MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b3fb5417f369f276a7db43531dabc38241f6fb329bcec6b26f1d9ccd1f817c22. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ArkeiStealer


Vendor detections: 11


Intelligence 11 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b3fb5417f369f276a7db43531dabc38241f6fb329bcec6b26f1d9ccd1f817c22
SHA3-384 hash: 21740b23850399facd25b167795a3c8f50b76f7d93a0906c2670269556f6cbe046603b9117f094973a774beade047e09
SHA1 hash: a26e8d1130da96e4719989f693305bd0096b77fa
MD5 hash: de57ece65f33390aef34432f750236c9
humanhash: beryllium-nine-hotel-twenty
File name:b3fb5417f369f276a7db43531dabc38241f6fb329bcec.exe
Download: download sample
Signature ArkeiStealer
Create hunting rule
File size:5'417'663 bytes
First seen:2022-09-20 07:45:55 UTC
Last seen:2022-09-21 09:31:50 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 6c9b62aae6117060f9867b92d139b95e (9 x ArkeiStealer, 2 x Smoke Loader, 1 x RedLineStealer)
ssdeep 98304:0aURnsjfaRQ2k9Q8xLgSFbZdIYS6AlTku4eH:0znsjfd0SFt+YSzgu4eH
TLSH T1A846B0237389A43EC06B29354427AAE4593B7F61B50ACC4A5BF8798CCF35542AF3650F
TrID 61.8% (.EXE) Inno Setup installer (109740/4/30)
23.4% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
5.9% (.EXE) Win64 Executable (generic) (10523/12/4)
2.5% (.EXE) Win32 Executable (generic) (4505/5/1)
1.6% (.MZP) WinArchiver Mountable compressed Archive (3000/1)
File icon (PE):PE icon
dhash icon 4e47090d0d09474e (1 x AgentTesla, 1 x AsyncRAT, 1 x Formbook)
Reporter abuse_ch
Tags:ArkeiStealer dixiel22-top dropped exe


Avatar
abuse_ch
ArkeiStealer C2:
http://45.92.156.110/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://45.92.156.110/ https://threatfox.abuse.ch/ioc/850615/

Intelligence

File Origin
# of uploads :
4
# of downloads :
241
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
raccoon
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2022-09-19 21:55:02 UTC
Tags:
loader evasion trojan stealer raccoon recordbreaker opendir
Link:
https://app.any.run/tasks/83c114fc-ec08-4233-b770-cb8b0faf890d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/311555/
Detection(s):
PUA.Win.Adware.Dealply-6619245-0
Create hunting rule

PUA.Win.Adware.Dealply-6619266-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
Searching for synchronization primitives
Delayed reading of the file
Sending a custom TCP request
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/38210/overview
Behaviour
MalwareBazaar
LanguageCheck
CheckNumberOfProcessor
CPUID_Instruction
CheckCmdLine
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
80%
Tags:
cmd.exe fingerprint greyware keylogger mokes overlay regasm.exe rundll32.exe vidar
Link:
https://www.filescan.io/uploads/63296fbf36ba812561a16be2/reports/2439a89d-9208-4358-b2aa-bfffaa71be45/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/afdabc65-03b0-4f3a-8225-14aa8770e48f
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1073467
Signature
Contains functionality to inject code into remote processes
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 706009 Sample: b3fb5417f369f276a7db43531da... Startdate: 20/09/2022 Architecture: WINDOWS Score: 100 39 Malicious sample detected (through community Yara rule) 2->39 41 Multi AV Scanner detection for submitted file 2->41 43 Yara detected Vidar stealer 2->43 45 Found many strings related to Crypto-Wallets (likely being stolen) 2->45 9 b3fb5417f369f276a7db43531dabc38241f6fb329bcec.exe 11 2->9         started        process3 file4 27 C:\ProgramData\...\windll.exe, PE32 9->27 dropped 12 windll.exe 9->12         started        process5 signatures6 47 Multi AV Scanner detection for dropped file 12->47 49 Detected unpacking (changes PE section rights) 12->49 51 Detected unpacking (overwrites its own PE header) 12->51 53 2 other signatures 12->53 15 windll.exe 17 12->15         started        process7 dnsIp8 29 45.92.156.110, 49707, 80 YISP-ASNL Netherlands 15->29 31 t.me 149.154.167.99, 443, 49706 TELEGRAMRU United Kingdom 15->31 33 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 15->33 35 Tries to harvest and steal browser information (history, passwords, etc) 15->35 37 Tries to steal Crypto Currency Wallets 15->37 19 cmd.exe 1 15->19         started        signatures9 process10 process11 21 taskkill.exe 1 19->21         started        23 conhost.exe 19->23         started        25 timeout.exe 1 19->25         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b3fb5417f369f276a7db43531dabc38241f6fb329bcec6b26f1d9ccd1f817c22/
Threat name:
Win32.Spyware.Vidar
Create hunting rule
Status:
Suspicious
First seen:
2022-09-19 21:10:06 UTC
File Type:
PE (Exe)
Extracted files:
66
AV detection:
18 of 39 (46.15%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=wp5vif7tnhzhnj63injr3k6dqja7n6zstphmnmtpdwom2h4bpqra._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery spyware stealer
Link:
https://tria.ge/reports/220920-jly78acce8/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Verdict:
Informative
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/bf02eb60-b6fa-4c74-9d13-adb6b52d4310
Unpacked files
SH256 hash:
61e71885942cbb64d50d1cac66a94452dd997e8e6df81abd1cb997d93ab8da60
MD5 hash:
821954255d4088ee4a72247f19580cc4
SHA1 hash:
6c39b6101b30c0fa9f36692284cbfc9f32d650cc
Detections:
win_vidar_auto
Create hunting rule
Link:
https://www.unpac.me/results/6b55162c-dee3-4345-b526-799243f05172/
Parent samples :
b3fb5417f369f276a7db43531dabc38241f6fb329bcec6b26f1d9ccd1f817c22
ee5cd7f14bf98534291bdb1b34d1424bebb1fbc27e01915ff15e928dc9ea73f6
8ecbe3f78c01ca3ddb3cd79498d97441c9f08cc3c2d2416546aee250ff84877e
bb5938ca20203ecde3fc65a31025801a1c136b90c76d7816edcb58db733ca3ed
455e9b43d3df1c83df5182936603a66d04658d6d1cb3098e9676978549e926fa
SH256 hash:
0aa155f4aba5a4fd2bec7ea814be1bb965b3d6ccca5593229ab65fabf02242d0
MD5 hash:
4a69652855a7ff9da15707a62bbfa255
SHA1 hash:
0ad1f27f5765d96ad350c97ae903f924828ec0c4
Link:
https://www.unpac.me/results/6b55162c-dee3-4345-b526-799243f05172/
SH256 hash:
b3fb5417f369f276a7db43531dabc38241f6fb329bcec6b26f1d9ccd1f817c22
MD5 hash:
de57ece65f33390aef34432f750236c9
SHA1 hash:
a26e8d1130da96e4719989f693305bd0096b77fa
Link:
https://www.unpac.me/results/6b55162c-dee3-4345-b526-799243f05172/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b3fb5417f369f276a7db43531dabc38241f6fb329bcec6b26f1d9ccd1f817c22

File information

The table below shows additional information about this malware sample such as delivery method and external references.

ArkeiStealer

Executable exe b3fb5417f369f276a7db43531dabc38241f6fb329bcec6b26f1d9ccd1f817c22

(this sample)

ArkeiStealer

Executable exe ee5cd7f14bf98534291bdb1b34d1424bebb1fbc27e01915ff15e928dc9ea73f6

Cape
Cape
https://www.capesandbox.com/analysis/311555/
  
Dropping
SHA256 ee5cd7f14bf98534291bdb1b34d1424bebb1fbc27e01915ff15e928dc9ea73f6
  
Dropping
MD5 55f28c1e8bdf171d4db09a14543d4cb0

Comments