MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b4c9aadd18c1b6f613bf9d6db71dcc010bbdfe8b770b4084eeb7d5c77d95f180. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ArkeiStealer

Vendor detections: 13

Intelligence 13 IOCs YARA File information Comments

SHA256 hash:	b4c9aadd18c1b6f613bf9d6db71dcc010bbdfe8b770b4084eeb7d5c77d95f180
SHA3-384 hash:	8d0c1e08445902891198f83f08dd19d4dfeeaa5d998a5f0bf8bc1d8f613d85dad4b9d67633577d6f7fd186cf28733a04
SHA1 hash:	0a559ebf6ab1cdf292c79aac5ac20c236d975eb7
MD5 hash:	ed37ebbe1746dd0d566c8c4769655e0b
humanhash:	moon-eight-lithium-spring
File name:	555.exe
Download:	download sample
Signature	ArkeiStealer Create hunting rule
File size:	1'304'576 bytes
First seen:	2022-03-22 22:47:41 UTC
Last seen:	2022-03-23 00:55:40 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	5f3146513f84438aa6d693baf35ebf34 (1 x ArkeiStealer)
ssdeep	24576:atLyuIJLGWVpPq48nuzldzB2sZL7kHNWDzBHc6ewxl:KLgFGYq48nupdzB2sp7kHNW51eE
Threatray	212 similar samples on MalwareBazaar
TLSH	T147550111E2C1C538E16326B04DBB8769093CFD604B3066DBB7D42E7E6F719D26A3631A
dhash icon	18f0f8d4b4e4f266 (1 x ArkeiStealer)
Reporter	malware_traffic
Tags:	ArkeiStealer exe vidar

malware_traffic

Vidar sample from 2019

Intelligence

File Origin

# of uploads :

# of downloads :

283

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

2019-09-05-Vidar-from-Ursnif-style-URL-caused-by-Word-macro.exe

Verdict:

No threats detected

Analysis date:

2020-01-29 17:57:33 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/5cfd7481-8cfd-49d0-8d5f-f29078f43161

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Vidar

Link:

https://www.capesandbox.com/analysis/255204/

Detection(s):

SecuriteInfo.com.Variant.Graftor.638761.22011.3954.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %temp% directory

Sending a custom TCP request

Searching for synchronization primitives

Сreating synchronization primitives

Modifying an executable file

Unauthorized injection to a recently created process

Launching the default Windows debugger (dwwin.exe)

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/10573/overview

Behaviour

MalwareBazaar

MeasuringTime

SystemUptime

EvasionQueryPerformanceCounter

CheckCmdLine

EvasionGetTickCount

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

graftor greyware packed shade update.exe ursnif

Link:

https://www.filescan.io/uploads/623a522c0cd58dbd92da3af3/reports/6e8b3564-b9d4-4304-afcc-c7fd21b9f606/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Vidar

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/9470a8a0-0926-48b6-8110-71205fd6b5a9

Result

Threat name:

Oski Stealer Vidar

Detection:

malicious

Classification:

troj.spyw.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/962156

Signature

Antivirus / Scanner detection for submitted sample

Country aware sample found (crashes after keyboard check)

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Yara detected Oski Stealer

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b4c9aadd18c1b6f613bf9d6db71dcc010bbdfe8b770b4084eeb7d5c77d95f180/

Threat name:

Win32.Trojan.Graftor

Status:

Malicious

First seen:

2019-09-06 01:28:16 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

24 of 42 (57.14%)

Threat level:

5/5

Verdict:

malicious

ArkeiStealer

13979361d20b6c7184a7d3a8e5454782162a4ab734d2f9a01ed8421aeea5eee9

ArkeiStealer

58476caa3ab2733fc9e339ce77a09aa2133cc6111b78f65c3cf387f41cbb951b

ArkeiStealer

600552e69cace5f3ae996afd8c3376bd2bdd2d486e1fa7187587e197f25a86fa

ArkeiStealer

70ccb52e4c78d8b68d562fb7088d143577ad35a4b0bd01581a383c41580f1b2d

ArkeiStealer

cee863800326b0ee3599568530ae5ed3ff1735550df9375845faf8ed26bd6c9b

ArkeiStealer

e3e03d1ef6b93d46375205d172aa167380750376b1cbd4020afa03ea8c9e282b

ArkeiStealer

ecb89e9f66cd7f37efefec4cb211770200ccb17c810ad741cb3ec141e41c361c

ArkeiStealer

ed3a8374aff45cfadc4d4ee765283407272f90d6a352fc1fe2eca15f30fdb5c0

ArkeiStealer

+ 202 additional samples on MalwareBazaar

Result

Malware family:

vidar

Score:

10/10

Tags:

family:vidar botnet:288 spyware stealer

Link:

https://tria.ge/reports/220322-2q5jxabdd9/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of SetThreadContext

Reads user/profile data of web browsers

Vidar Stealer

Vidar

Malware Config

C2 Extraction:

http://dersed.com/

Unpacked files

SH256 hash:

7597d549f30698a93af08ce8b3d05405181c08751ffbc73fb94fde5ef55e1fdb

MD5 hash:

a62bd1145b3065bad8f72adee95d8a5a

SHA1 hash:

3a3e00bc1ebca496fca949435ab6383712ee8ee0

Detections:

win_vidar_g0

win_vidar_auto

Link:

https://www.unpac.me/results/ccfd4f14-c2ed-47e4-b42b-cb657dc0058e/

SH256 hash:

b4c9aadd18c1b6f613bf9d6db71dcc010bbdfe8b770b4084eeb7d5c77d95f180

MD5 hash:

ed37ebbe1746dd0d566c8c4769655e0b

SHA1 hash:

0a559ebf6ab1cdf292c79aac5ac20c236d975eb7

Link:

https://www.unpac.me/results/ccfd4f14-c2ed-47e4-b42b-cb657dc0058e/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/b4c9aadd18c1b6f613bf9d6db71dcc010bbdfe8b770b4084eeb7d5c77d95f180

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/255204/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample