4ff3b53bfa4acb9e500e5e
humanhash: pasta-chicken-michigan-delaware
File name:aef5ca656d4ff3b53bfa4acb9e500e5e
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:683'008 bytes
First seen:2021-10-05 11:39:02 UTC
Last seen:2021-10-05 12:58:23 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash bec5279be0cb3c653f5b0b143b00a99c (3 x RaccoonStealer, 2 x ArkeiStealer, 1 x RedLineStealer)
ssdeep 12288:QFrYOMhsFwHpYWRXJCmDX1Hr8ShSD1bPGLZlxLnRHgPgmz0tSylKnkU:sasFIp5CmDXdrXED1AZLTRHgP/QtSy8k
Threatray 3'112 similar samples on MalwareBazaar
TLSH T13DE4F120B7D0C034F2BB21B549BA93B8A92D7DB1673485CF66D56AF946B86D4EC30307
File icon (PE):PE icon
dhash icon eae8c8e8aa66a489 (1 x ArkeiStealer)
Reporter zbetcheckin
Tags:32 ArkeiStealer exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
158
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
aef5ca656d4ff3b53bfa4acb9e500e5e
Verdict:
Malicious activity
Analysis date:
2021-10-05 11:56:55 UTC
Tags:
trojan stealer vidar loader
Link:
https://app.any.run/tasks/12c2daa3-b246-4b21-9ebb-263f093b53c4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/195002/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader42.62977.10304.14989.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Connection attempt to an infection source
Sending a TCP request to an infection source
Launching the default Windows debugger (dwwin.exe)
Query of malicious DNS domain
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware packed stop
Link:
https://www.filescan.io/uploads/615c395998a6280f3932519f/reports/4079a65c-46ec-4ac5-a502-7e690a655270/overview
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0e7993ab-ca7a-4cd6-8d19-700816d67e16
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/864727
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Self deletion via cmd delete
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Vidar
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/af01014d5078e186ff588ce207c9f4d52413834d791bb6a4dc1d5d9c7155f6e3/
Threat name:
Win32.Ransomware.Stop
Create hunting rule
Status:
Malicious
First seen:
2021-10-05 11:39:06 UTC
AV detection:
26 of 45 (57.78%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
0043de32b946e3da5bf993515848be03979a1bf019b720f4c2a1ad647f120f53
ArkeiStealer
02bee4e148a2a4a9b5371d5d7db5f0a376484315c3046ab69766e6f2dc5680e7
ArkeiStealer
0d165ee8e30b6716bf316118565b781b82ad87c7aff58c1907ae1e2b512f522c
ArkeiStealer
21c2d5c785b09b136e5190ac486ffccf57d97dbe50115ba9361b6377bba522e6
ArkeiStealer
3decf0329e1b897bb576210f182a3e9d1369613a117cb02d6e47ccaaa151c7b9
ArkeiStealer
434a28e5e131dff29b239284643df2370d0f317d0a8621b682c26ec944d8889a
ArkeiStealer
48f9b4bc2bf75c03449857ff0d6b47c35ab97ed8ba444890ccdd4128d9ae1027
ArkeiStealer
774753d2a216a134c971df97df73b7c8efb0f1207e7948dbacff5e2e30f85456
ArkeiStealer
e1d5ab87fe1bc0121e1d2e0d5523d8f24cd68040f436410bb3530ad86c385575
ArkeiStealer
f3880cc610096c5ce3a7407741d8679de5b4f163fe1df37a051cb6026afe56d3
ArkeiStealer
+ 3'102 additional samples on MalwareBazaar
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar botnet:903 discovery spyware stealer suricata
Link:
https://tria.ge/reports/211005-nsaknaaabj/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Vidar Stealer
Vidar
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
Malware Config
C2 Extraction:
https://mas.to/@bardak1ho
Unpacked files
SH256 hash:
c0373cb6700d7314e3b44e685db8a2c2326257e4da94d3c174e84d79c6c26a5a
MD5 hash:
01bf3415c4e09d7cdc4ba42eb68719be
SHA1 hash:
fcb641c5763fd874c956f197ca20fbac6836632a
Link:
https://www.unpac.me/results/ee386d3e-5bbf-4263-ac8d-6d91d4e53351/
SH256 hash:
af01014d5078e186ff588ce207c9f4d52413834d791bb6a4dc1d5d9c7155f6e3
MD5 hash:
aef5ca656d4ff3b53bfa4acb9e500e5e
SHA1 hash:
484d8acef38bd8d6edc0a9ec2a7617fe7175f72a
Link:
https://www.unpac.me/results/ee386d3e-5bbf-4263-ac8d-6d91d4e53351/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/af01014d5078e186ff588ce207c9f4d52413834d791bb6a4dc1d5d9c7155f6e3

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ArkeiStealer

Executable exe af01014d5078e186ff588ce207c9f4d52413834d791bb6a4dc1d5d9c7155f6e3

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1655614/
Cape
Cape
https://www.capesandbox.com/analysis/195002/

Comments


Avatar
zbet commented on 2021-10-05 11:39:04 UTC

url : hxxp://89.223.70.202/ruz22nzVkxErrqtL.exe