MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b050ed31de09e850f5e903d211951938bd07de743f320610cd82f409e4c7de08. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ArkeiStealer

Vendor detections: 8

Intelligence 8 IOCs YARA 6 File information Comments 1

SHA256 hash:	b050ed31de09e850f5e903d211951938bd07de743f320610cd82f409e4c7de08
SHA3-384 hash:	215570132d01779e7eff015a40d3881de215627ae0a7a48291ad40680bf8493d065c465570f2c09ed92fcc1bdecbccf0
SHA1 hash:	fa5053cb77932af2014ac86ead412c2990b9bb95
MD5 hash:	4d0c54facda22627e27ddc68f7a1d31a
humanhash:	georgia-item-asparagus-five
File name:	4d0c54facda22627e27ddc68f7a1d31a
Download:	download sample
Signature	ArkeiStealer Create hunting rule
File size:	2'912'920 bytes
First seen:	2021-07-08 13:09:05 UTC
Last seen:	2021-07-08 13:48:40 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	3462297f1b643d0154e9e1dff836a1db (1 x ArkeiStealer)
ssdeep	49152:2xYMqHTBIHGEo3G0/9GC3/I2siOR3h9Uku4R:9JNItYG0/9Gq/vsiy3h9UkrR
Threatray	2'356 similar samples on MalwareBazaar
TLSH	T16AD53A59AA35DBEBCBC618B156E7C503C30D12A180056F16EBD57CB4A0D3C9F0FA5E8A
Reporter	zbetcheckin
Tags:	32 ArkeiStealer exe signed

Code Signing Certificate

Organisation:	Logitech Z-906
Issuer:	Logitech Z-906
Algorithm:	sha1WithRSAEncryption
Valid from:	2021-07-03T10:07:35Z
Valid to:	2031-07-04T10:07:35Z
Serial number:	66390fc17786d4a342f0ee89996d6522
Intelligence:	5 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:	SHA256
Thumbprint:	a0cdb1c5a7429ea15858acfc418c93ed96f733236efc0f2409f29138001956cb
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

108

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

4d0c54facda22627e27ddc68f7a1d31a

Verdict:

Suspicious activity

Analysis date:

2021-07-08 13:11:34 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/5a286bf4-2bc5-44fa-842d-13156e35c90b

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Vidar

Link:

https://www.capesandbox.com/analysis/170446/

Detection(s):

SecuriteInfo.com.Trojan.Siggen14.28352.19836.12647.UNOFFICIAL

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/f3e351cd-5031-49de-ad8d-5555cef0e156

Result

Threat name:

Vidar

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/813491

Signature

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Hides threads from debuggers

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

PE file contains section with special chars

Query firmware table information (likely to detect VMs)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected Vidar

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b050ed31de09e850f5e903d211951938bd07de743f320610cd82f409e4c7de08/

Threat name:

Win32.Trojan.Chapak

Status:

Malicious

First seen:

2021-07-07 17:40:24 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

21 of 46 (45.65%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=wbio2mo6bhufb5pjapjbdfizhc6qpxtuh4zamegnql2atzgh3yea._file

Verdict:

unknown

ArkeiStealer

16bf40060a0544cf49bda85272b976265fb56248c6068d7d95296937af664ecc

ArkeiStealer

1a1d8823b35b8c0d8dfcebe065520a07fe105589893262976fce4122317c55b8

ArkeiStealer

69b5a6cbf1cf8218f6481c08f7244fe453d3c8b3871404222875b9f228e59180

ArkeiStealer

6e29b950d675a5cf30bfd81326279d3310b1c26658b9d09091e6d8871354320b

ArkeiStealer

6ef31a13d71d059d6e007fb2305c8e2d7615c3d468c9f2f4e023b45490b50787

ArkeiStealer

714a30085b93988295ea7b732d24384db7bb3be843e20acd447ae8dd258db7a8

ArkeiStealer

aef50fda005e037a443df81e3dbaa530c7f4d661bacb90f40f955647c1ab33fd

ArkeiStealer

e5a666bc9d8b7c4a483d8a9204919dc454bca394cd22ac150aaf18bbb80b0b89

ArkeiStealer

f84ae3bdd7a26957eebe4e4893718bd512960c013a8aa4903998af16072c0041

ArkeiStealer

+ 2'346 additional samples on MalwareBazaar

Result

Malware family:

vidar

Score:

10/10

Tags:

family:vidar botnet:0 discovery evasion spyware stealer themida trojan

Link:

https://tria.ge/reports/210708-cgrp65n4aa/

Behaviour

Suspicious use of WriteProcessMemory

Checks processor information in registry

Delays execution with timeout.exe

Kills process with taskkill

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Enumerates physical storage devices

Suspicious use of NtSetInformationThreadHideFromDebugger

Accesses 2FA software files, possible credential harvesting

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Checks whether UAC is enabled

Checks BIOS information in registry

Deletes itself

Loads dropped DLL

Reads user/profile data of web browsers

Themida packer

Downloads MZ/PE file

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Vidar

Unpacked files

SH256 hash:

f4b2fc8f5381eb1ec138f4bb018792a17937838d7bab52fcf701e1ea06dd5c3a

MD5 hash:

6612311a334b6d116648fe051977311c

SHA1 hash:

ef661e3fbd341e5b9f254b4110b85bb93df8ceca

Link:

https://www.unpac.me/results/7ffeac04-33f3-4fb5-900b-417858c054e0/

SH256 hash:

b050ed31de09e850f5e903d211951938bd07de743f320610cd82f409e4c7de08

MD5 hash:

4d0c54facda22627e27ddc68f7a1d31a

SHA1 hash:

fa5053cb77932af2014ac86ead412c2990b9bb95

Link:

https://www.unpac.me/results/7ffeac04-33f3-4fb5-900b-417858c054e0/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/b050ed31de09e850f5e903d211951938bd07de743f320610cd82f409e4c7de08

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_EXE_Packed_Themida Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with Themida

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	INDICATOR_SUSPICOIUS_WindDefender_AntiEmaulation Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing potential Windows Defender anti-emulation checks

Rule name:	MALWARE_Win_Vidar Create hunting rule
Author:	ditekSHen
Description:	Detects Vidar / ArkeiStealer

Rule name:	Vidar Create hunting rule
Author:	kevoreilly
Description:	Vidar Payload

Rule name:	with_sqlite Create hunting rule
Author:	Julian J. Gonzalez <info@seguridadparatodos.es>
Description:	Rule to detect the presence of SQLite data in raw image
Reference:	http://www.st2labs.com