MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b3455729f0228a10eebd389eda5d2dbc38e34ac4614c16d48631dcc4308cf89a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b3455729f0228a10eebd389eda5d2dbc38e34ac4614c16d48631dcc4308cf89a
SHA3-384 hash: 249bef13c07cfb0e9344978e5e54acb15a41e6a80a33ca1eacc0ee7a028ad0747d08b0d594d7437c3466174f104d658f
SHA1 hash: 0da94f9b6886399c89a9930a660b73352ac8c508
MD5 hash: 9bd6f835af0c901c523080fcf38b4f78
humanhash: saturn-twenty-robert-kilo
File name:Loader.exe
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:1'524'736 bytes
First seen:2022-10-29 18:55:26 UTC
Last seen:2022-10-29 20:10:32 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b5f0f18aac36409a08519634008f3b24 (12 x RedLineStealer, 1 x ArkeiStealer, 1 x RecordBreaker)
ssdeep 24576:7qKoE4gM9v/k8qfcloc5SZwFoKNCHocoiAF8kVWX5/vwYcyUgJMEhL:7DOE52mwFoKNC/kIXxorynJRL
TLSH T16965A022B9918067DEE325F590BDE52D251EB1B00F3108CB5A44AAF8BDF05D22E35F97
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:ArkeiStealer exe


Avatar
abuse_ch
ArkeiStealer C2:
http://95.216.181.10/

Intelligence

File Origin
# of uploads :
2
# of downloads :
428
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
vidar
Create hunting rule
ID:
1
File name:
Loader.exe
Verdict:
Malicious activity
Analysis date:
2022-10-29 18:58:20 UTC
Tags:
trojan stealer vidar
Link:
https://app.any.run/tasks/a5a55e62-0f4a-4c2c-b491-742fe44adb04

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/325941/
Detection(s):
SecuriteInfo.com.Trojan.GenericKDZ.93075.28329.10891.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware
Link:
https://www.filescan.io/uploads/635d7742a5db8d309cbbd66a/reports/f18ca044-019e-414d-8afe-ba8b1f4bd48a/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c8a62e21-3330-4b7d-83b8-25b02646c2c6
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1101015
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
DLL side loading technique detected
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
PE file contains section with special chars
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 733673 Sample: Loader.exe Startdate: 29/10/2022 Architecture: WINDOWS Score: 100 36 Malicious sample detected (through community Yara rule) 2->36 38 Antivirus detection for URL or domain 2->38 40 Yara detected Vidar stealer 2->40 42 4 other signatures 2->42 8 Loader.exe 1 2->8         started        process3 signatures4 44 Contains functionality to inject code into remote processes 8->44 46 Writes to foreign memory regions 8->46 48 Allocates memory in foreign processes 8->48 50 Injects a PE file into a foreign processes 8->50 11 vbc.exe 20 8->11         started        16 WerFault.exe 23 9 8->16         started        18 conhost.exe 8->18         started        20 WerFault.exe 8->20         started        process5 dnsIp6 32 t.me 149.154.167.99, 443, 49700 TELEGRAMRU United Kingdom 11->32 34 95.216.181.10, 49701, 80 HETZNER-ASDE Germany 11->34 28 C:\ProgramData\sqlite3.dll, PE32 11->28 dropped 52 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 11->52 54 Tries to harvest and steal browser information (history, passwords, etc) 11->54 56 DLL side loading technique detected 11->56 58 Tries to steal Crypto Currency Wallets 11->58 22 cmd.exe 11->22         started        30 C:\ProgramData\Microsoft\...\Report.wer, Unicode 16->30 dropped file7 signatures8 process9 process10 24 conhost.exe 22->24         started        26 timeout.exe 22->26         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b3455729f0228a10eebd389eda5d2dbc38e34ac4614c16d48631dcc4308cf89a/
Threat name:
Win32.Trojan.RedLine
Create hunting rule
Status:
Malicious
First seen:
2022-10-29 18:56:09 UTC
File Type:
PE (Exe)
AV detection:
22 of 39 (56.41%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wncvokpqekfbb3v5hcpnuxjnxq4ogswemfgbnvegghomimem7cna._file
Verdict:
malicious
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:vidar botnet:1375 spyware stealer
Link:
https://tria.ge/reports/221029-xlbzksbecp/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Loads dropped DLL
Uses the VBS compiler for execution
Vidar
Malware Config
C2 Extraction:
https://t.me/slivetalks
https://c.im/@xinibin420
Unpacked files
SH256 hash:
4cb115e7c6630aee85f5e22d7d70fc3661a855bd82b5bc3616e116104bb88a07
MD5 hash:
ba01164649d60f055289ee1a775b021e
SHA1 hash:
2e0b5d7e57142cb0f5d708c5ffcb8028bce96a69
Link:
https://www.unpac.me/results/58d8cbf6-2fb6-475c-8c10-01e86055d676/
SH256 hash:
b3455729f0228a10eebd389eda5d2dbc38e34ac4614c16d48631dcc4308cf89a
MD5 hash:
9bd6f835af0c901c523080fcf38b4f78
SHA1 hash:
0da94f9b6886399c89a9930a660b73352ac8c508
Link:
https://www.unpac.me/results/58d8cbf6-2fb6-475c-8c10-01e86055d676/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b3455729f0228a10eebd389eda5d2dbc38e34ac4614c16d48631dcc4308cf89a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:Vidar
Create hunting rule
Author:kevoreilly,rony
Description:Vidar Payload
Rule name:Windows_Trojan_Vidar_114258d5
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/325941/

Comments